EAP over RADIUS

EAP over RADIUS

EAP over RADIUS is not an EAP type; it is the passing of EAP messages of any EAP type by the access server to a RADIUS server for authentication. An EAP message sent between the access client and access server is formatted as the EAP-Message RADIUS attribute (RFC 2869, section 5.13) and sent in a RADIUS message between the access server and the RADIUS server. The access server becomes a pass-through device, passing EAP messages between the access client and the RADIUS server. EAP message processing occurs at the access client and the RADIUS server, not at the access server. This relationship is shown in Figure 5-6.

Figure 5-6. EAP over RADIUS.

EAP over RADIUS is used in environments where RADIUS is the authentication provider. An advantage of using EAP over RADIUS is that EAP types do not need to be installed at each access server, only at the RADIUS server. However, the access server must support the negotiation of EAP as an authentication protocol and the passing of EAP messages to a RADIUS server.

In a typical use of EAP over RADIUS, the access server is configured to use EAP and to use RADIUS as its authentication provider. Because EAP is part of the IEEE 802.1X standard, you must enable IEEE 802.1X authentication to enable a wireless AP to use EAP.

When a connection attempt is made, the access client negotiates the use of EAP with the access server. When the client sends an EAP message to the access server, the access server encapsulates the EAP message as the EAP-Message attribute of a RADIUS Access-Request message and sends it to its configured RADIUS server. The RADIUS server processes the EAP message in the EAP-Message attribute and sends an EAP response message as a RADIUS Access-Challenge message with the EAP-Message attribute to the access server. The access server then forwards the EAP message to the access client.