Authenticating a client normally requires a challenge, then a response, then a decision on whether to grant access. The challenge and response can involve a range of keys and cryptographic algorithms, each with its own requirements for passing information between the client and the access point.
Extensible Authentication Protocol (EAP) provides a framework on which different authentication methods can be built.
Extensible Authentication Protocol does not define any authentication methods of its own; instead it defines a common set of functions and message exchanges that those methods use to authenticate a client.
Extensible Authentication Protocol can integrate with 802.1X port-based access control, which blocks access to the network until the client has authenticated.
This means a wireless client may be able to join a wireless network, but it won't get access beyond the access point's network port until it has authenticated.
Open Authentication and pre-shared keys (PSK) keep the authentication gate at the access point. With 802.1X the client can openly associate with the access point, but the actual decision on network access is made by a network server. 802.1X is a three-party system: the supplicant, which is the client; the authenticator, which is the network device providing access to the network; and the authentication server, which takes the client's credentials and permits or denies access based on its policies.
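The three-party exchange described above, as an added example that is not part of the original text: a toy Python model in which the authenticator only relays EAP between the supplicant and the authentication server, and opens its controlled port only after the server answers Access-Accept. The credential store, the HMAC-based challenge/response and the message names are constructed stand-ins for a real EAP method and RADIUS backend.

```python
import hashlib
import hmac
import os

# Constructed credential store held by the authentication server (not a real RADIUS backend).
USERS = {"alice": b"alice-secret"}


class AuthenticationServer:
    """Holds policy and credentials; never sees the wireless link directly."""

    def __init__(self, users):
        self.users, self.pending = users, {}

    def access_request(self, identity, eap_response):
        if identity not in self.users:
            return ("Access-Reject", None)
        if eap_response is None:  # first round: issue a method challenge
            self.pending[identity] = os.urandom(16)
            return ("Access-Challenge", self.pending[identity])
        expected = hmac.new(self.users[identity], self.pending.pop(identity), hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, eap_response)
        return ("Access-Accept", None) if ok else ("Access-Reject", None)


class Supplicant:
    """The client. It only ever talks to the authenticator."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def answer(self, challenge):
        # Constructed challenge/response; a real deployment uses an EAP method such as PEAP or EAP-TLS.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """AP/controller: relays EAP to the server and gates the port on the server's verdict."""

    def __init__(self, server):
        self.server, self.port_authorized = server, False

    def forward_data(self, frame):
        # Controlled port: non-EAPOL traffic is dropped until authentication succeeds.
        return self.port_authorized

    def run_8021x(self, supplicant):
        identity = supplicant.identity  # EAP-Request/Identity -> EAP-Response/Identity
        code, challenge = self.server.access_request(identity, None)  # relayed as Access-Request
        if code == "Access-Challenge":
            code, _ = self.server.access_request(identity, supplicant.answer(challenge))
        self.port_authorized = code == "Access-Accept"  # EAP-Success opens the port
        return "EAP-Success" if self.port_authorized else "EAP-Failure"
```

The authenticator never inspects the credentials; it only learns the outcome, which is why the policy and the user database can live on a central server rather than on every access point.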
To utilise Extensible Authentication Protocol and 802.1X, the Enterprise modes of WPA1, WPA2, and WPA3 should be used.
Enterprise mode supports many EAP methods such as LEAP, EAP-FAST, PEAP, EAP-TLS, EAP-TTLS, and EAP-SIM.
Cisco wireless controllers can utilise either an external RADIUS server or a local EAP server on the wireless controller itself for 802.1X authentication.