EAP-based authentication is a generic protocol standardized by the Internet Engineering Task Force (IETF) that offers more comprehensive authentication methods, including credentials such as SIM cards and security certificates. The EAP framework was originally developed to support authentication over a PPP link and was then rapidly adopted by newer technologies. Established technologies such as IPsec, via the Internet Key Exchange protocol version 2 (IKEv2), and Ethernet, via port-based network access control, gained more robust authentication methods as a result. EAP methods are usually transported by AAA protocols and are used to establish security associations through protocols such as IKEv2 or the MSCHAP handshake.
Support for EAP methods is generally available in both the AAA server and the device (any 802.11-compliant wireless device). The EAP peer is the entity that needs to be authenticated and that responds to the authenticator; for example, the EAP peer can be a mobile node (client) trying to obtain access to the network. The authenticator (AP) is the entity that requests EAP peer authentication. The authenticator can implement different EAP methods to verify the credentials sent by the EAP peer through the EAP protocol, while the EAP exchange itself takes place between the EAP peer and the AAA server. There are many variants* of EAP authentication methods; the main ones are described below.
In a GSM-based network, the mobile node performs SIM authentication via EAP carried over the Remote Authentication Dial-In User Service (RADIUS) protocol, a method known as EAP-SIM. Subscriber provisioning, authentication and service authorization are inherited from the GSM services already in place, without changes to the mobile network elements.
In a UMTS-based network, EAP-AKA authentication is implemented with a key derivation that binds the session keys to the access network credential, typically a Universal Subscriber Identity Module (USIM). The AKA method is based on a challenge-response mechanism for mutual authentication, which limits the effects of compromised access network nodes and keys.
EAP-TLS is defined in RFC 5216. The security of Transport Layer Security (TLS) is strong; it uses a public key infrastructure (PKI) to secure mutual authentication between client and server. Both the client and the server must be issued a digital certificate signed by a Certificate Authority (CA) that they both trust.
The Tunneled TLS EAP method (EAP-TTLS) works very similarly to EAP-PEAP. It does not require the client to authenticate to the server with a certificate signed by the CA; instead, the server authenticates the client inside the secure TLS tunnel using a password and key exchange mechanism.
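To make the framework concrete, here is a small parser for the EAP packet header (RFC 3748) that recognises the method types discussed above and decodes the flags octet that EAP-TLS (RFC 5216) and the tunnelled methods prepend to their data. It is an added example, not code from the Greenpacket solution; the sample packets are constructed inline, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP method Type numbers; the named methods are the ones this page covers.
METHOD_NAMES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 18: "EAP-SIM",
                21: "EAP-TTLS", 23: "EAP-AKA", 25: "PEAP"}
TLS_BASED = {13, 21, 25}  # Type-Data begins with a flags octet (L, M, S bits)


@dataclass
class EapPacket:
    code: str
    identifier: int
    method: Optional[str]      # None for Success/Failure, which carry no Type
    data: bytes
    tls_flags: Optional[dict] = None


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet; raise ValueError where RFC 3748 says to discard it."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 octets")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in CODE_NAMES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(raw):
        raise ValueError("Length field inconsistent with received octets")
    body = raw[4:length]               # octets beyond Length are link-layer padding
    if code in (3, 4):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 octets")
        return EapPacket(CODE_NAMES[code], ident, None, b"")
    if not body:
        raise ValueError("Request/Response needs a Type octet")
    mtype, data = body[0], body[1:]
    method = METHOD_NAMES.get(mtype, f"type-{mtype}")
    flags = None
    if mtype in TLS_BASED and data:
        f = data[0]
        flags = {"length_included": bool(f & 0x80), "more_fragments": bool(f & 0x40),
                 "start": bool(f & 0x20), "version": f & 0x07}
    return EapPacket(CODE_NAMES[code], ident, method, data, flags)


# Constructed sample packets (not captured traffic): an EAP-Response/Identity,
# an EAP-Request/EAP-TLS Start and an EAP-Success.
IDENTITY_RESPONSE = bytes([2, 1, 0, 21, 1]) + b"user@example.com"
TLS_START_REQUEST = bytes([1, 2, 0, 6, 13, 0x20])
SUCCESS = bytes([3, 4, 0, 4])
```

Feeding the parser a packet whose Length exceeds the received octets raises ValueError, matching the RFC's rule that such packets are silently discarded.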
*The list is not exhaustive; many more methods are defined in IETF Internet Drafts. The Greenpacket solution supports EAP-SIM, EAP-AKA, EAP-TTLS and EAP-TLS.