EAP-PEAP/OTP
============

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the expansion of EAP-PEAP/OTP?**

   EAP-PEAP/OTP stands for Extensible Authentication Protocol – Protected Extensible Authentication Protocol with One-Time Password as the inner authentication method.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-PEAP/OTP?**

   EAP-PEAP/OTP is an authentication protocol in which EAP is encapsulated within a secure TLS tunnel and a One-Time Password (OTP) method is used inside the tunnel for user authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-PEAP/OTP useful?**

   * Protects OTP credentials using TLS encryption.
   * Avoids exposing the OTP to eavesdroppers.
   * The server certificate lets the client verify that it is talking to a trusted server.
   * Suitable for two-factor authentication setups.
   * Flexible and widely supported.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How does it work?**

   * Phase 1: A TLS tunnel is established using the server certificate.
   * Phase 2: The client sends the OTP credential inside the encrypted tunnel.
   * The server validates the OTP using a backend (e.g., RADIUS with an OTP module).
   * On success, session keys are derived for secure communication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-PEAP/OTP used?**

   * Enterprise Wi-Fi networks requiring strong authentication.
   * VPN access with time-based or counter-based OTP (TOTP/HOTP).
   * Environments with MFA/2FA policies that use OTPs.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   * Application Layer (Layer 7).
   * EAP is encapsulated within TLS and transmitted over the network transport.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-PEAP/OTP Windows specific?**

   * No, it is platform-independent.
   * Windows can support OTP-based PEAP with an appropriate RADIUS server configuration.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-PEAP/OTP Linux specific?**

   * No, it is supported on Linux using tools such as ``wpa_supplicant`` and ``FreeRADIUS`` with OTP modules (e.g., Google Authenticator, OPIE).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which transport protocol is used by EAP-PEAP/OTP?**

   * EAP over:

     * EAPOL (Ethernet)
     * RADIUS (UDP)
     * Diameter (TCP/SCTP)

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which port is used by EAP-PEAP/OTP?**

   * RADIUS: UDP port 1812
   * Diameter: TCP port 3868

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-PEAP/OTP use a client-server model?**

   * Yes.
   * The client (supplicant) communicates with the authentication server via the authenticator.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP/OTP protocol use certificates?**

   * Yes, a server certificate is mandatory to establish the TLS tunnel.
   * Client certificates are not required for OTP authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during connection for the EAP-PEAP/OTP protocol?**

   * Around 10–12 EAP message exchanges, depending on the TLS handshake and the OTP exchange.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP/OTP protocol use client certificates?**

   * No, OTP-based authentication does not require client certificates.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP/OTP protocol use server certificates?**

   * Yes, a valid server certificate is required to establish the TLS tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP/OTP protocol depend on TCP?**

   * Indirectly, if Diameter is used as the backend.
   * EAP and PEAP themselves are transport agnostic.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP/OTP protocol depend on UDP?**

   * Yes, it commonly uses RADIUS over UDP.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing the EAP-PEAP/OTP protocol?**

   * Supplicant (client)
   * Authenticator (e.g., Access Point)
   * Authentication Server (e.g., FreeRADIUS with an OTP module)
   * Certificate Authority (for the server certificate)

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP/OTP protocol work with the FreeRADIUS server on Linux?**

   * Yes, FreeRADIUS supports EAP-PEAP and can integrate with OTP plugins.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP/OTP protocol work with the internal RADIUS server of hostapd?**

   * No, hostapd's internal RADIUS server lacks full support for EAP-PEAP and OTP methods.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the RFC version used for the EAP-PEAP/OTP protocol?**

   * PEAP is defined in drafts (e.g., draft-kamath-pppext-peapv0).
   * OTP mechanisms follow RFC 2289 (OPIE) or proprietary implementations (e.g., TOTP via RFC 6238).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **During the connection procedure, which EAPOL packets are encrypted?**

   * EAPOL packets are not encrypted by themselves.
   * The inner OTP authentication is encrypted inside the TLS tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you explain the different stages of the connection procedure for the EAP-PEAP/OTP protocol?**

   * The client sends its EAP identity.
   * The server initiates the TLS handshake.
   * The TLS tunnel is established using the server certificate.
   * The client submits the OTP inside the TLS tunnel.
   * The server validates the OTP using a backend (e.g., RADIUS + Google Authenticator).
   * If successful, EAP-Success is sent and session keys are derived.
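The phase 2 steps listed above (OTP submitted inside the tunnel, validated by the backend, session keys derived only on EAP-Success) and the MSK/EMSK output described in the following panels, modelled in Python as an added example. This is not code from this page, from FreeRADIUS or from any OTP module. It assumes details the page does not state: that the inner OTP is RFC 6238 TOTP (SHA-1, 6 digits, 30 s step), that the tunnel negotiated TLS 1.2 so the TLS 1.2 PRF applies, and that the key export uses the EAP-TLS label ``client EAP encryption`` that PEAPv0 reuses. The user name, the TOTP secret (the RFC 6238 test key) and the TLS values are constructed sample data. The backend also records the last accepted counter per user, so a code observed in transit cannot be resubmitted within the clock-skew window.

```python
"""Server side of EAP-PEAP/OTP phase 2 plus key export (added example).

Assumed, not taken from the page: RFC 6238 TOTP as the inner OTP method and a
TLS 1.2 tunnel, so MSK/EMSK come from the TLS 1.2 PRF with the EAP-TLS label.
"""
import hashlib
import hmac
import struct

TOTP_STEP = 30        # seconds per counter step (RFC 6238 default)
TOTP_DIGITS = 6
OTP_WINDOW = 1        # accept counter-1 .. counter+1 to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int) -> int:
    """RFC 6238: the moving factor is the number of whole time steps elapsed."""
    return unix_time // TOTP_STEP


class OtpBackend:
    """What the RADIUS OTP module does with the code received inside the tunnel."""

    def __init__(self, users):
        self.users = users          # user name -> shared TOTP secret (bytes)
        self.last_counter = {}      # user name -> highest counter already consumed

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.users.get(user)
        if secret is None or not (code.isascii() and code.isdigit()):
            return False
        base = totp_counter(now)
        for counter in range(base - OTP_WINDOW, base + OTP_WINDOW + 1):
            # Replay guard: each counter value is accepted at most once per user,
            # so a code seen in transit cannot be reused even inside the window.
            if counter <= self.last_counter.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter
                return True
        return False


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 PRF: P_SHA256(secret, label + seed) expanded to `length` bytes."""
    seed = label + seed
    out, a = b"", seed                                              # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]


def derive_msk_emsk(master_secret: bytes, client_random: bytes, server_random: bytes):
    """EAP-TLS style export (RFC 5216 section 2.3) reused by PEAPv0:
    128 bytes of key material, MSK = first 64 bytes, EMSK = next 64 bytes."""
    km = tls12_prf(master_secret, b"client EAP encryption",
                   client_random + server_random, 128)
    return km[:64], km[64:]


def peap_phase2(backend: OtpBackend, user: str, code: str, now: int,
                master_secret: bytes, client_random: bytes, server_random: bytes):
    """Returns (MSK, EMSK) on EAP-Success; None on EAP-Failure, when no keys are exported."""
    if not backend.verify(user, code, now):
        return None
    return derive_msk_emsk(master_secret, client_random, server_random)


# Constructed sample data: the RFC 6238 test key and fixed TLS values, not real secrets.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_MASTER_SECRET = bytes(48)
SAMPLE_CLIENT_RANDOM = bytes(range(32))
SAMPLE_SERVER_RANDOM = bytes(range(32, 64))


if __name__ == "__main__":
    backend = OtpBackend({"alice": SAMPLE_SECRET})
    now = 59                                   # constructed timestamp (counter 1)
    code = hotp(SAMPLE_SECRET, totp_counter(now))
    keys = peap_phase2(backend, "alice", code, now, SAMPLE_MASTER_SECRET,
                       SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    print("EAP-Success" if keys else "EAP-Failure",
          "MSK/EMSK bytes:", keys and (len(keys[0]), len(keys[1])))
    # Submitting the same code again is rejected by the replay guard.
    print("replay:", backend.verify("alice", code, now))
```

Running the block prints EAP-Success with two 64-byte keys, then ``replay: False``. The point a practitioner should take from it is that the MSK only exists after the backend accepted the OTP: a wrong, expired or reused code ends in EAP-Failure and nothing is handed to the authenticator for the 4-way handshake.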
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of the connection procedure?**

   * Generation of the Master Session Key (MSK) and Extended MSK (EMSK).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generated after the connection procedure?**

   * MSK: 64 bytes (512 bits)
   * EMSK: 64

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section:

   * :ref:`Learnings in this section <EAP_PEAP_OTP_step1>`
   * :ref:`Terminology <EAP_PEAP_OTP_step2>`
   * :ref:`Version Info <EAP_PEAP_OTP_step3>`
   * :ref:`EAP_PEAP_OTP Version&IEEE Details <EAP_PEAP_OTP_step5>`
   * :ref:`EAP_PEAP_OTP FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_OTP_step18>`
   * :ref:`EAP_PEAP_OTP FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_PEAP_OTP_step19>`
   * :ref:`EAP_PEAP_OTP Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_OTP_step20>`
   * :ref:`EAP_PEAP_OTP Protocol Packet Details <EAP_PEAP_OTP_step6>`
   * :ref:`EAP_PEAP_OTP Usecases <EAP_PEAP_OTP_step7>`
   * :ref:`EAP_PEAP_OTP Basic Features <EAP_PEAP_OTP_step8>`
   * :ref:`Reference links <EAP_PEAP_OTP_step17>`

.. _EAP_PEAP_OTP_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_PEAP_OTP_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_PEAP_OTP_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_PEAP_OTP_step5:

.. tab-set::

   .. tab-item:: EAP_PEAP_OTP Version&RFC Details

      * rfc details

.. _EAP_PEAP_OTP_step18:

.. tab-set::

   .. tab-item:: EAP_PEAP_OTP FreeRadius Basic Setup on Ubuntu (2 Machines)

      * setup

.. _EAP_PEAP_OTP_step19:

.. tab-set::

   .. tab-item:: EAP_PEAP_OTP FreeRadius Basic Setup on Ubuntu (3 Machines)

      * setup

.. _EAP_PEAP_OTP_step20:

.. tab-set::

   .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

      * setup

.. _EAP_PEAP_OTP_step6:

.. tab-set::

   .. tab-item:: EAP_PEAP_OTP Protocol Packet Details

      * packet details

.. _EAP_PEAP_OTP_step7:

.. tab-set::

   .. tab-item:: EAP_PEAP_OTP Usecases

      * usecases

.. _EAP_PEAP_OTP_step8:

.. tab-set::

   .. tab-item:: EAP_PEAP_OTP Basic Features

      * features
.. _EAP_PEAP_OTP_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links