Understanding 802.1X Authentication and Common EAP Types

802.1X and EAP How They Work

802.1X uses three components—Supplicant (client), Authenticator (e.g., wireless AP), and Authentication server (e.g., RADIUS)—to authenticate devices. The protocol carries Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server over an encrypted point‑to‑point link, with the authenticator acting as a mediator.

When the authenticator initiates authentication, the supplicant presents its identity and awaits a challenge from the server. The server selects an EAP method, and upon successful verification the supplicant gains network access.

802.1X uses EAP at OSI layer 2, so no IP connectivity is required. Wireless security standards such as WEP, WPA2, and WPA3 support EAP.

EAP Types

EAP-MD5

LEAP

PEAP

EAP‑SIM

EAP‑AKA

EAP‑TLS

EAP‑MS‑CHAPv2

EAP‑TTLS

EAP‑FAST

EAP‑GTC

EAP‑MD5

EAP‑MD5, defined in RFC 2284, provides one‑way client authentication by sending a random challenge that the client hashes with its password. It offers low security, is vulnerable to dictionary and man‑in‑the‑middle attacks, and does not provide key material, making it unsuitable for WLAN.

LEAP

LEAP (Cisco’s lightweight EAP) uses a similar challenge‑response mechanism and then exchanges a dynamic WEP key. It is proprietary, limited to Cisco equipment, and also vulnerable to dictionary attacks.

PEAP

PEAP creates a TLS tunnel using a server certificate, then runs an inner EAP method (commonly EAP‑MS‑CHAPv2 or EAP‑GTC) for authentication. Cisco and Microsoft support different PEAP versions; compatibility must be ensured.

EAP‑SIM

EAP‑SIM, defined in RFC 4186, authenticates devices using the SIM card in GSM networks, allowing roaming between Wi‑Fi hotspots and cellular networks.

EAP‑AKA

EAP‑AKA (RFC 4187) is similar to EAP‑SIM but uses USIM credentials and stronger derived keys; updated versions (EAP‑AKA′ and EAP‑AKA′‑PFS) add SHA‑256 and perfect forward secrecy for 5G.

EAP‑TLS

EAP‑TLS (RFC 5216) provides mutual authentication with digital certificates and is considered the strongest EAP method, though it requires a PKI infrastructure.

EAP‑MS‑CHAPv2

EAP‑MS‑CHAPv2 encapsulates Microsoft’s CHAP, can be used inside PEAP, and is convenient for environments that already use Active Directory credentials, but it is less secure than certificate‑based methods.

EAP‑TTLS

EAP‑TTLS (RFC 5281) tunnels traditional password‑based authentication inside TLS, allowing reuse of existing credential stores while improving security over plain passwords.

EAP‑FAST

EAP‑FAST (Cisco) creates a TLS‑like tunnel and uses a Protected Access Credential (PAC) for subsequent authentications, offering a lower‑cost alternative to certificates.

EAP‑GTC

EAP‑GTC carries one‑time passwords generated by security tokens and is often used inside PEAP for two‑factor authentication.

Checking EAP Compatibility

Network teams should verify which EAP types their equipment supports and ensure consistent configuration across multi‑vendor WLAN deployments. Organizations using credential‑based EAP must enforce strong password hygiene, while those using certificate‑based methods must maintain proper certificate management.