Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS.
The Lightweight Extensible Authentication Protocol (LEAP) method was developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard.
LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and are easily compromised; an exploit tool called ASLEAP was released in early 2004 by Joshua Wright.
Cisco's current recommendation is to use newer and stronger EAP protocols such as EAP-FAST, PEAP, or EAP-TLS.
EAP-TLS is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software, although TLS provides strong security only as long as the user understands potential warnings about false credentials.[5]
There are client and server implementations of EAP-TLS in 3Com, Apple, Avaya, Brocade Communications, Cisco, Enterasys Networks, Fortinet, Foundry, Hirschmann, HP, Juniper, Microsoft, and open source operating systems.[6][7]
Some have identified this as having the potential to dramatically reduce adoption of EAP-TLS and prevent "open" but encrypted access points.[6][7]
On 22 August 2012 hostapd (and wpa_supplicant) added support in its Git repository for a UNAUTH-TLS vendor-specific EAP type (using the hostapd/wpa_supplicant project RFC 5612 Private Enterprise Number),[8] and on 25 February 2014 added support for the WFA-UNAUTH-TLS vendor-specific EAP type (using the Wi-Fi Alliance Private Enterprise Number),[9][10] both of which only do server authentication.[11]
The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off.
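The vendor-specific EAP types mentioned above (UNAUTH-TLS, WFA-UNAUTH-TLS) travel in RFC 3748's Expanded Type (Type 254), which carries a 3-octet Vendor-Id and a 4-octet Vendor-Type before the method data. The following parser and builder, added here as an example and not code from the article or from hostapd/wpa_supplicant, shows that framing alongside the ordinary one-octet method types, and treats the wire Length field as untrusted input. The vendor ID in the sample packet is a constructed placeholder, not the real hostapd or Wi-Fi Alliance Private Enterprise Number, and all sample packets are constructed rather than captured.

```python
"""Minimal parser/builder for EAP packets (RFC 3748 framing, incl. Expanded Types).

Added example, not code from the Wikipedia article or from hostapd/wpa_supplicant.
The vendor ID used in the sample below is a constructed placeholder, not the real
hostapd or Wi-Fi Alliance Private Enterprise Number.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA-registered method types for the methods discussed on the page.
EAP_TYPES = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
    13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA",
    25: "PEAP", 43: "EAP-FAST", 55: "TEAP", 254: "Expanded",
}
EXPANDED = 254
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int] = None
    vendor_id: Optional[int] = None     # only for Type 254
    vendor_type: Optional[int] = None   # only for Type 254
    data: bytes = b""

    @property
    def code_name(self) -> str:
        return EAP_CODES[self.code]

    @property
    def type_name(self) -> Optional[str]:
        if self.type is None:
            return None
        if self.type == EXPANDED:
            return f"Expanded(vendor=0x{self.vendor_id:06x}, type={self.vendor_type})"
        return EAP_TYPES.get(self.type, f"Type-{self.type}")


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet; every length is checked before it is trusted."""
    if len(buf) < HEADER.size:
        raise ValueError("short EAP header")
    code, ident, length = HEADER.unpack_from(buf)
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    # The Length field arrives from the network: it must never exceed the bytes
    # actually received, and never be shorter than the header itself.
    if length < HEADER.size or length > len(buf):
        raise ValueError(f"bad Length field {length} for {len(buf)}-byte buffer")
    pkt = EapPacket(code, ident, length)
    body = buf[HEADER.size:length]          # bytes beyond Length are ignored
    if code in (3, 4):                      # Success/Failure carry no Type octet
        return pkt
    if not body:
        raise ValueError("Request/Response without Type octet")
    pkt.type = body[0]
    rest = body[1:]
    if pkt.type == EXPANDED:
        # Type 254: 3-octet Vendor-Id, 4-octet Vendor-Type, then Vendor data.
        if len(rest) < 7:
            raise ValueError("truncated Expanded Type header")
        pkt.vendor_id = int.from_bytes(rest[:3], "big")
        pkt.vendor_type = int.from_bytes(rest[3:7], "big")
        rest = rest[7:]
    pkt.data = rest
    return pkt


def build_eap(code, identifier, eap_type=None, data=b"",
              vendor_id=None, vendor_type=None) -> bytes:
    """Serialise an EAP packet; Length is computed, never taken from the caller."""
    body = b""
    if eap_type is not None:
        body += bytes([eap_type])
        if eap_type == EXPANDED:
            body += vendor_id.to_bytes(3, "big") + vendor_type.to_bytes(4, "big")
    body += data
    return HEADER.pack(code, identifier, HEADER.size + len(body)) + body


# Constructed sample traffic (not captured from any real network).
IDENTITY_REQUEST = build_eap(1, 1, 1)
TLS_START = build_eap(1, 2, 13, b"\x20")                  # EAP-TLS Start (S flag set)
VENDOR_REQUEST = build_eap(1, 3, EXPANDED, b"\x20",
                           vendor_id=0x123456, vendor_type=1)  # placeholder PEN
TRUNCATED = b"\x01\x04\x00\xff\x0d"                       # Length claims 255 bytes, 5 present
SUCCESS = build_eap(3, 4)

if __name__ == "__main__":
    for raw in (IDENTITY_REQUEST, TLS_START, VENDOR_REQUEST, SUCCESS):
        p = parse_eap(raw)
        print(p.code_name, p.identifier, p.type_name, p.data.hex())
    try:
        parse_eap(TRUNCATED)
    except ValueError as exc:
        print("rejected:", exc)
```

The Length check is the part a reviewer should look for first in any EAP implementation: a supplicant or authenticator that slices on the advertised Length without comparing it to the received buffer reads past the packet, and an Expanded Type header shorter than seven octets must be rejected rather than zero-filled.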
EAP-MD5 offers minimal security: the MD5 hash function is vulnerable to dictionary attacks, and the method does not support key generation, which makes it unsuitable for use with dynamic WEP or WPA/WPA2 enterprise.[14]
EAP Protected One-Time Password (EAP-POTP), described in RFC 4793, is an EAP method developed by RSA Laboratories that uses one-time password (OTP) tokens, such as a handheld hardware device or a hardware or software module running on a personal computer, to generate authentication keys.
EAP-POTP can be used to provide unilateral or mutual authentication and key material in protocols that use EAP.
EAP-PSK, documented in an experimental RFC, is a lightweight and extensible EAP method that does not require any public-key cryptography.
Supporting TTLS on these platforms requires third-party Encryption Control Protocol (ECP) certified software.
Flexible Authentication via Secure Tunneling (EAP-FAST; RFC 4851) is a protocol proposal by Cisco Systems as a replacement for LEAP.
This is a requirement in RFC 4851 sec. 7.4.4, so if a new user logs on to the network from a device, a new PAC file must be provisioned first.
Cisco supplies an EAP-FAST module[25] for Windows Vista[26] and later operating systems, which have an extensible EAPHost architecture for new authentication methods and supplicants.[27]
Tunnel Extensible Authentication Protocol (TEAP; RFC 7170) is a tunnel-based EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) protocol to establish a mutually authenticated tunnel.
GSM cellular networks use a subscriber identity module card to carry out user authentication.
In EAP-SIM the communication between the SIM card and the Authentication Centre (AuC) replaces the need for a pre-established password between the client and the AAA server.
EAP-GTC carries a text challenge from the authentication server, and a reply generated by a security token.
Authentication in EAP-NOOB is based on a user-assisted out-of-band (OOB) channel between the server and peer.
EAP-NOOB supports many types of OOB channels, such as QR codes, NFC tags and audio, and unlike other EAP methods, the protocol's security has been verified by formal modeling of the specification with the ProVerif and mCRL2 tools.[29]
EAP-NOOB performs an Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) exchange over the in-band EAP channel.
Users can transfer the OOB message from the peer to the server when, for example, the device is a smart TV that can show a QR code.
Alternatively, users can transfer the OOB message from the server to the peer when, for example, the device being bootstrapped is a camera that can only read a QR code.[36]
When EAP is invoked by an 802.1X-enabled Network Access Server (NAS) device, such as an IEEE 802.11i-2004 Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pairwise Master Key, PMK) between the client and NAS, which can then be used for a wireless encryption session using TKIP or CCMP (AES-based) encryption.
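The PMK negotiated by the EAP method is not used directly as the air-interface key: the 802.11i 4-way handshake expands it, together with both MAC addresses and both nonces, into the Pairwise Transient Key (PTK) whose parts protect the handshake itself and the TKIP or CCMP session. The following standard-library Python is an added example, not code from the article, implementing the 802.11i PRF-n and that expansion; the PMK value, MAC addresses and nonces are constructed for illustration, and the EAPOL-Key MIC helper assumes Key Descriptor Version 2 (HMAC-SHA1-128) with the MIC field already zeroed by the caller.

```python
"""802.11i pairwise key derivation from the EAP-negotiated PMK (IEEE 802.11i PRF-n).

Added example, not code from the Wikipedia article; MAC addresses, nonces and the
PMK below are constructed for illustration.
"""
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"
PTK_BITS = {"CCMP": 384, "TKIP": 512}   # PRF-384 for CCMP, PRF-512 for TKIP


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    and truncate to nbits (a multiple of 8)."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """Expand the 256-bit PMK into the PTK using both MAC addresses and both nonces.
    Min/Max ordering makes the result the same whichever side computes it."""
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses are 6 octets")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces are 32 octets")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, LABEL, data, PTK_BITS[cipher])
    return {
        "KCK": ptk[:16],     # EAPOL-Key Confirmation Key: MICs the handshake frames
        "KEK": ptk[16:32],   # EAPOL-Key Encryption Key: wraps the group key in message 3
        "TK": ptk[32:],      # Temporal Key: 16 B for CCMP, 32 B for TKIP (incl. MIC keys)
        "PTK": ptk,
    }


def eapol_key_mic(kck: bytes, eapol_key_frame: bytes) -> bytes:
    """EAPOL-Key MIC for Key Descriptor Version 2 (HMAC-SHA1 truncated to 128 bits).
    The caller passes the frame with its 16-byte Key MIC field zeroed."""
    return hmac.new(kck, eapol_key_frame, hashlib.sha1).digest()[:16]


if __name__ == "__main__":
    # Constructed stand-in for the PMK (in a real session: the first 256 bits of the EAP MSK).
    pmk = hashlib.sha256(b"constructed-PMK-seed").digest()
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = os.urandom(32), os.urandom(32)
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    for name in ("KCK", "KEK", "TK"):
        print(name, keys[name].hex())
```

Two properties worth noting from the derivation: the nonces are what make a fresh PTK per association even when the PMK is reused (for example via PMK caching), and the KCK never leaves the handshake, so a MIC that verifies on message 2 is the authenticator's proof that the supplicant holds the same PMK that EAP delivered to it.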
PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.