
Extensible Authentication Protocol (EAP)


What is the Extensible Authentication Protocol?

The Extensible Authentication Protocol (EAP) is an authentication framework that enables a supplicant, also called a peer, and an authenticator, such as a wireless access point or network switch, to authenticate using a selected method, such as certificates, passwords, one-time passwords, tokens, or smart cards.

Its core purpose is to decouple the authentication method from the network access technology, allowing multiple methods to be supported or added without changes to the underlying infrastructure.

How does the Extensible Authentication Protocol work?

EAP typically operates at the data link layer (Layer 2), carried over the Point-to-Point Protocol (PPP) or over Institute of Electrical and Electronics Engineers (IEEE) 802 networks (the family of standards that includes Ethernet and Wi-Fi), so authentication can take place before an IP address is assigned.

The process follows a standard exchange: the supplicant connects to the authenticator, which sends an EAP-Request/Identity message. The supplicant's response is forwarded to a backend authentication server, typically a Remote Authentication Dial-In User Service (RADIUS) server. The server and supplicant then select an EAP method and exchange that method's authentication messages.

Based on the outcome, the server issues an EAP-Success or EAP-Failure, and the authenticator grants or blocks network access accordingly. Because EAP can run over link-layer technologies, this general process applies across wired, wireless, and PPP-based connections, though the exact encapsulation differs by network type.

[Figure: How the Extensible Authentication Protocol (EAP) works.]

Types of Extensible Authentication Protocol

  • EAP-Transport Layer Security (EAP-TLS): Uses TLS for certificate-based mutual authentication; in typical deployments, both the supplicant and the server present certificates.
  • Protected EAP (PEAP): Establishes a TLS tunnel using a server certificate, then runs a simpler inner EAP method, commonly password-based, inside it.
  • EAP-Tunneled TLS (EAP-TTLS): Similar to PEAP; creates a TLS tunnel with a server certificate and supports a wider range of inner methods, including legacy password-based and non-EAP protocols.
  • EAP-Flexible Authentication via Secure Tunneling (EAP-FAST): Establishes a secure tunnel using Protected Access Credentials (PACs), which can replace or supplement certificates, and exchanges Type-Length-Value (TLV) objects within the tunnel.
  • SIM-based methods: Methods like EAP-Authentication and Key Agreement (EAP-AKA) authenticate subscribers using pre-shared secrets stored on SIM, Universal SIM (USIM), or similar subscriber identity modules. They're commonly used in mobile and carrier networks.

Certificate-based methods, such as EAP-TLS, provide mutual authentication. Tunnel-based methods (PEAP, EAP-TTLS, and EAP-FAST) establish a protected tunnel first to secure the inner authentication exchange, which is often password-based.

Why is the Extensible Authentication Protocol important?

EAP strengthens network authentication by supporting individual user or device credentials instead of relying on a shared network password. When paired with IEEE 802.1X (a standard for port-based network access control that restricts traffic on a port until authentication succeeds), each user or device authenticates separately, giving administrators granular control over access and limiting exposure if a single account is compromised.

TLS-based EAP methods can provide additional protection by enabling server authentication and, in methods such as EAP-TLS, mutual authentication and unique key derivation. This helps secure wireless traffic against risks such as eavesdropping, credential theft, and replay attacks when properly configured.

Where is the Extensible Authentication Protocol used?

  • Enterprise Wi-Fi: Most common deployment; 802.1X with EAP secures corporate wireless networks.
  • Virtual private network (VPN) and remote access: EAP can authenticate users over remote access, including PPP-based tunnels and some built-in VPN types, before granting access to internal resources.
  • Campus and corporate wired networks: 802.1X port-based access control uses EAP to authenticate devices on Ethernet ports.
  • Mobile carrier networks: SIM-based methods (EAP-AKA, EAP-SIM) authenticate subscribers using SIM, USIM, or similar subscriber identity modules.
  • Zero-trust-aligned access environments: EAP supports per-user and per-device authentication at network access, aligning with zero-trust principles when combined with broader identity, device posture, and access controls.

Risks and privacy concerns

Not all EAP methods offer the same level of security. Some weaker methods lack mutual authentication and are vulnerable to offline dictionary attacks. Misconfigured supplicants that fail to validate server certificates expose credentials to man-in-the-middle (MITM) attacks.
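The misconfiguration described above is usually a missing trust anchor or missing server-name check in the supplicant. As an added example (not ExpressVPN's or wpa_supplicant's own code), the script below audits wpa_supplicant network blocks for exactly those gaps. The configuration keys it looks at (eap, ca_cert, domain_match, domain_suffix_match, altsubject_match, anonymous_identity, phase2) are real wpa_supplicant options; the sample configuration, the audit rules, and the function names are constructed for illustration.

```python
"""Audit wpa_supplicant network blocks for EAP settings that expose credentials.

Added example. The sample config below is constructed: the first block trusts any
server certificate, the second pins a CA and the RADIUS server name and hides the
real user name behind an anonymous outer identity.
"""
import re

SAMPLE_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
"""

# Outer methods whose inner credential exchange is protected only by the TLS tunnel.
TUNNELED = {"PEAP", "TTLS", "FAST"}
# Outer methods with no protected tunnel and no server authentication at all.
UNTUNNELED = {"MD5", "LEAP"}
# Any one of these pins which server certificate is acceptable, not just which CA.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match")


def parse_networks(text):
    """Return one dict of key/value pairs per network={...} block (quotes stripped)."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks


def audit(net):
    """List the credential-exposure findings for one network block."""
    findings = []
    method = net.get("eap", "").upper()
    if method in UNTUNNELED:
        findings.append(f"eap={method} has no protected tunnel or server authentication")
    if method in TUNNELED or method == "TLS":
        if "ca_cert" not in net:
            # Without a trust anchor the supplicant accepts any server certificate,
            # so a rogue access point can terminate the tunnel and harvest credentials.
            findings.append("no ca_cert: any server certificate is accepted")
        if not any(key in net for key in NAME_CHECKS):
            findings.append("no server name check: any certificate from the CA is accepted")
    if method in TUNNELED and "anonymous_identity" not in net:
        findings.append("real identity is sent in clear text as the outer identity")
    return findings


def report(text):
    """Map each SSID to its findings; an empty list means the block passed."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in report(SAMPLE_CONFIG).items():
        print(ssid, "->", findings or "ok")
```

The check is deliberately conservative: a tunnelled method with a CA but no name match still counts as a finding, because any certificate issued by that CA, including one for an unrelated server, would otherwise be accepted.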

EAP-FAST’s server-unauthenticated PAC provisioning mode can be vulnerable to interception if the tunnel is established without server certificate validation.

Networks that still support legacy methods alongside stronger ones can introduce downgrade risk, in which an attacker attempts to steer the negotiation toward a weaker method. Some EAP exchanges may also transmit an outer identity in clear text before a protected tunnel is established, potentially leaking user information and raising privacy concerns.
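To make the request/response flow from the "How does the Extensible Authentication Protocol work?" section concrete, and to show the two supplicant-side defences this section implies (refusing an unwanted method with an EAP-Nak, and sending only a placeholder as the clear-text outer identity), here is an added example that is not part of the original page. It models the exchange in Python using the RFC 3748 packet layout; the class names, the collapsed one-round "method" exchange, and the scenario are illustrative assumptions, while the packet codes and method type numbers are the real IANA-assigned values.

```python
"""Toy EAP conversation using the RFC 3748 packet format (added example).

Assumptions: the Supplicant and AuthServer classes and the exchange logic are
illustrative, not a real implementation; a method's whole conversation (for
example a TLS handshake) is collapsed to one Request/Response pair. The packet
codes and method type numbers are the real IANA-assigned values.
"""
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4          # EAP codes, RFC 3748 section 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_TLS, TYPE_PEAP = 1, 3, 4, 13, 25


def encode(code, identifier, eap_type=None, data=b""):
    """Build Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def decode(pkt):
    """Parse a packet; reject truncated frames and Length/frame mismatches."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match frame size")
    if code in (SUCCESS, FAILURE):
        return code, identifier, None, b""                 # no Type octet on Success/Failure
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return code, identifier, pkt[4], pkt[5:]


class Supplicant:
    """Peer: anonymous outer identity, Nak for any method not on its allowlist."""

    def __init__(self, outer_identity, allowed_methods):
        self.outer_identity = outer_identity
        self.allowed = list(allowed_methods)

    def handle(self, pkt):
        code, identifier, eap_type, _ = decode(pkt)
        if code != REQUEST:
            return None                                    # Success/Failure ends the talk
        if eap_type == TYPE_IDENTITY:
            # Sent in clear before any tunnel exists, so only a realm placeholder goes here.
            return encode(RESPONSE, identifier, TYPE_IDENTITY, self.outer_identity.encode())
        if eap_type not in self.allowed:
            # Nak (type 3) refuses the offer and lists acceptable types: the peer-side
            # defence against being steered to a weaker method than it is configured for.
            return encode(RESPONSE, identifier, TYPE_NAK, bytes(self.allowed))
        return encode(RESPONSE, identifier, eap_type, b"method-data")  # stand-in round


class AuthServer:
    """Backend (RADIUS-style) server that drives method selection to a verdict."""

    def __init__(self, supported_methods):
        self.supported = list(supported_methods)
        self.identifier = 0

    def _request(self, eap_type):
        self.identifier = (self.identifier + 1) % 256      # fresh Identifier per Request
        return encode(REQUEST, self.identifier, eap_type)

    def _ask(self, supplicant, eap_type):
        code, identifier, resp_type, data = decode(supplicant.handle(self._request(eap_type)))
        if code != RESPONSE or identifier != self.identifier:
            raise ValueError("unexpected or replayed packet")   # Identifier must match
        return resp_type, data

    def run(self, supplicant, transcript):
        _, data = self._ask(supplicant, TYPE_IDENTITY)
        transcript.append(f"Response/Identity {data.decode()!r}")
        offer = self.supported[0]                          # server's first preference
        while True:
            transcript.append(f"Request type {offer}")
            resp_type, data = self._ask(supplicant, offer)
            if resp_type == TYPE_NAK:
                transcript.append(f"Nak, peer wants {list(data)}")
                wanted = [t for t in data if t in self.supported]
                if not wanted:
                    transcript.append("Failure")
                    return FAILURE
                offer = wanted[0]
                continue
            verdict = SUCCESS if resp_type == offer else FAILURE
            transcript.append("Success" if verdict == SUCCESS else "Failure")
            return verdict


def run_exchange(server_methods, peer_allowed, outer_identity="anonymous@example.org"):
    """Constructed scenario; returns (verdict, transcript of the exchange)."""
    transcript = []
    verdict = AuthServer(server_methods).run(Supplicant(outer_identity, peer_allowed), transcript)
    return verdict, transcript


if __name__ == "__main__":
    # Server offers legacy MD5-Challenge first; a strict peer Naks it and gets EAP-TLS.
    print(*run_exchange([TYPE_MD5, TYPE_TLS], [TYPE_TLS])[1], sep="\n")
```

Running the scenario shows the server's first offer (MD5-Challenge) rejected by a Nak that names EAP-TLS, after which the server re-offers EAP-TLS and issues Success; if the server supports only the legacy method, the same peer policy ends in Failure rather than a downgraded session. The Identifier check in `_ask` is the framing-level replay guard RFC 3748 requires of both sides.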

FAQ

What is the difference between EAP and 802.1X?

Extensible Authentication Protocol (EAP) is an authentication framework that supports different authentication methods; Institute of Electrical and Electronics Engineers (IEEE) 802.1X uses EAP to control access to a network port.

Which EAP method is most secure?

Certificate-based Transport Layer Security (TLS) methods, especially Extensible Authentication Protocol (EAP)-TLS, are generally considered among the most secure when properly configured.

Is EAP used in VPN authentication?

Yes. The Extensible Authentication Protocol (EAP) can be used for VPN and remote-access authentication, including Point-to-Point Protocol (PPP)-based connections and certain built-in VPN types.

Does EAP require certificates?

Not always. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) typically requires certificates for both the client and server. Protected EAP (PEAP) and EAP-Tunneled TLS (EAP-TTLS) generally require a server certificate, while client authentication can use an inner method such as a password or, in some configurations, a client certificate.

Can EAP help prevent credential theft?

Yes, when secure Extensible Authentication Protocol (EAP) methods are properly configured. Methods that validate server certificates and protect internal authentication can reduce the risk of credential theft, but weak methods or misconfigured clients may expose credentials. Some EAP exchanges may also send an outer identity in clear text before a protected tunnel is established, which can create privacy concerns.