Summit Knowledge Center

EAP

EAP (Extensible Authentication Protocol) is the authentication framework used with IEEE 802.1X, which is a component of WPA-Enterprise and WPA2-Enterprise. With some Wi-Fi infrastructures, EAP authentication also can be used outside of a WPA or WPA2 context.

You can read the original definition of EAP at RFC 3748 and an updated definition at RFC 5247.

When SCU is used to configure security settings, seven EAP types are supported: EAP-TLS, EAP-TTLS, PEAP-TLS, PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST, and LEAP. For details, see the sections on EAP Type and EAP Credentials.

EAP Credentials

For each EAP type supported by SCU, the table below shows the selections in the SCU Credentials box. The columns are EAP-Type, User, Password, CA Cert, Validate Server, Use MS Store, and Others; a column not listed for a type is left blank.

PEAP-MSCHAP
  User: Username or Domain/Username (up to 64 characters)
  Password: Password (up to 32 characters)
  CA Cert: Filename (up to 32 characters); see Note on CA Cert Field
  Validate Server: see Note on Validate Server Checkbox
  Use MS Store: see Note on Use MS Store Checkbox

PEAP-GTC
  User: Username or Domain/Username (up to 64 characters)
  Password: Password (up to 32 characters)
  CA Cert: Filename (up to 32 characters); see Note on CA Cert Field
  Validate Server: see Note on Validate Server Checkbox
  Use MS Store: see Note on Use MS Store Checkbox

PEAP-TLS
  User: Username or Domain/Username (up to 64 characters)
  Password: Password (up to 32 characters)
  CA Cert: Filename (up to 32 characters); see Note on CA Cert Field
  Validate Server: see Note on Validate Server Checkbox
  Use MS Store: see Note on Use MS Store Checkbox

EAP-TTLS
  User: Username or Domain/Username (up to 64 characters)
  Password: Password (up to 32 characters)
  CA Cert: Filename (up to 32 characters); see Note on CA Cert Field
  Validate Server: see Note on Validate Server Checkbox
  Use MS Store: see Note on Use MS Store Checkbox

EAP-TLS
  User: Username or Domain/Username (up to 64 characters)
  CA Cert: Filename (up to 32 characters); see Note on CA Cert Field
  Validate Server: see Note on Validate Server Checkbox
  Use MS Store: see Note on Use MS Store Checkbox
  Others: User Cert; see Note on User Cert

EAP-FAST
  User: Username or Domain/Username (up to 64 characters)
  Password: Password (up to 32 characters)
  Others: PAC Filename (up to 32 characters), PAC Password (up to 32 characters)

LEAP
  User: Username or Domain/Username (up to 64 characters)
  Password: Password (up to 32 characters)

Note on CA Cert Field: This is the filename of the root certificate authority digital certificate. Leave this blank if the Use MS Store checkbox is checked.

Note on Validate Server Checkbox: Check this if you are using a CA certificate to validate an authentication server. When this is checked, you must enter a certificate filename in the CA Cert field or check the Use MS store checkbox.

Note: Summit strongly recommends the use of server validation with PEAP-GTC.

Note on Use MS Store Checkbox: Check this if the Microsoft certificate store should be used for a CA certificate. This is applicable only when Validate Server is checked.

Note on User Cert: Tap the "..." button to select a user (or station) certificate from the Microsoft certificate store. Do not enter a filename; the user certificate must reside in the Microsoft certificate store. When you browse for a certificate, the pop-up box displays Issued By and Issued To.

Of the seven EAP types supported by SCU, all but EAP-FAST and LEAP rely upon information in digital certificates that are created by a certificate authority (CA). To enable a station device to authenticate the server, you must provide a root CA certificate and distribute it to that station. You can store the CA certificate in a device's Microsoft certificate store or in a specified directory (see Certs Path for additional information regarding a specified directory).

Note: For EAP-TLS, you must also generate a user certificate for each station. The user certificate must be stored in the Microsoft certificate store on the station.
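As an added example (not part of this Summit page or of SCU itself), the following Python lint pass encodes the credential rules above: the field length limits, the dependencies between CA Cert, Validate Server and Use MS Store, and the EAP-TLS user-certificate requirement. The dictionary key names and the sample profiles are assumptions constructed for the example.

```python
# Added example (not from the Summit page or SCU itself): a lint pass over an
# SCU-style EAP credential set that applies the field limits and the CA Cert,
# Validate Server and Use MS Store notes above. Key names are assumptions.
from typing import Any, Dict, List

CERT_TYPES = {"PEAP-MSCHAPv2", "PEAP-GTC", "PEAP-TLS", "EAP-TTLS", "EAP-TLS"}
PASSWORD_TYPES = (CERT_TYPES - {"EAP-TLS"}) | {"EAP-FAST", "LEAP"}
LIMITS = {"user": 64, "password": 32, "ca_cert": 32,
          "pac_filename": 32, "pac_password": 32}


def lint_credentials(eap_type: str, cfg: Dict[str, Any]) -> List[str]:
    """Return findings for one profile; an empty list means it is consistent."""
    out: List[str] = []
    if eap_type not in CERT_TYPES | {"EAP-FAST", "LEAP"}:
        return [f"{eap_type}: not one of the seven EAP types SCU supports"]
    for key, limit in LIMITS.items():          # length limits from the table
        value = cfg.get(key) or ""
        if len(value) > limit:
            out.append(f"{key}: {len(value)} characters exceeds the {limit} limit")
    if not cfg.get("user"):
        out.append("user: required for every EAP type")
    if eap_type in PASSWORD_TYPES and not cfg.get("password"):
        out.append(f"password: required for {eap_type}")
    if eap_type in CERT_TYPES:
        validate = bool(cfg.get("validate_server"))
        ms_store = bool(cfg.get("use_ms_store"))
        ca_cert = cfg.get("ca_cert") or ""
        if validate and not (ca_cert or ms_store):
            out.append("validate_server: needs a CA Cert filename or Use MS Store")
        if ms_store and ca_cert:
            out.append("ca_cert: must be blank when Use MS Store is checked")
        if ms_store and not validate:
            out.append("use_ms_store: only applies when Validate Server is checked")
        if not validate:
            # Without a root CA check the station never authenticates the server.
            msg = "validate_server: unchecked, so the server is not authenticated"
            if eap_type == "PEAP-GTC":
                msg += " (Summit strongly recommends server validation here)"
            out.append(msg)
    if eap_type == "EAP-TLS" and not cfg.get("user_cert"):
        out.append("user_cert: EAP-TLS needs a user certificate from the MS store")
    return out


# Constructed sample profiles: one consistent, one with the common mistakes.
GOOD = {"user": "CORP\\scanner01", "password": "s3cret", "validate_server": True,
        "use_ms_store": True, "ca_cert": ""}
BAD = {"user": "scanner01", "password": "s3cret", "validate_server": False,
       "use_ms_store": True, "ca_cert": "rootca.cer"}
```

Running `lint_credentials("PEAP-GTC", BAD)` reports the CA Cert filename that should be blank, the Use MS Store setting that has no effect, and the missing server validation.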

EAP Types

802.1X EAP types supported by SCU are:

EAP-FAST

Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling

A protocol that was designed to address the vulnerabilities of LEAP while keeping a "lightweight" implementation. It uses a PAC (Protected Access Credential) to create a TLS tunnel where client credentials are verified.

EAP-TLS

Extensible Authentication Protocol-Transport Layer Security

EAP-TLS (created by Microsoft) requires an exchange of proofs of identity through public key cryptography (such as digital certificates). EAP-TLS secures this exchange with an encrypted TLS tunnel, which helps it resist dictionary attacks and MitM (man-in-the-middle) attacks.

EAP-TTLS

Tunneled Transport Layer Security

EAP-TTLS enables WLAN station authentication without requiring the stations to have certificates, which simplifies the architecture of a secure WLAN. User authentication is performed by password, but the password credentials are transported inside an encrypted tunnel established using the server's certificate.

PEAP

Protected Extensible Authentication Protocol or Protected EAP

A protocol that creates an encrypted (and more secure) channel before the password-based authentication occurs.

PEAP-GTC

Generic Token Card

An authentication mechanism that allows generic authentication against a number of databases and uses a one-time password (an OTP is a password that is valid for only a single login session).

PEAP-MSCHAPv2

Protected EAP-Microsoft Challenge Handshake Authentication Protocol - version 2

A protocol designed for a wireless network that is not configured for PKI (public key infrastructure).

PEAP-TLS

Protected Extensible Authentication Protocol-Transport Layer Security

LEAP

Lightweight Extensible Authentication Protocol

A proprietary EAP mutual authentication protocol developed by Cisco Systems that uses a username and password system.

EEPROM

Electrically Erasable Programmable Read-Only Memory; a means of saving information that must remain in the absence of a power supply (non-volatile memory).

Electronic Health Record (EHR)

An electronic health record (EHR) is similar to an electronic medical record with a few identifiable differences (the concept is still in formation). Conceptually, an electronic health record is designed to facilitate sharing between different health care environments, enabling more accurate medical data that follows the patient. This ensures that no matter where a patient is treated, medical personnel have access to the most accurate patient records.

Electronic Medical Record (EMR)

An electronic medical record (EMR) is a computerized medical record analogous to a patient's chart or history. Electronic medical records are built, stored, and maintained in a location where medical treatment is given.

Enable Radio/Disable Radio

Enable Radio/Disable Radio is an SCU Main window feature. When the radio is enabled, select this button (which displays Disable Radio) to disable it. When the radio is disabled, select the same button (which now displays Enable Radio) to enable it. When disabled, the radio does not attempt to make a connection to an access point.

Encryption

Encryption involves scrambling transmitted data so that it can be read only by the intended receiver, which holds the proper key to decrypt (unscramble) the encrypted data.

In SCU, the Encryption setting in a profile can refer not just to an encryption method but also to an authentication method and an encryption key management protocol. The following table provides an explanation of SCU Encryption settings:

Profile Setting   Authentication          Encryption       Key Management
None              None                    None             None
WEP               None                    WEP              Static (in SCU)
WEP EAP           EAP type                WEP              Dynamic (from EAP)
CKIP              None                    WEP+CKIP+CMIC    Static (in SCU)
CKIP EAP          EAP type                WEP+CKIP+CMIC    Dynamic (from EAP)
WPA-PSK           PSK/password (in SCU)   TKIP             WPA
WPA-TKIP          EAP type                TKIP             WPA
WPA CCKM          EAP type                TKIP             WPA+CCKM
WPA2-PSK          PSK/password (in SCU)   AES-CCMP         WPA2
WPA2 AES          EAP type                AES-CCMP         WPA2
WPA2 CCKM         EAP type                AES-CCMP         WPA2+CCKM

End Product Listing (EPL)

Signifies that a Bluetooth module does not require any additional testing or approvals from a global Bluetooth perspective and allows the OEM to fully market their device using the Bluetooth name and logos.

Ethernet

A set of networking technologies intended for LANs (local area networks). Also known as IEEE 802.3.

ETSI

European Telecommunications Standards Institute (ETSI) is the standards body for most of Europe, Africa, the Middle East, and parts of Asia. For more information: http://www.etsi.org/.

According to the Radio and Telecommunications Terminal Equipment (R&TTE) Directive, the manufacturer must issue a Declaration of Conformity (DoC) indicating device compliance with the basic requirements of applicable directives.

For ETSI certifications, all Summit certifications may be leveraged by mobile and portable device vendors as part of their self-declaration to obtain the CE mark required by members of the European Union.

Note: ETSI/CE rules differ from those of the FCC and IC in that there is no provision for a modular approval. All approvals and certifications must exist at the device, rather than the radio module, level.

In some situations, the module's current test reports may not be adequate to support a DoC for the end product:

  • Environmental extremes - The host (end) product may be marketed for a higher or different temperature range or a different voltage range than what was included in the module's original testing.
  • Antenna - The antenna gain used by the host product may differ from the gain in the module's original test reports.
  • Software - The host product may not fully incorporate some of the features present in the operating software used in the original module tests.
  • Module modifications - The integrator may have to modify the module to allow it to operate properly in the host system. If so, the integrator must have a thorough understanding of the impact the changes may have on each of the module tests.

Current versions of ETSI certifications:

  • EN 300 328 (v1.7.1)
  • EN 301 893 (v1.5.1) (a/b/g modules)
  • EN 301 489-1 (v1.8.1) (Council Directive 2004/108/EC on Electromagnetic Compatibility)
  • EN 301 489-17 (v2.1.1) (Council Directive 2004/108/EC on Electromagnetic Compatibility)
  • EN 60950-1 (2006+A1:2010) (Council Directive 2006/95/EC on Low Voltage Equipment Safety)
  • EN 62311:2008 (Assessment of electronic and electrical equipment related to human exposure restrictions for electromagnetic fields)
  • EU 2002/95/EC (RoHS)

Extensible Firmware Interface (EFI)

A replacement for the older BIOS and bootstrap loader. EFI defines an interface between an operating system and platform firmware; it allows the BIOS to choose the operating system upon loading while also enabling vendors to create drivers that cannot be reverse engineered.
