EAP-PAX
=======

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the expansion of EAP-PAX?**

   **EAP-PAX** stands for **Extensible Authentication Protocol - Password-authenticated Exchange**. It is a password-based authentication protocol designed to provide secure mutual authentication and key exchange between a client and a server.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-PAX?**

   **EAP-PAX** is an authentication protocol within the **EAP (Extensible Authentication Protocol)** framework. It is designed to allow secure password-based authentication and secure key exchange for mutual authentication over potentially insecure networks.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-PAX useful?**

   * Provides **secure mutual authentication** without relying on certificates.
   * Enables **password-based authentication** with protection against man-in-the-middle attacks.
   * Suitable for **Wi-Fi networks** and **VPNs**, especially when certificates are not available.
   * Establishes a **shared secret key** (PMK) for encrypting the session, improving security.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How does it work?**

   1. The **client** sends an authentication request to the **server**.
   2. The **server** generates a random challenge and sends it to the client.
   3. The **client** hashes its password with the challenge and returns the response.
   4. The **server** verifies the response by applying the same hash function.
   5. If the verification is successful, both client and server derive a **shared secret key (PMK)**, which is used for securing further communication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-PAX used?**

   * **Wi-Fi networks** (e.g., WPA2 Enterprise) for secure wireless authentication.
   * **VPNs** for secure remote access.
   * **Enterprise networks** for password-based authentication without requiring certificates.
   * Environments where **RADIUS** servers are used for centralized authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   **EAP-PAX** operates at the **Application Layer (Layer 7)** of the OSI model. It defines the authentication process and relies on lower OSI layers (such as TCP/UDP) for transport.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-PAX Windows-specific?**

   No, **EAP-PAX** is **not Windows-specific**. It is platform-independent and works across various operating systems, including **Windows**, **Linux**, and **macOS**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-PAX Linux-specific?**

   No, **EAP-PAX** is **not Linux-specific**. It is supported across multiple platforms, including **Windows** and **macOS**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which transport protocol is used by EAP-PAX?**

   EAP-PAX typically uses **UDP** as the transport protocol, especially when integrated with **RADIUS** servers for authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which port is used by EAP-PAX?**

   When **EAP-PAX** is used with **RADIUS**, it generally operates over **UDP port 1812** for authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-PAX use the client-server model?**

   Yes, **EAP-PAX** uses the **client-server model**. The client sends an authentication request to the server, which challenges the client, verifies the response, and establishes a secure connection.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PAX protocol use certificates?**

   No, **EAP-PAX** does not require certificates. It uses password-based authentication, making it suitable for environments where certificates are not practical.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during connection for the EAP-PAX protocol?**

   **EAP-PAX** typically involves **four** frame exchanges:

   1. Client sends the initial authentication request.
   2. Server issues a challenge.
   3. Client responds to the challenge.
   4. Server verifies the response, and both parties derive a **PMK** for further encryption.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PAX protocol use client certificates?**

   No, **EAP-PAX** does not use client certificates. It relies on password-based mutual authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PAX protocol use server certificates?**

   No, **EAP-PAX** does not use server certificates. Authentication is based on password hashing and mutual challenge-response.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PAX protocol depend on TCP?**

   No, **EAP-PAX** does not rely on **TCP**. It typically uses **UDP** for transport, especially when integrated with RADIUS servers.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PAX protocol depend on UDP?**

   Yes, **EAP-PAX** uses **UDP** for transport, particularly in environments with RADIUS servers, which is the most common setup.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing the EAP-PAX protocol?**

   - **Client**: Initiates the authentication process by sending a request and responding to challenges.
   - **Server**: Issues challenges, verifies client responses, and authenticates the client.
   - **Administrator**: Configures the RADIUS server, ensuring proper protocol support and security measures.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PAX protocol work with the FreeRADIUS server on Linux?**

   Yes, **EAP-PAX** is compatible with **FreeRADIUS** on Linux for password-based authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PAX protocol work with the internal RADIUS server of hostapd?**

   Yes, **EAP-PAX** works with the **internal RADIUS server** of **hostapd**, providing secure password-based authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the RFC used for the EAP-PAX protocol?**

   **EAP-PAX** is specified in **RFC 5931** (Password Authenticated Exchange).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **During the connection procedure, which EAP packets are encrypted?**

   In **EAP-PAX**, the **challenge-response packets** are encrypted using the **PMK** (Pairwise Master Key) derived during authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you explain the different stages of the connection procedure for the EAP-PAX protocol?**

   1. **Authentication Request**: The client sends a request to the server.
   2. **Challenge**: The server generates a challenge and sends it to the client.
   3. **Response**: The client hashes the password with the challenge and sends it back.
   4. **Verification**: The server verifies the response and both parties derive a **shared secret key** (PMK) for secure communication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of the connection procedure?**

   The final output is the successful derivation of the **PMK** (Pairwise Master Key), which is used to secure further communication between the client and server.
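The four-stage challenge-response exchange described in "How does it work?" and in the "stages of the connection procedure" above, as an added, constructed example that is not part of this page and not an implementation of the EAP-PAX wire format from the RFC. The model drives the four messages between a ``Client`` and a ``Server`` object, verifies the response in constant time, and has both sides derive the same PMK only when the password matches. The use of HMAC-SHA256 as the "hash of password with challenge", the client nonce, the HMAC-based PMK derivation, and the server confirmation MAC in message 4 (which gives the client a way to check that the server also knew the password, the mutual authentication this page attributes to EAP-PAX) are all assumptions of this example, not details taken from the page or the RFC.

```python
"""Toy model of the page's four-message challenge-response exchange.

Constructed example: NOT the EAP-PAX wire format. HMAC-SHA256, the client
nonce, the PMK derivation and the server confirmation are assumptions.
"""
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 16  # assumption: 128-bit random challenge and client nonce
PMK_LEN = 32        # assumption: 256-bit PMK


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 keyed with the password over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_pmk(password: bytes, identity: bytes, challenge: bytes, nonce: bytes) -> bytes:
    """Assumed KDF: PMK = HMAC(password, "PMK" || identity || challenge || nonce)."""
    return mac(password, b"PMK", identity, challenge, nonce)[:PMK_LEN]


class Server:
    def __init__(self, credentials: dict):
        self.credentials = credentials  # identity -> password (constructed store)
        self.sessions = {}              # identity -> outstanding challenge

    def msg2_challenge(self, msg1: dict) -> dict:
        """Stage 2: issue a fresh random challenge (even for unknown identities,
        so the reply does not reveal which identities exist)."""
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.sessions[msg1["identity"]] = challenge
        return {"challenge": challenge}

    def msg4_verify(self, msg3: dict):
        """Stage 4: recompute the expected response; on success return the
        result message plus the server-side PMK, otherwise (failure, None)."""
        identity = msg3["identity"]
        challenge = self.sessions.pop(identity, None)
        password = self.credentials.get(identity)
        if challenge is None or password is None:
            return {"result": "failure"}, None
        expected = mac(password, b"client", identity, challenge, msg3["nonce"])
        if not hmac.compare_digest(expected, msg3["response"]):
            return {"result": "failure"}, None
        # Assumed server confirmation: proves the server knew the password too.
        confirm = mac(password, b"server", identity, challenge, msg3["nonce"])
        pmk = derive_pmk(password, identity, challenge, msg3["nonce"])
        return {"result": "success", "confirm": confirm}, pmk


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.identity, self.password = identity, password
        self.challenge = self.nonce = None

    def msg1_request(self) -> dict:
        """Stage 1: authentication request carrying the identity."""
        return {"identity": self.identity}

    def msg3_response(self, msg2: dict) -> dict:
        """Stage 3: MAC the challenge (and a fresh nonce) with the password."""
        self.challenge = msg2["challenge"]
        self.nonce = secrets.token_bytes(CHALLENGE_LEN)
        response = mac(self.password, b"client", self.identity, self.challenge, self.nonce)
        return {"identity": self.identity, "nonce": self.nonce, "response": response}

    def finish(self, msg4: dict):
        """Check the server confirmation and derive the PMK, or None on failure."""
        if msg4["result"] != "success":
            return None
        expected = mac(self.password, b"server", self.identity, self.challenge, self.nonce)
        if not hmac.compare_digest(expected, msg4["confirm"]):
            return None  # server could not prove knowledge of the password
        return derive_pmk(self.password, self.identity, self.challenge, self.nonce)


def run_exchange(client: Client, server: Server):
    """Drive the four messages; return (client_pmk, server_pmk), None on failure."""
    msg1 = client.msg1_request()
    msg2 = server.msg2_challenge(msg1)
    msg3 = client.msg3_response(msg2)
    msg4, server_pmk = server.msg4_verify(msg3)
    return client.finish(msg4), server_pmk


if __name__ == "__main__":
    db = {b"alice@example.com": b"correct horse battery staple"}  # constructed
    good = run_exchange(Client(b"alice@example.com", b"correct horse battery staple"), Server(db))
    print("correct password -> shared PMK:", good[0] is not None and good[0] == good[1])
    bad = run_exchange(Client(b"alice@example.com", b"wrong"), Server(db))
    print("wrong password   ->", bad)
```

The domain-separation labels (``b"client"`` / ``b"server"``) keep the client's response from being replayed back as a server confirmation, and ``hmac.compare_digest`` avoids a timing side channel on the verification step; both are choices of this example rather than statements about the protocol on the page.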
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generated after the connection procedure?**

   The key generated is a **Pairwise Master Key (PMK)**, which is derived from the password and the server's challenge. The key is a binary string that can be used for encryption.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is the PMK generated by the connection procedure used?**

   The **PMK** generated by the connection procedure is used for **encrypting** the data transmitted between the client and server, ensuring secure communication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section:

   * :ref:`Learnings in this section <EAP_PAX_step1>`
   * :ref:`Terminology <EAP_PAX_step2>`
   * :ref:`Version Info <EAP_PAX_step3>`
   * :ref:`EAP_PAX Version&IEEE Details <EAP_PAX_step5>`
   * :ref:`EAP_PAX FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_PAX_step18>`
   * :ref:`EAP_PAX FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_PAX_step19>`
   * :ref:`EAP_PAX Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_PAX_step20>`
   * :ref:`STEP 1: Bring up AP <EAP_PAX_step21>`
   * :ref:`STEP 2: Bring up STA <EAP_PAX_step22>`
   * :ref:`EAP_PAX Protocol Packet Details <EAP_PAX_step6>`
   * :ref:`EAP_PAX Usecases <EAP_PAX_step7>`
   * :ref:`EAP_PAX Basic Features <EAP_PAX_step8>`
   * :ref:`Reference links <EAP_PAX_step17>`

.. _EAP_PAX_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_PAX_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_PAX_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_PAX_step5:

.. tab-set::

   .. tab-item:: EAP_PAX Version&RFC Details

      * rfc details

.. _EAP_PAX_step20:

.. tab-set::

   .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

.. _EAP_PAX_step21:

.. tab-set::

   .. tab-item:: STEP 1: Bring up AP using hostapd

      .. csv-table::
         :file: ./EAP_PAX/eap_pax_ap_hostapd.csv
         :class: tight-table

.. _EAP_PAX_step22:

.. tab-set::

   .. tab-item:: STEP 2: Bring up STA

      .. csv-table::
         :file: ./EAP_PAX/eap_pax_sta_wpa_supplicant.csv
         :class: tight-table

.. tab-set::

   .. tab-item:: Wireshark Output

      * Download file to check wireshark output :download:`Packet capture in EAP_PAX `

.. _EAP_PAX_step19:

.. tab-set::

   .. tab-item:: EAP_PAX FreeRadius Basic Setup on Ubuntu (3 Machines)

      * setup

.. _EAP_PAX_step18:

.. tab-set::

   .. tab-item:: EAP_PAX FreeRadius Basic Setup on Ubuntu (2 Machines)

      * setup

.. _EAP_PAX_step6:

.. tab-set::

   .. tab-item:: EAP_PAX Protocol Packet Details

      * packet details

.. _EAP_PAX_step7:

.. tab-set::

   .. tab-item:: EAP_PAX Usecases

      * usecases

.. _EAP_PAX_step8:

.. tab-set::

   .. tab-item:: EAP_PAX Basic Features

      * features

.. _EAP_PAX_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links