EAP

With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism validates a remote access connection. The exact authentication scheme to be used is negotiated by the remote access client and the authenticator (either the remote access server or Internet Authentication Service (IAS) server). You can use EAP to support authentication schemes such as Generic Token Card, MD5-Challenge, Transport Level Security (TLS) for smart card support, and S/Key as well as any future authentication technologies.

EAP allows for an open-ended conversation between the remote access client and the authenticator. The conversation consists of authenticator requests for authentication information and the responses by the remote access client. For example, when EAP is used with security token cards, the authenticator can separately query the remote access client for a name, PIN, and card token value. As each query is asked and answered, the remote access client passes through another level of authentication. When all questions have been answered satisfactorily, the remote access client is authenticated.

A specific EAP authentication scheme is known as an EAP type. Both the remote access client and the authenticator must support the same EAP type for successful authentication to occur.

Windows 2000 includes an EAP infrastructure, two EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS).

EAP infrastructure

EAP in Windows 2000 is a set of internal components that provide architectural support for any EAP type in the form of a plug-in module. For successful authentication, both the remote access client and authenticator must have the same EAP authentication module installed. Windows 2000 provides two EAP types: EAP-MD5 CHAP and EAP-TLS. You can also install additional EAP types. The components for an EAP type must be installed on every remote access client and every authenticator.

EAP-MD5 CHAP

EAP-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP) is a required EAP type that uses the same challenge handshake protocol as PPP-based CHAP, but the challenges and responses are sent as EAP messages.

A typical use for EAP-MD5 CHAP is to authenticate the credentials of remote access clients by using user name and password security systems. You can also use EAP-MD5 CHAP to test EAP interoperability.
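The request/response conversation described above, and the MD5-Challenge round that EAP-MD5 CHAP adds to it, can be followed in code. The following is an added example, not code from this documentation or from Windows 2000: it encodes and decodes EAP packets using the RFC 2284 layout (Code, Identifier, Length, Type, Type-Data) and computes the MD5-Challenge response the way CHAP does (MD5 over Identifier, secret and challenge, per RFC 1994). The identity, password, challenge bytes and the user database are constructed sample values.

```python
"""EAP packet codec and a simulated EAP-MD5 Challenge exchange.

Added example (not from the original documentation): the packet layout
follows RFC 2284 (EAP) and the MD5-Challenge response follows RFC 1994
(CHAP). Names, the shared password and the challenge bytes are constructed.
"""
import hashlib
import hmac
import os
import struct

# EAP codes and the types named in the text (RFC 2284 registry values)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 3, 4
TYPE_GENERIC_TOKEN_CARD, TYPE_EAP_TLS = 6, 13


def encode(code, identifier, eap_type=None, type_data=b""):
    """Build one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def decode(packet):
    """Parse an EAP packet; returns (code, identifier, type, type_data)."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 4:
        raise ValueError("EAP Length field inconsistent with packet size")
    body = packet[4:length]          # bytes beyond Length are ignored
    if code in (SUCCESS, FAILURE):
        return code, identifier, None, b""
    if not body:
        raise ValueError("Request/Response packet carries no Type")
    return code, identifier, body[0], body[1:]


def md5_chap_response(identifier, secret, challenge):
    """CHAP/EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_challenge_request(identifier, challenge, name=b""):
    # Type-Data for MD5-Challenge: Value-Size(1) Value Name
    return encode(REQUEST, identifier, TYPE_MD5_CHALLENGE,
                  bytes([len(challenge)]) + challenge + name)


def parse_md5_challenge_data(type_data):
    """Split MD5-Challenge Type-Data into (value, name)."""
    size = type_data[0]
    if len(type_data) < 1 + size:
        raise ValueError("Value-Size exceeds Type-Data")
    return type_data[1:1 + size], type_data[1 + size:]


def run_exchange(client_name, client_secret, user_db, challenge=None):
    """Simulate the Request/Response rounds between authenticator and client.

    Returns the list of packets put on the wire and whether the client was
    authenticated. user_db maps identity -> secret known to the authenticator.
    """
    wire = []
    ident = 0
    # Round 1: the authenticator asks the client for its identity
    wire.append(encode(REQUEST, ident, TYPE_IDENTITY))
    wire.append(encode(RESPONSE, ident, TYPE_IDENTITY, client_name))
    _, _, _, identity = decode(wire[-1])
    # Round 2: the authenticator issues an MD5 challenge (constructed if none given)
    ident += 1
    challenge = challenge or os.urandom(16)
    wire.append(build_md5_challenge_request(ident, challenge, b"authenticator"))
    _, req_id, _, data = decode(wire[-1])
    value, _ = parse_md5_challenge_data(data)
    client_hash = md5_chap_response(req_id, client_secret, value)
    wire.append(encode(RESPONSE, req_id, TYPE_MD5_CHALLENGE,
                       bytes([len(client_hash)]) + client_hash + client_name))
    # The authenticator recomputes the response with its own copy of the secret
    _, resp_id, _, resp_data = decode(wire[-1])
    got, _ = parse_md5_challenge_data(resp_data)
    expected = md5_chap_response(resp_id, user_db.get(identity, b""), challenge)
    ok = (identity in user_db and resp_id == req_id
          and hmac.compare_digest(got, expected))
    # Round 3: Success or Failure ends the conversation
    wire.append(encode(SUCCESS if ok else FAILURE, resp_id))
    return wire, ok
```

Each round is one Request from the authenticator answered by one Response from the client with the same Identifier, which is what lets the authenticator match answers to questions when a type such as Generic Token Card needs several rounds. The final Success or Failure packet carries no Type field at all.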

EAP-TLS

EAP-Transport Level Security (EAP-TLS) is an EAP type that is used in certificate-based security environments. If you are using smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS exchange of messages provides mutual authentication, negotiation of the encryption method, and secured private key exchange between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key exchange method.

EAP-TLS is only supported on a remote access server running Windows 2000 that is a member of a Windows 2000 mixed-mode or native-mode domain. A remote access server running stand-alone Windows 2000 does not support EAP-TLS.

For information about configuring smart cards for remote access clients, see Using smart cards for remote access.

EAP-RADIUS

EAP-RADIUS is not an EAP type, but the passing of EAP messages of any EAP type by an authenticator to a RADIUS server for authentication. For example, for a remote access server that is configured for RADIUS authentication, the EAP messages sent between the remote access client and remote access server are encapsulated and formatted as RADIUS messages between the remote access server and the RADIUS server.

EAP-RADIUS is used in environments where RADIUS is used as the authentication provider. An advantage of using EAP-RADIUS is that EAP types do not need to be installed at each remote access server, only at the RADIUS server. In the case of an IAS server, you only need to install EAP types on the IAS server.

In a typical use of EAP-RADIUS, a Windows 2000 remote access server is configured to use EAP and to use an IAS server for authentication. When a connection is made, the remote access client negotiates the use of EAP with the remote access server. When the client sends an EAP message to the remote access server, the remote access server encapsulates the EAP message as a RADIUS message and sends it to its configured IAS server. The IAS server processes the EAP message and sends a RADIUS-encapsulated EAP message back to the remote access server. The remote access server then forwards the EAP message to the remote access client. In this configuration, the remote access server is only a pass-through device. All processing of EAP messages occurs at the remote access client and the IAS server.
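The encapsulation step in the exchange just described, in which the remote access server wraps an EAP message in a RADIUS message for the IAS server, can be shown concretely. The following is an added example, not code from this documentation, from Windows 2000 or from IAS: it builds a RADIUS Access-Request carrying the EAP packet in EAP-Message attributes (RFC 2869), splitting packets longer than 253 bytes across several attributes, and protects the packet with the Message-Authenticator attribute (HMAC-MD5 keyed with the RADIUS shared secret, as RFC 3579 requires when EAP-Message is present). The receiving side checks the authenticator and reassembles the EAP bytes. The shared secret, Request Authenticator and EAP payloads are constructed sample values.

```python
"""Wrapping an EAP message in a RADIUS Access-Request (EAP-RADIUS).

Added example, not code from the documentation or from Windows 2000/IAS.
Layout follows RFC 2865 (RADIUS) and RFC 2869/3579 (EAP-Message and
Message-Authenticator attributes). Secret and payloads are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_ATTR_VALUE = 253   # attribute Length is one byte and counts Type+Length


def attribute(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long; fragment it first")
    return bytes([attr_type, 2 + len(value)]) + value


def eap_message_attributes(eap_packet):
    """An EAP packet longer than 253 bytes is split across several EAP-Message
    attributes; the receiver concatenates them in order."""
    return b"".join(attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def build_access_request(identifier, request_authenticator, user_name,
                         eap_packet, secret):
    """What the remote access server sends to the RADIUS/IAS server."""
    attrs = attribute(ATTR_USER_NAME, user_name) + eap_message_attributes(eap_packet)
    # Message-Authenticator is HMAC-MD5 over the whole packet with its own
    # 16-byte value zeroed, so append it zeroed, compute, then fill it in.
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = (struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
              + request_authenticator)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return (type, value, value_offset) for each attribute after the header."""
    attrs = []
    length = struct.unpack("!H", packet[2:4])[0]
    if length > len(packet) or length < 20:
        raise ValueError("RADIUS Length inconsistent with packet size")
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l], pos + 2))
        pos += l
    return attrs


def verify_and_extract_eap(packet, secret):
    """What the RADIUS/IAS server does on receipt: check Message-Authenticator,
    then reassemble the EAP packet from the EAP-Message attributes.
    Returns the EAP bytes, or None if the integrity check fails."""
    attrs = parse_attributes(packet)
    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return None
    received, off = macs[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return None
    return b"".join(v for t, v, _ in attrs if t == ATTR_EAP_MESSAGE)
```

The remote access server never interprets the EAP bytes it carries; it only copies them into EAP-Message attributes on the way to the IAS server and copies the EAP-Message contents of the Access-Challenge, Access-Accept or Access-Reject back to the client, which is why the EAP type only has to be installed on the IAS server. The Message-Authenticator check is what stops an Access-Request with EAP-Message attributes from being altered in transit between the two servers.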

For more information about configuring a Windows 2000 remote access server for EAP-RADIUS, see To configure EAP-RADIUS.

Enabling EAP

To enable EAP-based authentication, you must do the following:

  1. Enable EAP as an authentication protocol on the remote access server. For more information, see To enable EAP.
  2. Enable EAP and, if needed, configure the EAP type on the appropriate remote access policy. For more information, see Introduction to remote access policies and To configure authentication.
  3. Enable and configure EAP on the remote access client running Windows 2000. For more information, see Extensible Authentication Protocol (EAP).
