I have been reading a little bit about authentication methods. I have read about RADIUS and about EAP. I just don't understand the connection between them.
RADIUS is a authentication protocol which uses shared secret and other methods to make a safe authentication, and EAP is more of a generic protocol. I know that EAP doesn't do anything on its own (that it's just a framework), and and a more specific type (like EAP-TLS) is used to perform the authentication.
I just don't understand if a authentication process with a client -> authenticator -> authentication server, is supposed to pick one of the protocols or if they are somehow combined.
I am sure I am just getting it completely wrong and would like if someone just briefly explain what I am missing.
Thank you!
EAP is always carried by another protocol. The most common transports between the supplicant (the authenticating user's device) and the NAS (Network Access Server) are IEEE-802.1X EAPOL (EAP Over Lan), PPP (Point to Point Protocol), and IKEv2.
For the link between the NAS (also known at the authenticator in 802.1X parlance) and the RADIUS server, the EAP packets are fragmented on 253-byte boundaries and split into multiple EAP-Message attributes. How EAP is transported over RADIUS is defined by RFC3579.
The NAS will not usually snoop on the EAP conversation. For EAP methods providing privacy such as EAP-TLS, EAP-PEAP and EAP-TTLS, snooping will not be productive anyway, as a TLS tunnel will be established between the supplicant and RADIUS server.
When a NAS receives an EAP packet from the supplicant, it will strip off the encapsulation (EAPOL/PPP/IKEv2) and fragment the EAP data into 253-byte chunks. It will then insert the EAP data chunks into a RADIUS Access-Request packet as multiple EAP-Message attributes. The NAS will then send the RADIUS Access-Request packet to the RADIUS server.
The RADIUS server uses the presence of EAP-Message attributes as an indication that it should perform EAP authentication, just like it uses User-Password as a hint that it should perform PAP and CHAP-password as a hint that it should perform CHAP.
The RADIUS server will concatenate the EAP-Message attributes in the order they were received (which is why it's important that proxies not re-order EAP-Message attributes) and will pass the concatenated data off to the code that initialises the EAP state machine.
The EAP code will then formulate its response and encode it as an EAP packet, split that packet up into EAP-Message attributes, and send those attributes back to the NAS in a RADIUS Access-Challenge packet.
A State attribute will also be sent in the challenge. This State attribute will be included in the next Access-Request by the NAS. The state attribute allows the RADIUS server to restore EAP authentication state between multiple rounds of Access-Requests/Access-Challenges. It is usually used as a key into a store of ongoing EAP sessions.
When the NAS receives the Access-Challenge it will re-assemble the EAP-Message attributes, encapsulate the EAP data in EAPOL/PPP/IKEv2, and send the encapsulated data back to the supplicant.
Multiple rounds of Access-Request/Access-Challenge exchanges take place with the NAS acting as a translator.
When the RADIUS server has enough information to make a decision about accepting or rejecting a user, it will send back an EAP-Message containing an EAP-Success/EAP-Failure. The RADIUS server will send this EAP-Message back to the NAS in an Access-Accept or Accept-Reject packet. RFC3579 mandates that EAP-Successes be returned in Access-Accept packets, and EAP-Failures be returned in Access-Reject packets.
When keying material needs to be distributed to the NAS and the supplicant, the keying material for the NAS is provided in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key RADIUS attributes included in the Access-Accept. The supplicant will have received (or derived) the same keying material during the progression of the EAP method. How this keying material is derived differs between EAP methods.
When an Access-Accept packet is sent, it is common to include attributes that tell the NAS how to configure the session. For 802.1X/wireless environments common attributes returned to the NAS are Session-Timeout, which sets a maximum limit on session time, and Tunnel-Private-Group-ID et al (RFC4675), which specifies the untagged VLAN for a session.
In conclusion, RADIUS can be seen as a transport and control (for the NAS) protocol, and EAP can be seen as the actual authentication/authorization protocol running over the top of RADIUS.
Hope this helps!