EAP-TTLS-EAP-GTC
==================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-TTLS-EAP-GTC?**

    EAP-TTLS-EAP-GTC stands for Extensible Authentication Protocol - Tunneled Transport Layer Security - Extensible Authentication Protocol - Generic Token Card.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-TTLS-EAP-GTC?**

    It is an authentication protocol combining EAP-TTLS (which provides a secure TLS tunnel) with EAP-GTC as the inner authentication method. EAP-GTC allows transmission of arbitrary text-based tokens, such as one-time passwords or challenge-response data, inside the secure tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-TTLS-EAP-GTC useful?**

    - Enables secure authentication using token cards or password tokens without exposing credentials over the network.
    - Supports legacy authentication methods securely by tunneling them inside TLS.
    - Useful when client certificates are not deployed.
    - Flexible and extensible for various authentication tokens.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    1. A TLS tunnel is established between the client and the authentication server.
    2. Inside the tunnel, the server challenges the client using EAP-GTC.
    3. The client responds with the token (e.g., password, OTP).
    4. The server verifies the token and authenticates the client.
    5. Upon success, keys are generated for the secure session.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-TTLS-EAP-GTC used?**

    - Wireless enterprise networks.
    - VPNs requiring token-based authentication.
    - Environments needing flexible inner authentication methods with secure tunneling.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    - Application Layer (Layer 7).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-EAP-GTC Windows specific?**

    - No, it is platform independent.
    - Support varies depending on the supplicant implementation.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-EAP-GTC Linux specific?**

    - No, it is supported by Linux supplicants such as wpa_supplicant.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-TTLS-EAP-GTC?**

    - EAP over LAN (EAPOL) at Layer 2.
    - RADIUS (UDP) between the authenticator and the authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-TTLS-EAP-GTC?**

    - UDP port 1812 (RADIUS authentication).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-GTC use the client-server model?**

    - Yes, it involves a supplicant (client), an authenticator (e.g., AP), and an authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-EAP-GTC protocol use certificates?**

    - Server certificates are mandatory to establish the TLS tunnel.
    - Client certificates are typically not required.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-TTLS-EAP-GTC protocol?**

    - Multiple EAPOL frames for the TLS handshake and the inner EAP-GTC authentication.
    - Typically dozens of frames during a full authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-EAP-GTC protocol use client certificates?**

    - Generally no; authentication relies on tokens inside the tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-EAP-GTC protocol use server certificates?**

    - Yes, they are required for TLS tunnel establishment.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-EAP-GTC protocol depend on TCP?**

    - Not directly; EAP and EAPOL operate at lower layers.
    - RADIUS typically uses UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-EAP-GTC protocol depend on UDP?**

    - Yes, RADIUS messages are transported over UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-TTLS-EAP-GTC protocol?**

    - Client/Supplicant.
    - Authenticator (Access Point).
    - Authentication Server (e.g., FreeRADIUS).
    - Network analysis tools for capturing packets.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-EAP-GTC protocol work with a FreeRADIUS server on Linux?**

    - Yes, FreeRADIUS supports EAP-TTLS with inner EAP-GTC.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-EAP-GTC protocol work with the internal RADIUS server of hostapd?**

    - Limited support; external RADIUS servers such as FreeRADIUS are preferred.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFCs define the EAP-TTLS-EAP-GTC protocol?**

    - EAP-TTLS: RFC 5281.
    - EAP-GTC: RFC 3748 (EAP base); GTC is also defined in various drafts.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    - Inner authentication messages (EAP-GTC token exchanges) are encrypted.
    - TLS handshake messages start unencrypted but establish the tunnel security.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the different stages of the connection procedure for the EAP-TTLS-EAP-GTC protocol?**

    1. Establish the TLS tunnel between client and server.
    2. Inside the tunnel, perform EAP-GTC challenge/response token authentication.
    3. The server validates the token and confirms authentication.
    4. Generate the PMK for securing the wireless session.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    - Authentication success/failure status.
    - Pairwise Master Key (PMK) for securing wireless traffic.
    - Network access granted upon success.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    - 256-bit Pairwise Master Key (PMK).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    - In the 4-way handshake, to derive the temporal encryption keys.
    - To secure subsequent wireless communication between the client and the AP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section:

    * :ref:`Learnings in this section <EAP_TTLS_EAP_GTC_step1>`
    * :ref:`Terminology <EAP_TTLS_EAP_GTC_step2>`
    * :ref:`Version Info <EAP_TTLS_EAP_GTC_step3>`
    * :ref:`EAP_TTLS_EAP_GTC Version&IEEE Details <EAP_TTLS_EAP_GTC_step5>`
    * :ref:`EAP_TTLS_EAP_GTC FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_GTC_step18>`
    * :ref:`STEP 1: Bring up FreeRADIUS <EAP_TTLS_EAP_GTC_step23>`
    * :ref:`STEP 2: Bring up AP <EAP_TTLS_EAP_GTC_step21>`
    * :ref:`STEP 3: Bring up STA <EAP_TTLS_EAP_GTC_step22>`
    * :ref:`EAP_TTLS_EAP_GTC FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_TTLS_EAP_GTC_step19>`
    * :ref:`EAP_TTLS_EAP_GTC Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_GTC_step20>`
    * :ref:`EAP_TTLS_EAP_GTC Protocol Packet Details <EAP_TTLS_EAP_GTC_step6>`
    * :ref:`EAP_TTLS_EAP_GTC Usecases <EAP_TTLS_EAP_GTC_step7>`
    * :ref:`EAP_TTLS_EAP_GTC Basic Features <EAP_TTLS_EAP_GTC_step8>`
    * :ref:`Reference links <EAP_TTLS_EAP_GTC_step17>`

.. _EAP_TTLS_EAP_GTC_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_TTLS_EAP_GTC_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_TTLS_EAP_GTC_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_TTLS_EAP_GTC_step5:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_GTC Version&RFC Details

        * rfc details

.. _EAP_TTLS_EAP_GTC_step18:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_GTC FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TTLS_EAP_GTC_step23:

.. tab-set::

    .. tab-item:: STEP 1: Bring up FreeRADIUS

        .. csv-table::
            :file: ./EAP_TTLS_EAP_GTC/eap_ttls_eap_gtc_freeradius_server.csv
            :class: tight-table

.. _EAP_TTLS_EAP_GTC_step21:

.. tab-set::

    .. tab-item:: STEP 2: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_TTLS_EAP_GTC/eap_ttls_eap_gtc_ap_hostapd.csv
            :class: tight-table

.. _EAP_TTLS_EAP_GTC_step22:

.. tab-set::

    .. tab-item:: STEP 3: Bring up STA

        .. csv-table::
            :file: ./EAP_TTLS_EAP_GTC/eap_ttls_eap_gtc_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download file to check wireshark output :download:`Packet capture in EAP_TTLS_EAP_GTC`

.. _EAP_TTLS_EAP_GTC_step19:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_GTC FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_TTLS_EAP_GTC_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TTLS_EAP_GTC_step6:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_GTC Protocol Packet Details

        * packet details

.. _EAP_TTLS_EAP_GTC_step7:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_GTC Usecases

        * usecases

.. _EAP_TTLS_EAP_GTC_step8:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_GTC Basic Features

        * features

.. _EAP_TTLS_EAP_GTC_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
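The panels above answer which EAPOL frames of an EAP-TTLS/EAP-GTC exchange are encrypted and what the connection stages are; the following Python is an added example (not code from the original page or from any supplicant or RADIUS project) that makes the same point on the wire: it unwraps EAPOL -> EAP -> EAP-TTLS per the RFC 3748 and RFC 5281 header layouts, lists the TLS record types each frame carries, and labels each frame as tunnel setup (unencrypted TLS handshake) or encrypted inner authentication (TLS application data). All frames in `SAMPLE_FRAMES` are constructed by hand, not captured, and the function names are this example's own.

```python
# Added example (not from the original page): hand-built EAPOL / EAP-TTLS frames
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}   # RFC 3748
EAP_TYPE_TTLS = 21                                                       # RFC 5281
TLS_CONTENT = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}

def parse_eapol_ttls(frame: bytes) -> dict:
    _ver, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != 0:
        raise ValueError("not an EAPOL EAP-Packet")
    eap = frame[4:4 + body_len]
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODES[code], "id": ident, "records": []}
    if code in (3, 4):                          # Success/Failure carry no Type field
        return info
    if eap[4] != EAP_TYPE_TTLS:
        raise ValueError(f"EAP type {eap[4]} is not EAP-TTLS")
    flags = eap[5]                              # L=0x80 M=0x40 S=0x20, low 3 bits: version
    data = eap[(10 if flags & 0x80 else 6):length]  # L bit adds a 4-byte Message Length
    while len(data) >= 5:                       # walk the TLS records in this fragment
        ctype, _tls_ver, rlen = struct.unpack("!BHH", data[:5])
        info["records"].append(TLS_CONTENT.get(ctype, f"0x{ctype:02x}"))
        data = data[5 + rlen:]
    return info

def label(info: dict) -> str:
    # Inner EAP-GTC only ever appears as TLS ApplicationData once the tunnel is up.
    if info["code"] in ("Success", "Failure"):
        return "outer EAP result (cleartext)"
    if not info["records"]:
        return "TTLS start/ack (no TLS payload)"
    if all(r == "ApplicationData" for r in info["records"]):
        return "encrypted inner authentication (TLS application data)"
    return "TLS handshake (tunnel setup)"

def build_frame(code: int, ident: int, flags: int = 0, tls: bytes = b"") -> bytes:
    """Constructed helper: EAPOL(EAP-Packet) -> EAP -> EAP-TTLS(flags) -> TLS bytes."""
    eap = struct.pack("!BBHBB", code, ident, 6 + len(tls), EAP_TYPE_TTLS, flags) + tls
    return struct.pack("!BBH", 2, 0, len(eap)) + eap

def tls_record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

SAMPLE_FRAMES = [                                                  # constructed, not captured
    build_frame(1, 1, flags=0x20),                                 # server: EAP-TTLS/Start
    build_frame(2, 1, tls=tls_record(0x16, b"\x01" + bytes(40))),  # client: ClientHello
    build_frame(1, 5, tls=tls_record(0x17, b"\xaa" * 32)),         # server: inner GTC round
    struct.pack("!BBH", 2, 0, 4) + struct.pack("!BBH", 3, 6, 4),   # server: EAP-Success
]
```

Running `[label(parse_eapol_ttls(f)) for f in SAMPLE_FRAMES]` over a real EAPOL capture of the STA setup above would show the same pattern: handshake records first, then only application data until the final EAP-Success.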