EAP is supported in the new RADIUS extensions and allows for new authentication types to be used over links running on the PPP protocol. Authentication schemes such as public key, smart cards, one-time passwords, Kerberos, and others are supported over PPP when EAP is used. To support EAP, RADIUS includes two new Message-Authenticator—that are described in

Typically, the RADIUS server acts as an intermediary between the client and a backroom proprietary security and authentication server. It normally encapsulates the EAP packets within a standard RADIUS packet, using the EAP-Message attribute, and then transmits them back and forth between the two machines. This lets the RADIUS server talk to the other proprietary authentication server using a standard protocol that requires no special modifications on the RADIUS server. It can still fully support standard RADIUS requests with reduced overhead.

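
The encapsulation described above, as an added example that is not from the original text: an EAP packet is carried in EAP-Message attributes (type 79, split at 253 octets per attribute) and the packet is protected by Message-Authenticator (type 80, HMAC-MD5 keyed with the shared secret), following RFC 2869. The function names, the sample EAP packet, and the shared secret used with them are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80  # attribute types from RFC 2869
MAX_VALUE = 253  # 255-octet attribute limit minus the Type and Length octets

# Constructed sample: EAP-Response/Identity (Code 2, Id 1, Type 1) for "alice".
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(radius_id, secret, eap_packet, authenticator=None):
    """Wrap an EAP packet in an Access-Request (code 1) and sign it."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    # An EAP packet longer than 253 octets spans consecutive EAP-Message attributes.
    for i in range(0, len(eap_packet), MAX_VALUE):
        attrs += attr(EAP_MESSAGE, eap_packet[i:i + MAX_VALUE])
    sig_offset = 20 + len(attrs) + 2  # header, earlier attributes, Type/Length
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled while signing
    packet = struct.pack("!BBH", 1, radius_id, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:sig_offset] + mac + packet[sig_offset + 16:]


def parse_and_verify(packet, secret):
    """Return the reassembled EAP packet; raise if the signature does not verify."""
    eap, received, zeroed, pos = b"", None, bytearray(packet), 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if packet[pos] == EAP_MESSAGE:
            eap += packet[pos + 2:pos + length]
        elif packet[pos] == MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)  # recompute over a zeroed field
        pos += length
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if received is None or not hmac.compare_digest(received, expected):
        raise ValueError("missing or invalid Message-Authenticator")
    return eap
```

A receiver that forwards EAP without running the check in `parse_and_verify` cannot tell whether the EAP payload was altered between the RADIUS client and server.
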
A typical EAP over RADIUS transaction occurs in a standard format, which is outlined here:

1. The dial-up client and the RADIUS client gear negotiate the use of EAP within their specific link control protocol—this is most commonly PPP.
2. The RADIUS client then sends an EAP-Request/Identity message to the client unless its identity has been verified through some other means, such as callback or caller ID.
3. The dial-up client then responds with an
4. The RADIUS client gear receives this response ...