Editing Extensible Authentication Protocol (section)
==Encapsulation==
EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to [[Encapsulation (networking)|encapsulate]] EAP messages within that protocol's messages.<ref>{{cite book | doi=10.1007/0-387-23483-7_189 | chapter=HTTPS, Secure HTTPS | title=Encyclopedia of Cryptography and Security | date=2005 | last1=Pedersen | first1=Torben | pages=268–269 | isbn=978-0-387-23473-1 }}</ref><ref>{{Citation|last=Plumb, Michelle |title=CAPPS : HTTPS Networking|oclc=944514826}}</ref>

===IEEE 802.1X===
{{Main|IEEE 802.1X}}
The encapsulation of EAP over [[IEEE 802]] is defined in [[IEEE 802.1X]] and known as "EAP over LANs" or EAPOL.<ref>{{cite IETF|rfc=3748|title=Extensible Authentication Protocol (EAP)|section=3.3|sectionname=EAP Usage Within IEEE 802}}</ref><ref>{{cite IETF|rfc=3748|title=Extensible Authentication Protocol (EAP)|section=7.12|sectionname=Link Layer}}</ref><ref>IEEE 802.1X-2001, § 7</ref> EAPOL was originally designed for [[IEEE 802.3]] Ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as [[IEEE 802.11]] wireless and [[Fiber Distributed Data Interface]] (ANSI X3T9.5/X3T12, adopted as ISO 9314) in 802.1X-2004.<ref>IEEE 802.1X-2004, § 3.2.2</ref> The EAPOL protocol was also modified for use with [[IEEE 802.1AE]] (MACsec) and [[IEEE 802.1#802.1AR|IEEE 802.1AR]] (Initial Device Identity, IDevID) in 802.1X-2010.<ref>IEEE 802.1X-2010, § 5</ref>

When EAP is invoked by an 802.1X enabled [[Network Access Server]] (NAS) device such as an [[IEEE 802.11i-2004]] Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pair-wise Master Key, PMK) between the client and NAS which can then be used for a wireless encryption session utilizing [[Temporal Key Integrity Protocol|TKIP]] or [[CCMP (cryptography)|CCMP]] (based on [[Advanced Encryption Standard|AES]]) encryption.
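The Ethernet, EAPOL and EAP nesting described above, as an added example that is not part of the article or of any 802.1X implementation: a Python parser that unwraps an EAPOL frame into its EAP packet and rejects frames whose EAPOL body length and EAP length disagree, which is the check a NAS or a passive 802.1X monitor needs before trusting the packet. The sample frame and the function name `parse_eapol_eap` are constructed for this example.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_TYPE_EAP_PACKET = 0  # EAPOL packet type 0 carries an EAP packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eapol_eap(frame: bytes) -> dict:
    """Unwrap Ethernet -> EAPOL -> EAP and validate every length field.

    Raises ValueError on anything inconsistent; a NAS or a passive 802.1X
    monitor should drop such frames rather than guess at their contents.
    """
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated: declared %d, got %d" % (body_len, len(body)))
    if ptype != EAPOL_TYPE_EAP_PACKET:  # EAPOL-Start, -Logoff, -Key carry no EAP
        return {"eapol_version": version, "eapol_type": ptype, "eap": None}
    if body_len < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:  # EAP Length counts its own 4-byte header
        raise ValueError("EAP length %d inconsistent with EAPOL body %d" % (eap_len, body_len))
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": eap_len}
    if code in (1, 2):  # only Request/Response carry a Type byte and type-data
        if eap_len < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap["type"] = EAP_TYPES.get(body[4], body[4])
        eap["type_data"] = bytes(body[5:eap_len])
    return {"eapol_version": version, "eapol_type": ptype, "eap": eap}


# Constructed sample: EAP-Request/Identity (id 1) sent by an authenticator to the
# 802.1X PAE group address 01:80:c2:00:00:03, EAPOL version 2, from a made-up MAC.
SAMPLE_FRAME = (bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455")
                + struct.pack("!H", EAPOL_ETHERTYPE)
                + struct.pack("!BBH", 2, 0, 5)       # EAPOL: version 2, EAP-Packet, len 5
                + struct.pack("!BBHB", 1, 1, 5, 1))  # EAP: Request, id 1, len 5, Identity
```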
===PEAP===
{{Main|Protected Extensible Authentication Protocol}}
The [[Protected Extensible Authentication Protocol]], also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated [[Transport Layer Security]] (TLS) [[tunneling protocol|tunnel]].<ref>{{cite IETF|draft=draft-kamath-pppext-peapv0-00|title=Microsoft's PEAP version 0 (Implementation in Windows XP SP1)|section=1.1|sectionname=EAP encapsulation}}</ref><ref name="peapv2-10_abstract">{{Cite IETF|title=Protected EAP Protocol (PEAP) Version 2|draft=draft-josefsson-pppext-eap-tls-eap-10|section=Abstract|nosec=yes}}</ref><ref>{{cite IETF|title=Protected EAP Protocol (PEAP) Version 2|draft=draft-josefsson-pppext-eap-tls-eap-10|section=1|sectionname=Introduction}}</ref> The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.<ref>{{cite IETF|title=Protected EAP Protocol (PEAP) Version 2|draft=draft-josefsson-pppext-eap-tls-eap-07|section=1|sectionname=Introduction}}</ref> PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security. PEAPv0 was the version included with [[Microsoft]] [[Windows XP]] and was nominally defined in [http://tools.ietf.org/html/draft-kamath-pppext-peapv0-00 draft-kamath-pppext-peapv0-00]. PEAPv1 and PEAPv2 were defined in different versions of ''draft-josefsson-pppext-eap-tls-eap''.
PEAPv1 was defined in [http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-00 draft-josefsson-pppext-eap-tls-eap-00] through [http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-05 draft-josefsson-pppext-eap-tls-eap-05],<ref>{{cite IETF|title=Protected EAP Protocol (PEAP)|draft=draft-josefsson-pppext-eap-tls-eap-05|section=2.3}}</ref> and PEAPv2 was defined in versions beginning with [http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-06 draft-josefsson-pppext-eap-tls-eap-06].<ref>{{cite IETF|title=Protected EAP Protocol (PEAP)|draft=draft-josefsson-pppext-eap-tls-eap-06|section=2.3|sectionname=Version negotiation}}</ref> The protocol only specifies chaining multiple EAP mechanisms and not any specific method.<ref name="peapv2-10_abstract"/><ref>{{cite IETF|title=Protected EAP Protocol (PEAP) Version 2|draft=draft-josefsson-pppext-eap-tls-eap-10|page=11|sectionname=Protocol Overview}}</ref> The [[EAP-MSCHAPv2]] and [[EAP-GTC]] methods are the most commonly supported inner methods.{{Citation needed|date=April 2010}}

===RADIUS and Diameter===
{{Main|RADIUS|Diameter (protocol)}}
Both the [[RADIUS]] and [[Diameter (protocol)|Diameter]] [[AAA protocol]]s can encapsulate EAP messages. They are often used by [[Network Access Server]] (NAS) devices to forward EAP packets between IEEE 802.1X endpoints and AAA servers to facilitate IEEE 802.1X.

===PANA===
{{Main|Protocol for Carrying Authentication for Network Access}}
The [[Protocol for Carrying Authentication for Network Access]] (PANA) is an IP-based protocol that allows a device to authenticate itself with a network to be granted access. PANA does not define any new authentication protocol, key distribution, key agreement or key derivation protocols; for these purposes EAP is used, and PANA carries the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
===PPP===
{{Main|Point-to-Point Protocol}}
EAP was originally an authentication extension for the [[Point-to-Point Protocol]] (PPP). PPP has supported EAP since EAP was created as an alternative to the [[Challenge-Handshake Authentication Protocol]] (CHAP) and the [[Password Authentication Protocol]] (PAP), which were eventually incorporated into EAP. The EAP extension to PPP was first defined in {{IETF RFC|2284}}, now obsoleted by {{IETF RFC|3748}}.