The Extensible Authentication Protocol
EAP is supported in the new RADIUS extensions and allows for new authentication types to be used over links running on the PPP protocol. Authentication schemes such as public key, smart cards, one-time passwords, Kerberos, and others are supported over PPP when EAP is used. To support EAP, RADIUS includes two new attributes—EAP-Message and Message-Authenticator—that are described in this section.
Typically, the RADIUS server acts as an intermediary between the client and a backroom proprietary security and authentication server. It normally encapsulates the EAP packets within a standard RADIUS packet, using the EAP-Message attribute, and then transmits them back and forth between the two machines. This lets the RADIUS server talk to the other proprietary authentication server using a standard protocol that requires no special modifications on the RADIUS server. It can still fully support standard RADIUS requests with reduced overhead.
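The encapsulation described above, as an added example that is not from the book: it wraps an EAP-Response/Identity in EAP-Message attributes inside an Access-Request, protects the packet with Message-Authenticator, and shows the receiving side rejecting a packet whose integrity check is missing or wrong. The attribute numbers (79, 80), the 253-octet fragment limit and the HMAC-MD5 construction follow RFC 2869 rather than this excerpt; the function names are hypothetical, and any secret or user name passed in is constructed sample data.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # attribute types (RFC 2865/2869)

def attr(attr_type, value):
    # RADIUS attribute: 1-octet type, 1-octet length (header included), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_identity_response(eap_id, identity):
    # EAP header is code (2 = Response), identifier, total length; type 1 = Identity
    body = bytes([1]) + identity
    return struct.pack("!BBH", 2, eap_id, len(body) + 4) + body

def _mac(secret, packet, offset):
    # HMAC-MD5 over the whole packet with the 16-octet MAC field zeroed
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_access_request(secret, radius_id, eap_packet, user):
    attrs = attr(USER_NAME, user)
    # A value holds at most 253 octets, so a long EAP packet spans several attributes
    for i in range(0, len(eap_packet), 253):
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + 253])
    offset = 20 + len(attrs) + 2  # where the MAC value starts
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", 1, radius_id, 20 + len(attrs))  # code 1 = Access-Request
    packet = header + os.urandom(16) + attrs  # random Request Authenticator
    return packet[:offset] + _mac(secret, packet, offset) + packet[offset + 16:]

def verify_and_extract_eap(secret, packet):
    # Walk the attributes, reassemble EAP-Message fragments, then check the MAC
    eap, mac_offset, pos = b"", None, 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("malformed attribute")
        if a_type == EAP_MESSAGE:
            eap += packet[pos + 2:pos + a_len]
        elif a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            mac_offset = pos + 2
        pos += a_len
    if mac_offset is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    if not hmac.compare_digest(_mac(secret, packet, mac_offset), packet[mac_offset:mac_offset + 16]):
        raise ValueError("Message-Authenticator mismatch")
    return eap
```

A receiver that returns the reassembled EAP packet only after the check passes never forwards unauthenticated EAP data to the back-end authentication server.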
A typical EAP over RADIUS transaction occurs in a standard format, which is outlined here:
The dial-up client and the RADIUS client gear negotiate the use of EAP within their specific link control protocol—this is most commonly PPP.
The RADIUS client then sends an EAP-Request/Identity message to the client unless its identity has been verified through some other means, such as callback or caller ID.
The dial-up client then responds with an EAP-Response/Identity message.
The RADIUS client gear receives this response ...