The Extensible Authentication Protocol (EAP) was designed to solve a major problem: in an IP network an IP address is assigned only after authentication, whereas IPsec and SSL run on the IP layer and therefore already require knowledge of the IP address. Today EAP has become an important part of WLAN security. EAP can be used over layer 2, over IP, or over any other higher layer; it was designed as an extension of the Point-to-Point Protocol (PPP).
The Extensible Authentication Protocol does not itself provide authentication; it is only a wrapper that gives the flexibility to carry any kind of authentication method. Thus an access point (AP) does not need to understand all the authentication methods. Due to lack of space, a detailed explanation of the discussed EAP methods is not possible; the authors hope that the message sequence charts (MSCs) help the reader to understand the protocols.
The EAP-TLS procedure is basically the SSL/TLS handshake wrapped in EAPOL packets. The only difference is that in the authentication-success message from the authentication server the session key is sent to the authenticator. In EAP-TLS mutual authentication is achieved by the certificates that are mandatory on both the client and the server side.
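To make the EAPOL wrapping concrete, the following Python script (an added example, not code from the original chapter) encodes EAP packets as defined in RFC 3748, splits a TLS handshake flight into EAP-TLS fragments with the L and M flags of RFC 5216, wraps them in EAPOL frames, reassembles them on the receiving side, and shows that an EAP-Success packet is four bytes with no integrity protection, which is why the supplicant below honours it only after the TLS handshake has completed. The class and function names, the 1020-byte MTU and the byte pattern standing in for a TLS flight are assumptions chosen for the example.

```python
import struct
from typing import List, Optional

# EAP codes and types (RFC 3748, RFC 5216).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20      # EAP-TLS flag bits
# EAPOL header (IEEE 802.1X): version 2, packet type 0 = EAP-Packet.
EAPOL_VERSION, EAPOL_EAP_PACKET = 2, 0


def eap_packet(code: int, identifier: int, data: bytes = b"") -> bytes:
    """Code(1) | Identifier(1) | Length(2) | Data.  EAP-Success and EAP-Failure
    carry no data and no integrity check: four bytes are the whole message."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def eapol_frame(eap: bytes) -> bytes:
    """Version(1) | Type(1) | Body length(2) | Body, carried over the link layer."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame: bytes) -> bytes:
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET or len(frame) < 4 + length:
        raise ValueError("not a well-formed EAPOL EAP-Packet")
    return frame[4:4 + length]


def parse_eap(pkt: bytes):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    return code, identifier, pkt[4:length]


def fragment_tls(tls_flight: bytes, identifier: int, code: int,
                 mtu: int = 1020) -> List[bytes]:
    """Split one TLS flight into EAP-TLS fragments: the first sets L and carries
    the total TLS length, every fragment but the last sets M (more follow)."""
    out, offset = [], 0
    while True:
        first = offset == 0
        header_len = 2 + (4 if first else 0)          # Type, Flags, optional length
        chunk = tls_flight[offset:offset + mtu - header_len]
        offset += len(chunk)
        last = offset >= len(tls_flight)
        flags = (FLAG_L if first else 0) | (0 if last else FLAG_M)
        data = bytes([EAP_TYPE_TLS, flags])
        if first:
            data += struct.pack("!I", len(tls_flight))
        out.append(eap_packet(code, identifier, data + chunk))
        identifier = (identifier + 1) & 0xFF
        if last:
            return out


class TlsReassembler:
    """Collects EAP-TLS fragments back into one TLS flight for the TLS stack."""
    def __init__(self) -> None:
        self.expected: Optional[int] = None
        self.buf = b""

    def feed(self, eap_data: bytes) -> Optional[bytes]:
        if eap_data[0] != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS payload")
        flags, body = eap_data[1], eap_data[2:]
        if flags & FLAG_L:
            self.expected, body = struct.unpack("!I", body[:4])[0], body[4:]
        self.buf += body
        if flags & FLAG_M:
            return None                                  # wait for more fragments
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("TLS message length mismatch")
        done, self.buf, self.expected = self.buf, b"", None
        return done


class Supplicant:
    """Station-side state: EAP-Success has no MAC, so it is honoured only after
    the TLS handshake has completed and keys were derived from it."""
    def __init__(self) -> None:
        self.handshake_done = False

    def on_tls_handshake_complete(self) -> None:
        self.handshake_done = True

    def on_eap(self, pkt: bytes) -> str:
        code, _id, _data = parse_eap(pkt)
        if code == EAP_SUCCESS:
            return "authenticated" if self.handshake_done else "ignored-unprotected-success"
        return "failure" if code == EAP_FAILURE else "continue"


def demo() -> dict:
    # Constructed stand-in for a 2560-byte server certificate flight (not real TLS).
    flight = bytes(range(256)) * 10
    frags = fragment_tls(flight, identifier=5, code=EAP_REQUEST)
    reassembler, result = TlsReassembler(), None
    for frag in frags:
        _code, _id, data = parse_eap(parse_eapol(eapol_frame(frag)))
        result = reassembler.feed(data)
    station = Supplicant()
    early = station.on_eap(eap_packet(EAP_SUCCESS, 9))   # arrives before TLS finished
    station.on_tls_handshake_complete()
    late = station.on_eap(eap_packet(EAP_SUCCESS, 9))
    return {"fragments": len(frags), "reassembled": result == flight,
            "early": early, "late": late, "success_len": len(eap_packet(EAP_SUCCESS, 9))}
```

Running `demo()` yields three fragments for the 2560-byte flight (1014, 1018 and 528 bytes of TLS data, the first carrying the 4-byte length field), a successful reassembly, and a 4-byte EAP-Success that the supplicant discards when it arrives before the handshake and accepts afterwards; real supplicants apply the same rule by binding acceptance to the TLS Finished message and the derived keys rather than to the unauthenticated Success packet.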
The communication between the authenticator (AP) and the authentication server (e.g., a RADIUS server) can be encrypted with the AP-RADIUS key. On authentication success the message is also encrypted with a master key that is known only to the station (supplicant) and the authentication server. With this success message the session key is sent by the authentication server to the AP.
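The delivery of the session key from the authentication server to the AP is a RADIUS detail that the text only names. As an added example (not from the original chapter), the script below implements the MS-MPPE-Send-Key and MS-MPPE-Recv-Key wrapping of RFC 2548, which hides the key halves under the shared AP-RADIUS secret and the Request Authenticator of the Access-Request, packs them into Microsoft Vendor-Specific attributes of the Access-Accept, and unwraps them on the AP side; the split of the EAP-TLS master session key (MSK) into a Recv half and a Send half follows RFC 5216. The MSK, shared secret, salts and Request Authenticator are constructed values, and the function names are the example's own.

```python
import hashlib
import struct

VENDOR_MICROSOFT = 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17    # vendor types (RFC 2548)
RADIUS_VENDOR_SPECIFIC = 26


def mppe_encrypt(key: bytes, secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """RFC 2548 2.4.2: P = len || key || zero padding to a 16-byte multiple;
    b1 = MD5(S || R || A), c1 = p1 XOR b1; b_i = MD5(S || c_{i-1}), c_i = p_i XOR b_i."""
    if len(request_authenticator) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("need a 16-byte Request Authenticator and a 2-byte salt with high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    b = hashlib.md5(secret + request_authenticator + salt).digest()
    out = b""
    for i in range(0, len(plain), 16):
        c = bytes(p ^ k for p, k in zip(plain[i:i + 16], b))
        out += c
        b = hashlib.md5(secret + c).digest()      # next keystream block chains on ciphertext
    return salt + out


def mppe_decrypt(blob: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    salt, cipher = blob[:2], blob[2:]
    if len(cipher) == 0 or len(cipher) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    b = hashlib.md5(secret + request_authenticator + salt).digest()
    plain = b""
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ k for x, k in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("impossible key length after decryption: wrong shared secret?")
    return plain[1:1 + key_len]


def vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Type 26 | Length | Vendor-Id(4) | VType | VLength | value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(inner), VENDOR_MICROSOFT) + inner


def parse_vsa(attr: bytes):
    atype, alen, vendor_id, vtype, vlen = struct.unpack("!BBIBB", attr[:8])
    if (atype != RADIUS_VENDOR_SPECIFIC or vendor_id != VENDOR_MICROSOFT
            or alen != len(attr) or vlen != alen - 6):
        raise ValueError("malformed Microsoft VSA")
    return vtype, attr[8:alen]


def deliver_msk(msk: bytes, secret: bytes, request_authenticator: bytes, salts) -> bytes:
    """Server side: MSK[0:32] -> MS-MPPE-Recv-Key, MSK[32:64] -> MS-MPPE-Send-Key (RFC 5216 2.3)."""
    recv = mppe_encrypt(msk[:32], secret, request_authenticator, salts[0])
    send = mppe_encrypt(msk[32:], secret, request_authenticator, salts[1])
    return vsa(MS_MPPE_RECV_KEY, recv) + vsa(MS_MPPE_SEND_KEY, send)


def extract_msk(attrs: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """AP side: walk the Access-Accept attributes and unwrap both halves."""
    halves, pos = {}, 0
    while pos < len(attrs):
        alen = attrs[pos + 1]
        vtype, value = parse_vsa(attrs[pos:pos + alen])
        halves[vtype] = mppe_decrypt(value, secret, request_authenticator)
        pos += alen
    return halves[MS_MPPE_RECV_KEY] + halves[MS_MPPE_SEND_KEY]


def demo() -> dict:
    # Constructed values: a made-up MSK, shared secret, salts and Request Authenticator.
    msk = bytes(range(64))
    secret = b"constructed-ap-radius-secret"
    req_auth = hashlib.md5(b"constructed-access-request").digest()
    attrs = deliver_msk(msk, secret, req_auth, (b"\x80\x01", b"\x80\x02"))
    return {"attrs_len": len(attrs), "roundtrip": extract_msk(attrs, secret, req_auth) == msk}
```

Each 32-byte half becomes a 50-byte salted blob inside a 58-byte attribute, so the two keys add 116 bytes to the Access-Accept. The wrapping is an MD5 keystream keyed with the shared secret and the Request Authenticator, so the confidentiality of the session key on the AP-to-server leg rests entirely on the strength of that shared secret; this is why deployments commonly protect the RADIUS path itself with IPsec or RADIUS/TLS in addition to the attribute-level encryption.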
The use of a client certificate that end users do not understand, the lack of user identity protection, and the unprotected EAP-Success/Failure messages are drawbacks or weaknesses of EAP-TLS. This has led to the development of EAP-Tunneled TLS (EAP-TTLS) and Protected EAP (PEAP). These two are explained below.