How to Implement EAP Authentication in the RADIUS Protocol

Source: Internet
Author: User

EAP (Extensible Authentication Protocol) is part of the PPP authentication protocols and provides a general framework for different authentication methods. EAP is used to pass authentication information between the requester and the authentication server; the actual authentication is defined and processed according to the EAP type. EAP is therefore not an authentication mechanism in itself but a general architecture used to transport the actual authentication protocol. The advantage of EAP is that when a new authentication protocol is developed, the basic EAP mechanism does not need to change. Currently, there are more than 20 different EAP protocols.

Within the EAP protocol framework, the device and the RADIUS server can exchange information in two ways. In the first, the EAP packets are carried inside the RADIUS protocol using the EAPOR (EAP over RADIUS) encapsulation format. In the second, the device terminates the EAP packets and authenticates with the RADIUS server using PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) packets. The authentication process therefore has two methods: EAP relay and EAP termination.

The EAP relay method is stipulated by the IEEE 802.1X standard. It carries EAP in other higher-layer protocols, such as EAP over RADIUS, which allows EAP packets to pass through complex networks to the authentication server. In general, the EAP relay method requires the RADIUS server to support the EAP attributes EAP-Message and Message-Authenticator.

The EAP termination method terminates the EAP packets on the device and maps them to RADIUS packets. The standard RADIUS protocol is then used for authentication, authorization, and billing. You can use the PAP or CHAP authentication method between the device and the RADIUS server.

In RFC 2869, RADIUS adds two attributes to support EAP authentication: EAP-Message (EAP message) and Message-Authenticator (message authentication code).

EAP-Message

[Figure: EAP-Message attribute encapsulation]

This attribute is used to encapsulate EAP data packets. The type code is 79 and the String field can contain a maximum of 253 bytes. If the EAP data packet is longer than 253 bytes, it can be sliced and encapsulated in multiple EAP-Message attributes in sequence.

Message-Authenticator

[Figure: Message-Authenticator attribute]

This attribute is used to prevent access request packets from being eavesdropped when using authentication methods such as EAP and CHAP. Message-Authenticator must be included in packets that contain the EAP-Message attribute. Otherwise, the packets are considered invalid and are discarded.

Author: Wang Hao
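The EAP-Message slicing and the Message-Authenticator rule described above, as an added Python example that is not part of the original article. It assumes the RFC 3579 computation for an Access-Request (HMAC-MD5 keyed with the shared secret over the whole packet, with the Message-Authenticator value zeroed); the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79            # type code given in the text
MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type for Message-Authenticator
MAX_VALUE = 253             # maximum String bytes per attribute


def eap_message_attrs(eap_packet: bytes) -> list:
    """Slice an EAP packet into in-order EAP-Message attributes (type, length, value)."""
    chunks = [eap_packet[i:i + MAX_VALUE] for i in range(0, len(eap_packet), MAX_VALUE)]
    return [bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks]


def build_access_request(ident: int, secret: bytes, eap_packet: bytes) -> bytes:
    """Build an Access-Request carrying the EAP packet and a Message-Authenticator."""
    attrs = b"".join(eap_message_attrs(eap_packet))
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed value, placed last
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = header + os.urandom(16) + attrs  # 16-byte Request Authenticator
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def extract_eap(pkt: bytes, secret: bytes):
    """Return the reassembled EAP packet, or None when the packet must be discarded."""
    if len(pkt) < 20:
        return None
    end = struct.unpack("!H", pkt[2:4])[0]
    if end < 20 or end > len(pkt):
        return None
    zeroed, eap, mac, pos = bytearray(pkt[:end]), b"", None, 20
    while pos + 2 <= end:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > end:
            return None  # malformed attribute
        if atype == EAP_MESSAGE:
            eap += pkt[pos + 2:pos + alen]  # concatenate slices in order
        elif atype == MESSAGE_AUTHENTICATOR and alen == 18:
            mac = pkt[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if pos != end or not eap or mac is None:
        return None  # no EAP, or EAP-Message without Message-Authenticator
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return eap if hmac.compare_digest(mac, expected) else None
```
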
