EAP, Extensible Authentication Protocol

Description Glossary RFCs Publications Obsolete RFCs


Protocol suite: PPP.
Protocol type:PPP link control protocol.
PPP protocol:0xC227.
MIME subtype:
Working groups: eap, Extensible Authentication Protocol.
emu, EAP Method Update.
hokey, Handover Keying.
pppext, Point-to-Point Protocol Extensions.
Links: IANA: EAP numbers.
IANA: PPP Assigned numbers.
wiki: EAP.

An authentication protocol which supports multiple authentication mechanisms. EAP typically runs directly over the link layer without requiring IP and therefore includes its own support for in-order delivery and retransmission. While EAP was originally developed for use with PPP, it is also in use with IEEE 802.11.

EAP is a lock step protocol which only supports a single packet in flight. As a result, EAP cannot efficiently transport bulk data.

RFC 2284, pages 2 and 3:

By default, authentication is not mandatory. If authentication of the link is desired, an implementation MUST specify the Authentication-Protocol Configuration Option during Link Establishment phase.

These authentication protocols are intended for use primarily by hosts and routers that connect to a PPP network server via switched circuits or dial-up lines, but might be applied to dedicated links as well. The server can use the identification of the connecting host or router in the selection of options for network layer negotiations.

EAP is a general protocol for PPP authentication which supports multiple authentication mechanisms. EAP does not select a specific authentication mechanism at Link Control Phase, but rather postpones this until the Authentication Phase. This allows the authenticator to request more information before determining the specific authentication mechanism. This also permits the use of a "back-end" server which actually implements the various mechanisms while the PPP authenticator merely passes through the authentication exchange.

PPP header EAP header Data :::

EAP header:

0001020304050607 0809101112131415 1617181920212223 2425262728293031
Code Identifier Length
Data :::

Code. 8 bits.
Specifies the function to be performed.

1Request. RFC 3748
2Response. RFC 3748
3Success. RFC 3748
4Failure. RFC 3748
5Initiate. RFC 5296
6Finish. RFC 5296

Identifier. 8 bits.
Used to match EAP requests and replies.

Length. 16 bits.
Size of the EAP packet including the EAP header and data fields.

Data. Variable length.
Zero or more bytes of data as indicated by the Length field.

Type. 8 bits.

1Identity. RFC 3748
2Notification. RFC 3748
3Nak (Response only). RFC 3748
4MD5-Challenge. RFC 3748
5OTP, One Time Password. RFC 2289, RFC 3748
6GTC, Generic Token Card. RFC 3748
  RFC 3748
9RSA Public Key Authentication. 
10DSS Unilateral. 
13 EAP-TLS, EAP TLS Authentication Protocol. RFC 2716, RFC 5216
14Defender Token (AXENT). 
15RSA Security SecurID EAP. 
16Arcot Systems EAP. 
17EAP-Cisco Wireless. 
18 EAP-SIM, GSM Subscriber Identity Modules.RFC 4187
19SRP-SHA1 Part 1. 
21EAP-TTLS, EAP Tunneled TLS Authentication Protocol.RFC 5281
22Remote Access Service 
23 EAP-AKA, EAP method for 3rd Generation Authentication and Key Agreement. RFC 4187
24EAP-3Com Wireless. 
25PEAP, Protected EAP. 
27MAKE, Mutual Authentication w/Key Exchange. 
31Rob EAP. 
32EAP-POTP, Protected One-Time Password.RFC 4793
35EAP-Actiontec Wireless. 
36Cogent Systems Biometrics Authentication EAP. 
37AirFortress EAP. 
38EAP-HTTP Digest. 
39SecureSuite EAP. 
40DeviceConnect EAP. 
43 EAP-FAST, EAP Flexible Authentication via Secure Tunneling. RFC 4851
44ZLXEAP, ZoneLabs EAP. 
46EAP-PAX, EAP Password Authenticated eXchange. 
47 EAP-PSK, EAP Pre-Shared Key Extensible Authentication.RFC 4764
48EAP-SAKE, EAP Shared-secret Authentication and Key Establishment. RFC 4763
49EAP-IKEv2.RFC 5106
50 EAP-AKA', Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement. RFC 5448
Available via review by designated expert. RFC 3748
Reserved for allocation via standards sction. RFC 3748
254 Expanded Type. RFC 3748
255experimental. RFC 3748


The host requiring the authentication. The authenticator specifies the authentication protocol to be used in the Configure-Request during the Link Establishment phase.

backend authentication server.
An entity that provides an authentication service to an authenticator. When used, this server typically executes EAP methods for the authenticator.

EAP server.
The entity that terminates the EAP authentication method with the peer. In the case where no backend authentication server is used, the EAP server is part of the authenticator. In the case where the authenticator operates in pass-through mode, the EAP server is located on the backend authentication server.

EMSK, Extended Master Session Key.
Additional keying material derived between the EAP client and server that is exported by the EAP method. The EMSK must be at least 64 bytes in length. The EMSK is not shared with the authenticator or any other third party. The EMSK is reserved for future uses that are not defined yet.

MIC, Message Integrity Check.
A keyed hash function used for authentication and integrity protection of data.

MSK, Master Session Key.
Keying material that is derived between the EAP peer and server and exported by the EAP method. The MSK must be at least 64 bytes in length. In existing implementations, a AAA server acting as an EAP server transports the MSK to the authenticator.

The host which is being authenticated by the authenticator.


[RFC 2716] PPP EAP TLS Authentication Protocol.

[RFC 2869] RADIUS Extensions.

[RFC 3579] RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP).

[RFC 3748] Extensible Authentication Protocol (EAP).

[RFC 4017] Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs.

[RFC 4137] State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator.

[RFC 4186] Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM).

[RFC 4187] Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA).

[RFC 4284] Identity Selection Hints for the Extensible Authentication Protocol (EAP).

[RFC 4334] Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN).

[RFC 4851] The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST).

[RFC 5247] Extensible Authentication Protocol (EAP) Key Management Framework.

[RFC 5296] EAP Extensions for EAP Re-authentication Protocol (ERP).

[RFC 5448] Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA').


Obsolete RFCs:

[RFC 2284] PPP Extensible Authentication Protocol (EAP).

[RFC 3770] Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN).

Description Glossary RFCs Publications Obsolete RFCs