N10-009 · Chapter 125 of 163 · Objective 4.2

EAP Methods for 802.1X

This chapter covers Extensible Authentication Protocol (EAP) methods used with 802.1X for network access control, a key topic in CompTIA Network+ N10-009 Objective 4.2 (Network Security). Understanding EAP methods is critical because they determine how user or device credentials are exchanged and secured during authentication. Expect 2-4 exam questions that test your ability to differentiate EAP methods, identify their security properties, and choose the appropriate method for a given scenario.

25 min read
Intermediate
Updated May 31, 2026

The Hotel Key Card System

Imagine a hotel where guests need to access their rooms, the gym, and the business center. The hotel uses a key card system. When a guest checks in, they present their ID (credentials) at the front desk (authentication server). The front desk verifies the ID against their reservation database (RADIUS server or Active Directory). If valid, they issue a key card programmed with the guest's room number and access permissions (VLAN assignment, ACL). The door lock (authenticator/switch port) doesn't know the guest's identity; it just checks if the key card is valid by reading the magnetic stripe and verifying with the front desk via a secure line (EAP over RADIUS). The key card uses encryption to prevent cloning (EAP-TLS with certificates). If a guest tries to use a card from another hotel (wrong EAP method), the lock rejects it. The front desk can revoke access by deactivating the card in their system (dynamic VLAN change or session termination). This mirrors 802.1X: the supplicant (guest) presents credentials, the authenticator (switch/AP) proxies them to the authentication server (RADIUS), which decides access and returns attributes like VLAN or ACL.

How It Actually Works

What is EAP and Why Does It Exist?

Extensible Authentication Protocol (EAP) is an authentication framework defined in RFC 3748, not a single protocol. It provides a standardized mechanism for network access authentication, allowing various authentication methods to be used within the same framework. EAP is carried directly over the link layer (EAPOL frames on Ethernet and Wi-Fi), so a device can be authenticated before it has an IP address. In 802.1X, EAP is used to authenticate devices and users attempting to connect to a network via a switch port or wireless access point.

How EAP Works with 802.1X

The 802.1X standard (IEEE 802.1X-2010, revised as 802.1X-2020) defines a port-based network access control mechanism. It uses three main entities:

- Supplicant: The client device requesting access (e.g., laptop, smartphone).
- Authenticator: The network device that enforces access control (e.g., switch, wireless access point).
- Authentication Server (AS): Typically a RADIUS server that validates credentials and authorizes access.

EAP messages are encapsulated in 802.1X frames between the supplicant and authenticator, and then relayed to the authentication server using RADIUS (or Diameter). The authenticator acts as a pass-through, forwarding EAP packets without interpreting them.

Common EAP Methods for N10-009

#### 1. EAP-MD5 (MD5-Challenge)

- RFC: 3748, Section 5.4 (a CHAP-style challenge/response, RFC 1994, carried inside EAP)
- How it works: The server sends a random challenge to the supplicant. The supplicant computes MD5 over the EAP Identifier, its password, and the challenge, and sends the digest back. The server repeats the computation with its own copy of the password and compares the two.
- Security: Weak. No mutual authentication (the server is never authenticated to the client), and the challenge and response cross the wire unencrypted, so a sniffer or a rogue authenticator can run an offline dictionary attack against the captured pair. It derives no keying material, so it cannot protect a wireless link at all (WPA2/WPA3-Enterprise require a key-generating method).
- Exam relevance: Rarely used in production; mostly historical. Know that it is the weakest EAP method and should be avoided.
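The computation above in Python, as an added example that is not part of the original chapter: the supplicant's MD5 response, the server's check, and the offline dictionary attack that an eavesdropper or a rogue server can run against a captured challenge/response pair. The identifier, password, challenge bytes and wordlist are constructed sample values.

```python
import hashlib
import hmac
import secrets

# EAP-MD5-Challenge (RFC 3748 section 5.4) reuses the CHAP computation of
# RFC 1994: Response = MD5(Identifier || password || Challenge).


def md5_response(identifier, password, challenge):
    """Supplicant side: the value carried in the EAP-Response/MD5-Challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier, stored_password, challenge, response):
    """Server side: recompute and compare in constant time. Note that the
    server needs the cleartext password (or an equivalent), a weakness in itself."""
    expected = md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """Identifier, Challenge and Response all cross the wire unencrypted (there
    is no TLS tunnel), so anyone who captured them can test passwords offline."""
    for candidate in wordlist:
        if md5_response(identifier, candidate.encode(), challenge) == response:
            return candidate
    return None


def rogue_server_harvest(identifier, victim_password, wordlist):
    """No server authentication: whatever answers the EAPOL exchange first may
    choose the challenge and collect the response. The victim supplicant is
    simulated here with its (constructed) password."""
    challenge = secrets.token_bytes(16)        # attacker's choice; could even be fixed
    response = md5_response(identifier, victim_password, challenge)
    return offline_dictionary_attack(identifier, challenge, response, wordlist)


def demo():
    """Constructed capture of one legitimate exchange, then the offline attack."""
    identifier, password = 7, b"Summer2024"
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    response = md5_response(identifier, password, challenge)
    assert server_verify(identifier, password, challenge, response)
    wordlist = ["password", "Winter2023", "letmein", "Summer2024"]
    return offline_dictionary_attack(identifier, challenge, response, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The attack needs nothing beyond the three values visible in the two EAP packets; the only thing rate-limiting it is the attacker's wordlist, which is why a tunnelled method or a certificate-based one replaces EAP-MD5 in practice.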

#### 2. EAP-TLS (Transport Layer Security)

- RFC: 5216
- How it works: A full TLS handshake runs inside EAP. The server presents its X.509 certificate and the client presents its own; each side validates the other's chain, and the client proves possession of its private key with a TLS CertificateVerify signature, so the key itself never leaves the device.
- Security: Very strong. Certificate-based mutual authentication, and the TLS master secret yields the keying material (MSK) from which the WPA2/WPA3 PMK is derived. It is the gold standard for 802.1X.
- Deployment challenge: Requires a Public Key Infrastructure (PKI) to issue, renew, and revoke certificates on every client device. This can be complex and costly.
- Exam relevance: You will likely see questions about EAP-TLS being the most secure but requiring certificates.

#### 3. EAP-TTLS (Tunneled Transport Layer Security)

- RFC: 5281
- How it works: Only the server must present a certificate; the client validates it and a TLS tunnel is established. Inside the tunnel the client authenticates with another method, carried as RADIUS-style AVPs (PAP, CHAP, MS-CHAPv2, or a nested EAP method). This protects legacy password protocols from eavesdropping.
- Security: Strong as long as the client validates the server certificate. The outer tunnel provides confidentiality; the inner method may be weak (e.g., PAP) but is protected. Mutual authentication is achieved because the client authenticates inside a tunnel it has already bound to a verified server certificate.
- Exam relevance: EAP-TTLS is often compared to PEAP. Know that EAP-TTLS does not require client certificates, making it easier to deploy than EAP-TLS.

#### 4. PEAP (Protected Extensible Authentication Protocol)

- Developed by: Microsoft, Cisco, RSA
- How it works: Similar to EAP-TTLS. Creates a TLS tunnel using a server certificate. Inside the tunnel, a second EAP method (commonly EAP-MS-CHAPv2 or EAP-GTC) authenticates the client.
- Versions:

PEAPv0 (Microsoft): Uses EAP-MS-CHAPv2 as the inner method (most common).

PEAPv1 (Cisco): Uses EAP-GTC (Generic Token Card), typically for one-time passwords.

Security: Strong. The outer TLS tunnel protects the inner authentication. Server certificate is required; client certificate is optional.

Exam relevance: PEAP is widely used in Windows environments. It is often compared to EAP-TTLS. The key difference: PEAP always uses EAP as the inner method, while EAP-TTLS can use non-EAP methods.

#### 5. EAP-FAST (Flexible Authentication via Secure Tunneling)

- Developed by: Cisco (published as RFC 4851)
- How it works: Uses a Protected Access Credential (PAC) instead of a certificate to establish a TLS tunnel. The PAC is a shared secret distributed to the client either manually or via an automatic provisioning process (Phase 0); the authenticated tunnel (Phase 1) then carries an inner method such as MS-CHAPv2 (Phase 2).
- Versions:

EAP-FASTv1: Server-side certificate authentication is optional; the PAC alone can establish the tunnel.

EAP-FASTv2: Adds EAP chaining, so machine and user credentials are authenticated in one session (used with Cisco ISE).

Security: Strong when properly configured. The PAC is a shared secret that can be compromised if not protected, and anonymous in-band PAC provisioning (an unauthenticated Diffie-Hellman TLS handshake) can be intercepted by a rogue server; prefer authenticated provisioning, where the server presents a certificate during Phase 0.

Exam relevance: EAP-FAST is Cisco proprietary but widely deployed in Cisco wireless environments. It avoids the need for a PKI.

#### 6. LEAP (Lightweight Extensible Authentication Protocol)

- Developed by: Cisco (pre-802.1X standard); IANA EAP type 17
- How it works: A modified MS-CHAP challenge/response (commonly listed as MS-CHAPv2) with no TLS tunnel. The server challenges the client, the client returns a response derived from the NT password hash, and the client then challenges the server.
- Security: Weak. The challenge/response pairs are sent unencrypted and the MS-CHAP construction is vulnerable to offline dictionary attacks, so a captured exchange is enough to recover weak passwords. Should not be used.
- Exam relevance: Legacy protocol. Know that LEAP is deprecated and insecure.

Key Components, Values, and Defaults

EAP Identity: The first EAP packet is typically an EAP-Request/Identity from the authenticator. The client responds with a username (e.g., "user@domain.com"). This outer identity is sent in cleartext, so tunneled methods (PEAP, EAP-TTLS) let the supplicant send an anonymous outer identity (e.g., "anonymous@domain.com") and reveal the real username only inside the TLS tunnel; the server still uses the realm part to route the request.

EAP Types: Each EAP method has a Type Code assigned by IANA. For example:

- Identity: Type 1
- EAP-MD5: Type 4
- EAP-TLS: Type 13
- LEAP: Type 17
- EAP-TTLS: Type 21
- PEAP: Type 25
- EAP-FAST: Type 43

RADIUS Attributes: EAP messages are encapsulated in RADIUS Access-Request, Access-Challenge, Access-Accept, and Access-Reject packets. The EAP-Message attribute (79) carries the EAP payload, split across several attributes when it exceeds 253 bytes, and every packet carrying it must also carry a Message-Authenticator (80) attribute (RFC 3579).

Timers: The authenticator typically uses a timeout of 30 seconds for EAP requests. If no response arrives, it retries two or three times before failing authentication.

Configuration and Verification Commands

On a Cisco switch (IOS), 802.1X configuration might look like:

! Enable AAA and point 802.1X (and network authorization, which is needed
! for RADIUS-assigned VLANs and ACLs) at the RADIUS server group
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Configure RADIUS server (the shared secret is a placeholder)
radius server RADIUS_SERVER
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key mysecretkey
! 802.1X must be enabled globally before any port enforces it
dot1x system-auth-control
! Enable 802.1X on an interface
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
! Verify
show authentication sessions
show dot1x all

For wireless (Cisco WLC), EAP methods are configured in the security profile under 802.1X authentication.

Interaction with Related Technologies

RADIUS: The authentication server typically uses RADIUS to communicate with the authenticator. EAP messages are carried as RADIUS attributes (EAP-Message, Message-Authenticator).

VLAN Assignment: After successful authentication, the RADIUS server can return the Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID (the VLAN ID or name) attributes to assign the client to a specific VLAN; the switch must be configured to honor RADIUS authorization (on Cisco IOS, aaa authorization network).

Dynamic ACL: RADIUS can also return ACL attributes (a Filter-Id naming an ACL already on the switch, or a vendor-specific downloadable ACL) to filter traffic per user.

MAB (MAC Authentication Bypass): For devices that do not support 802.1X, MAC address authentication can be used as a fallback.

Guest VLAN and Critical VLAN: If authentication fails or the RADIUS server is unreachable, the switch can place the client in a restricted VLAN.

Security Considerations

Man-in-the-Middle: Without mutual authentication, attackers can impersonate the server (a rogue access point or switch) and harvest credentials. Methods with server-side certificates (EAP-TLS, PEAP, EAP-TTLS) prevent this only when the supplicant actually validates that certificate and checks the server name.

Session Hijacking: After authentication, the EAP method exports a Master Session Key (MSK); the server passes it to the authenticator, which uses it as the PMK for the WPA2/WPA3 4-way handshake that protects the data frames. Methods that export no keys (EAP-MD5) cannot secure a wireless session, and LEAP's WEP-era key derivation is not considered secure.

Certificate Validation: For every TLS-based method, and above all for PEAP and EAP-TTLS, the supplicant must validate the server certificate against the expected CA and check the server name; a client that skips this will complete the handshake with a rogue access point and hand it the inner MS-CHAPv2 challenge/response for offline cracking. In EAP-TLS the client's private key is never exposed, but an unvalidated server still learns the client's identity.

Inner Method Security: In tunneled methods the inner authentication should be the strongest available (EAP-MS-CHAPv2, or an inner EAP-TLS). MS-CHAPv2 on its own is crackable, so it is only as safe as the tunnel around it; PAP inside the tunnel is protected on the wire but delivers the password itself to the RADIUS server.
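A supplicant-side illustration of the certificate-validation point, as an added example that is not from the chapter: two wpa_supplicant network blocks for PEAP, the first configured the way it is commonly (and wrongly) done, the second pinning the issuing CA and the RADIUS server's certificate name. The SSID, identities, password, CA path and server name are placeholders.

```conf
# WEAK: no ca_cert and no server-name check, so the supplicant completes PEAP
# against any AP that presents any certificate and hands its MS-CHAPv2
# challenge/response to a rogue AP for offline cracking.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.com"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust only the CA that issued the RADIUS server's certificate,
# require that certificate to carry the expected server name, and keep the
# real username out of the cleartext outer identity.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="jdoe@example.com"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

Trusting a public CA without domain_match is the same mistake in disguise: any certificate that CA has ever issued would satisfy the check, so the name pin is what actually binds the tunnel to your RADIUS server.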

Exam-Specific Details

CompTIA Network+ N10-009 expects you to know the differences between EAP methods, especially which require certificates and which provide mutual authentication.

Common exam scenario: "A company wants to deploy 802.1X without issuing certificates to clients. Which EAP method should they use?" Answer: PEAP or EAP-TTLS.

Another scenario: "Which method is the most secure?" Answer: EAP-TLS.

Remember: LEAP and EAP-MD5 are weak and should not be used in modern networks.

Walk-Through

1

Supplicant connects to network

When a client device connects to an 802.1X-enabled switch port or wireless network, the port is in an unauthorized state (only EAPOL traffic is allowed). The authenticator (switch/AP) detects the link-up event (or an EAPOL-Start from the supplicant) and sends an EAP-Request/Identity packet. At the frame level this is an EAPOL (EAP over LAN, EtherType 0x888E) frame addressed to the PAE group MAC address 01:80:C2:00:00:03; once the supplicant's MAC is known, later frames are sent unicast. The supplicant must respond within a timeout (default 30 seconds) or the request is retried and, after the retry limit, the port stays blocked.

2

Supplicant sends identity

The supplicant responds with an EAP-Response/Identity packet containing a username (e.g., "jdoe@example.com"). This identity is sent in cleartext unless the EAP method later creates a tunnel. The authenticator receives this packet and encapsulates it in a RADIUS Access-Request packet (with EAP-Message attribute) and forwards it to the RADIUS server. The RADIUS server uses this identity to look up the user's authentication method.

3

RADIUS server challenges supplicant

Based on the configured EAP method, the RADIUS server sends an EAP-Request packet (e.g., an EAP-TLS Start that prompts the supplicant's TLS ClientHello, or an MD5-Challenge). This is encapsulated in a RADIUS Access-Challenge message. The authenticator forwards the EAP-Request to the supplicant, which must process the request and generate an appropriate response. For certificate-based methods, the following round trips exchange certificate chains, fragmented across several EAP packets when they exceed the link MTU.

4

EAP authentication exchange

Multiple EAP request/response exchanges occur until authentication is complete. For example, in EAP-TLS, this includes certificate validation, cipher suite negotiation, and key exchange. In PEAP, a TLS tunnel is established first, then inner EAP authentication (e.g., MS-CHAPv2) occurs inside the tunnel. Each EAP packet is relayed through the authenticator. The authenticator does not interpret these packets; it simply forwards them.

5

RADIUS server sends accept or reject

After successful authentication, the RADIUS server sends an Access-Accept packet containing an EAP-Success message. This packet may also include authorization attributes like VLAN assignment (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) or an ACL, and for wireless it carries the session key material (MS-MPPE-Recv-Key/MS-MPPE-Send-Key) that the access point uses as the PMK for the WPA2/WPA3 4-way handshake. If authentication fails, an Access-Reject with EAP-Failure is sent. The authenticator relays the EAP-Success or EAP-Failure to the supplicant in an EAPOL frame and changes the port state: for success, the port becomes authorized and normal traffic is allowed; for failure, the port remains blocked or is placed in a guest/restricted VLAN.
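The five steps above, together with the EAP type codes, the RADIUS EAP-Message encapsulation and the dynamic VLAN attributes from the Key Components and Interaction sections, as one added simulation (example code, not from the chapter or any vendor): a supplicant, a pass-through authenticator and a RADIUS server exchange EAPOL-framed EAP packets using EAP-MD5 (type 4) as the method, and the port's state and VLAN are set only from the RADIUS code and Tunnel-* attributes, never from the EAP payload. The username, password, VLAN and class names are assumptions; the RADIUS packet header and Message-Authenticator are omitted and only the attribute list is modelled.

```python
import hashlib
import secrets
import struct

# EAP codes (RFC 3748) and the IANA method types listed in this chapter.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPES = {1: "Identity", 4: "EAP-MD5", 13: "EAP-TLS", 17: "LEAP",
             21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
# RADIUS codes and attribute numbers (RFC 2865, RFC 2868, RFC 3579).
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ATTR_EAP_MESSAGE, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_PRIV_GROUP = 79, 64, 65, 81

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header: Code(1) Identifier(1) Length(2), then optional Type(1) + Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    eap_type = pkt[4] if length > 4 else None
    return {"code": code, "id": ident, "type": eap_type,
            "method": EAP_TYPES.get(eap_type), "data": pkt[5:length]}

def eapol_frame(eap):
    """EAPOL header: Version(1)=2, Packet Type(1)=0 (EAP-Packet), Body Length(2)."""
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

def eap_message_attrs(eap):
    """EAP-Message (79) has a one-byte length: split into chunks of at most 253 bytes."""
    return [bytes([ATTR_EAP_MESSAGE, 2 + len(c)]) + c
            for c in (eap[i:i + 253] for i in range(0, len(eap), 253))]

def vlan_attrs(vlan_id, tag=1):
    """Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan>."""
    def tagged_int(attr, value):               # tagged attributes carry a leading tag byte
        return bytes([attr, 6, tag]) + struct.pack("!I", value)[1:]
    gid = vlan_id.encode()
    return [tagged_int(ATTR_TUNNEL_TYPE, 13), tagged_int(ATTR_TUNNEL_MEDIUM, 6),
            bytes([ATTR_TUNNEL_PRIV_GROUP, 3 + len(gid), tag]) + gid]

def md5_response(ident, password, challenge):
    """EAP-MD5 (RFC 3748 5.4 / RFC 1994): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class RadiusServer:
    """handle() stands in for one Access-Request (User-Name + EAP-Message) and
    returns the RADIUS reply code plus its attribute list."""
    def __init__(self, users):                 # {username: (password, vlan_id)}, assumed
        self.users, self.sessions = users, {}
    def handle(self, username, eap):
        req = parse_eap(eap)
        if req["type"] == 1:                   # Response/Identity: issue MD5-Challenge
            challenge = secrets.token_bytes(16)
            self.sessions[username] = (req["id"] + 1, challenge)
            chal = eap_packet(EAP_REQUEST, req["id"] + 1, 4, bytes([16]) + challenge)
            return ACCESS_CHALLENGE, eap_message_attrs(chal)
        if req["type"] == 4 and username in self.users and username in self.sessions:
            ident, challenge = self.sessions.pop(username)
            password, vlan = self.users[username]
            if req["id"] == ident and req["data"][1:17] == md5_response(ident, password, challenge):
                return ACCESS_ACCEPT, eap_message_attrs(eap_packet(EAP_SUCCESS, ident)) + vlan_attrs(vlan)
        return ACCESS_REJECT, eap_message_attrs(eap_packet(EAP_FAILURE, req["id"]))

class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
    def respond(self, frame):
        req = parse_eap(frame[4:])             # strip the EAPOL header
        if req["type"] == 1:
            return eap_packet(EAP_RESPONSE, req["id"], 1, self.identity.encode())
        if req["type"] == 4:
            size = req["data"][0]
            resp = md5_response(req["id"], self.password, req["data"][1:1 + size])
            return eap_packet(EAP_RESPONSE, req["id"], 4, bytes([16]) + resp)
        return None                            # Success/Failure need no reply

def run_8021x(supplicant, server):
    """Authenticator (switch port): relays EAP untouched; port state comes from RADIUS."""
    port = {"state": "unauthorized", "vlan": None}
    frame = eapol_frame(eap_packet(EAP_REQUEST, 1, 1))   # Request/Identity to 01:80:C2:00:00:03
    username = None
    while True:
        reply = supplicant.respond(frame)
        if reply is None:
            return port
        parsed = parse_eap(reply)
        username = parsed["data"].decode() if parsed["type"] == 1 else username
        code, attrs = server.handle(username, reply)       # one RADIUS round trip
        eap = b"".join(a[2:] for a in attrs if a[0] == ATTR_EAP_MESSAGE)
        frame = eapol_frame(eap)               # next Request, Success or Failure goes back down
        if code == ACCESS_CHALLENGE:
            continue
        if code == ACCESS_ACCEPT:
            port["state"] = "authorized"
            for a in attrs:
                if a[0] == ATTR_TUNNEL_PRIV_GROUP:
                    port["vlan"] = a[3:].decode()
        return port

if __name__ == "__main__":
    users = {"jdoe@example.com": (b"Summer2024", "10")}      # constructed user database
    print(run_8021x(Supplicant("jdoe@example.com", b"Summer2024"), RadiusServer(users)))
    print(run_8021x(Supplicant("jdoe@example.com", b"wrong"), RadiusServer(users)))
```

Two details worth noticing: the authenticator never looks past the EAP header, and an EAP-Success that arrived without a matching Access-Accept would not open the port, which is exactly why the RADIUS shared secret and Message-Authenticator (left out here) matter in a real deployment.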

What This Looks Like on the Job

Enterprise Scenario 1: Corporate Wireless Network with EAP-TLS

A large enterprise with 10,000 employees deploys a wireless network using 802.1X and EAP-TLS. Each employee laptop is issued a machine certificate from the internal PKI (Active Directory Certificate Services), typically through auto-enrollment. When a user connects to the corporate SSID, the supplicant (Windows native Wi-Fi client) initiates EAP-TLS. The RADIUS server (e.g., NPS) validates the client certificate chain against the CA and checks revocation status via CRL/OCSP, and the supplicant validates the server certificate and its name in turn. After mutual authentication both sides hold the EAP Master Session Key; the RADIUS server hands it to the access point in the Access-Accept, where it becomes the Pairwise Master Key (PMK) for the WPA2-Enterprise 4-way handshake. The user is placed in the corporate VLAN (VLAN 10) with full network access. This setup is highly secure but requires significant PKI management. Common issues include expired certificates, unreachable CRL distribution points (the server may reject a client whose revocation status it cannot check), and supplicant misconfiguration (e.g., not validating the server certificate). Performance is good; a full authentication takes about 1-2 seconds, and TLS session resumption shortens reconnects.

Enterprise Scenario 2: University Campus with PEAP

A university with 30,000 students uses PEAP-MS-CHAPv2 for its eduroam wireless network. Students authenticate using their university credentials (username and password). The server presents a certificate signed by a public CA (e.g., DigiCert). Students' devices (phones, laptops) must be configured not only to trust that CA but also with the expected server name, because trusting a public CA alone would accept any certificate that CA has ever issued. Inside the TLS tunnel, MS-CHAPv2 exchanges challenge/response values derived from the NT password hash, never the password itself. This method is easier to deploy than EAP-TLS because no client certificates are needed. However, password security is weaker; compromised passwords can lead to unauthorized access. The university implements account lockout and multi-factor authentication for critical systems. Common problems: users not trusting the server certificate (causes connection failures), users accepting a certificate warning without checking it (which hands a rogue access point their MS-CHAPv2 exchange), and some legacy devices not supporting PEAP.

Enterprise Scenario 3: Wired 802.1X with EAP-FAST

A Cisco-centric manufacturing plant uses EAP-FAST for wired switch port security. Employees plug their laptops into Ethernet jacks. The switch (Cisco Catalyst) is configured for 802.1X with EAP-FAST. The RADIUS server is Cisco ISE. Clients are provisioned with a PAC (Protected Access Credential) via automatic provisioning (EAP-FASTv1), using authenticated provisioning so that the server presents a certificate during Phase 0 rather than the anonymous variant a rogue server could intercept. The PAC is stored securely on the client. When connecting, the client and server establish a TLS tunnel using the PAC, then authenticate using MS-CHAPv2 inside. This avoids the need for a client-side PKI. The plant uses dynamic VLAN assignment: engineering VLAN for engineers, guest VLAN for visitors. Issues: PAC expiration and manual provisioning for non-Cisco devices.

How N10-009 Actually Tests This

What N10-009 Tests on EAP Methods (Objective 4.2)

CompTIA Network+ N10-009 expects you to:

Identify the characteristics of common EAP methods (EAP-TLS, PEAP, EAP-TTLS, EAP-FAST, LEAP, EAP-MD5).

Choose the appropriate EAP method based on security requirements and deployment constraints.

Understand that EAP-TLS requires certificates on both server and client.

Know that PEAP and EAP-TTLS require only a server certificate.

Recognize that LEAP and EAP-MD5 are deprecated due to security weaknesses.

Understand that EAP-FAST uses a PAC instead of certificates.

Common Wrong Answers and Why Candidates Choose Them

1.

Choosing EAP-TLS for a scenario with no PKI: Candidates see 'most secure' and pick EAP-TLS, forgetting it needs client certificates. The correct answer is usually PEAP or EAP-TTLS.

2.

Confusing PEAP and EAP-TTLS: Both use a TLS tunnel with server certificate. The exam may ask which uses EAP as the inner method (PEAP always does; EAP-TTLS can use other methods).

3.

Thinking LEAP is acceptable: LEAP is still found in legacy environments, but the exam considers it insecure. Candidates may pick it if they don't know it's deprecated.

4.

Assuming EAP-MD5 provides mutual authentication: It does not; only the client authenticates to the server, and the server never proves its identity. Candidates might think it's mutual because of the challenge-response.

Specific Numbers and Terms That Appear Verbatim

EAP-TLS: RFC 5216, mutual certificate authentication.

PEAP: Developed by Microsoft, Cisco, RSA; inner method EAP-MS-CHAPv2.

EAP-TTLS: RFC 5281; inner authentication can be PAP, CHAP, MS-CHAPv2, or EAP.

EAP-FAST: Cisco proprietary; uses PAC.

LEAP: Cisco proprietary; uses MS-CHAPv2; deprecated.

EAP-MD5: Type 4; no mutual authentication.

Edge Cases the Exam Tests

What if a device does not support 802.1X? Use MAC Authentication Bypass (MAB) as fallback.

What if the RADIUS server is unreachable? Critical VLAN or last resort VLAN.

What if the client certificate is expired? EAP-TLS will fail.

Can EAP-TTLS use certificates for inner authentication? Yes, but it's not required.

How to Eliminate Wrong Answers

If the question says "no PKI" or "no client certificates," eliminate EAP-TLS. PEAP and EAP-TTLS are the usual answers (they need only a server certificate); EAP-FAST also avoids a PKI, but it is Cisco-specific and needs PAC provisioning, so expect it only in a Cisco-framed scenario.

If the question says "most secure," choose EAP-TLS.

If the question mentions "Cisco," EAP-FAST or LEAP might be referenced.

If the question says "legacy" or "weak," choose LEAP or EAP-MD5.

Always check for a mutual authentication requirement: EAP-TLS, PEAP, EAP-TTLS, and EAP-FAST provide it. EAP-MD5 does not, and although LEAP exchanges challenges in both directions, its MS-CHAP construction is so weak that the exam does not credit it with mutual authentication.

Key Takeaways

EAP-TLS requires certificates on both client and server; it is the most secure but most complex to deploy.

PEAP and EAP-TTLS require only a server certificate; they use a TLS tunnel to protect inner authentication.

EAP-TTLS can encapsulate non-EAP protocols inside the tunnel; PEAP always uses EAP as the inner method.

EAP-FAST uses a PAC (Protected Access Credential) instead of certificates; it is Cisco proprietary.

LEAP and EAP-MD5 are deprecated due to security weaknesses; they should not be used in modern networks.

The authenticator (switch/AP) relays EAP messages between supplicant and RADIUS server without interpretation.

After successful authentication, the RADIUS server can return VLAN or ACL attributes for dynamic access control.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

EAP-TLS

Requires certificates on both server and client.

Provides mutual authentication via certificate exchange.

Considered the most secure EAP method.

Deployment complexity is high due to PKI requirements.

RFC 5216.

PEAP

Requires only a server certificate.

Provides mutual authentication via TLS tunnel + inner EAP.

Inner method is typically EAP-MS-CHAPv2 (password-based).

Easier to deploy than EAP-TLS; no client certificates needed.

Developed by Microsoft, Cisco, RSA.

Watch Out for These

Mistake

EAP-MD5 provides mutual authentication.

Correct

EAP-MD5 only authenticates the client to the server; the server is not authenticated to the client. This allows man-in-the-middle attacks where a fake server can capture credentials.

Mistake

PEAP and EAP-TTLS are identical.

Correct

PEAP always uses EAP as the inner authentication method (e.g., EAP-MS-CHAPv2), while EAP-TTLS can encapsulate any authentication protocol (PAP, CHAP, MS-CHAPv2, or even EAP). PEAP was developed by Microsoft and Cisco; EAP-TTLS is defined in RFC 5281.

Mistake

EAP-TLS requires only a server certificate.

Correct

EAP-TLS requires certificates on both the server and the client (mutual certificate authentication). This is a key differentiator from PEAP and EAP-TTLS.

Mistake

LEAP is secure because it uses MS-CHAPv2.

Correct

MS-CHAPv2 is vulnerable to dictionary attacks and offline cracking. LEAP does not use a TLS tunnel, so the challenge/response exchange crosses the wire unencrypted, making it easy to capture and crack.

Mistake

EAP-FAST requires a PKI.

Correct

EAP-FAST uses a Protected Access Credential (PAC) instead of certificates. While it can optionally use certificates, the main advantage is avoiding a PKI.


Frequently Asked Questions

Which EAP method is the most secure?

EAP-TLS is considered the most secure because it requires certificates on both the server and client, providing mutual authentication and strong encryption. It is the gold standard for 802.1X. However, it requires a PKI to manage certificates, which adds complexity.

What is the difference between PEAP and EAP-TTLS?

Both create a TLS tunnel using a server certificate, but PEAP always uses EAP as the inner authentication method (e.g., EAP-MS-CHAPv2), while EAP-TTLS can encapsulate any authentication protocol (PAP, CHAP, MS-CHAPv2, or even EAP). PEAP is more common in Windows environments.

Does EAP-MD5 provide mutual authentication?

No. EAP-MD5 only authenticates the client to the server; the server is not authenticated. This makes it vulnerable to man-in-the-middle attacks. It is considered weak and should not be used.

What is a PAC in EAP-FAST?

A Protected Access Credential (PAC) is a shared secret used to establish a TLS tunnel in EAP-FAST. It is provisioned to the client either manually or via automatic provisioning. PACs avoid the need for a PKI but must be stored securely.

Can I use EAP-TLS without a client certificate?

No. EAP-TLS requires both the server and client to present valid certificates. Without a client certificate, the server cannot authenticate the client, and the method fails. Use PEAP or EAP-TTLS if client certificates are not feasible.

Why is LEAP considered insecure?

LEAP uses MS-CHAPv2 without a TLS tunnel, so the challenge/response exchange crosses the wire unencrypted. MS-CHAPv2 is vulnerable to dictionary attacks and offline cracking, so an attacker who captures the exchange can recover the password. LEAP is deprecated.

What happens if the RADIUS server is unreachable during 802.1X?

The authenticator can be configured to use a critical VLAN or last resort VLAN, allowing limited network access. Alternatively, the port may remain unauthorized. This is a common exam scenario.

