EAP-TTLS/EAP-OTP
====================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-TTLS/EAP-OTP?**

    EAP-TTLS/OTP stands for Extensible Authentication Protocol – Tunneled Transport Layer Security with One-Time Password as the inner authentication method.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-TTLS/EAP-OTP?**

    EAP-TTLS/OTP is an authentication method that establishes a secure TLS tunnel between the client and server using EAP-TTLS and then uses a One-Time Password (OTP) mechanism for client authentication within that tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-TTLS/EAP-OTP useful?**

    * Encrypts OTP credentials inside the TLS tunnel.
    * Only a server certificate is required.
    * Supports flexible inner authentication methods.
    * Suitable for legacy systems and multi-factor authentication.
    * Reduces the need for client-side certificate management.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * A TLS tunnel is established between client and server using the server certificate.
    * Inside the tunnel, the client sends OTP credentials (e.g., time-based or token-generated).
    * The server validates the OTP via a backend.
    * On success, session keys are derived and access is granted.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-TTLS/EAP-OTP used?**

    * Enterprise Wi-Fi networks.
    * Secure remote access (VPNs).
    * Authentication systems using software or hardware OTP tokens (e.g., Google Authenticator, RSA SecurID).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * Application Layer (Layer 7).
    * Runs on top of EAP, which is encapsulated in lower-layer protocols.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS/EAP-OTP Windows-specific?**

    * No, it is platform-independent.
    * Support may require third-party supplicants on Windows (e.g., SecureW2, Cisco AnyConnect).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS/EAP-OTP Linux-specific?**

    * No, it is supported on Linux using tools like ``wpa_supplicant`` and ``FreeRADIUS``.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-TTLS/EAP-OTP?**

    * EAP over:

      * EAPOL (Ethernet)
      * RADIUS (UDP)
      * Diameter (TCP/SCTP)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-TTLS/EAP-OTP?**

    * RADIUS: UDP port 1812
    * Diameter: TCP port 3868

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS/EAP-OTP use the client-server model?**

    * Yes.
    * The client (supplicant) and the Authentication Server communicate via an Authenticator (e.g., Access Point or switch).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS/EAP-OTP protocol use certificates?**

    * Yes, a server certificate is required.
    * A client certificate is not required for OTP authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-TTLS/EAP-OTP protocol?**

    * Typically 10–12 EAP messages, depending on the TLS handshake and the OTP exchange.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS/EAP-OTP protocol use client certificates?**

    * No, the OTP method does not require client certificates.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS/EAP-OTP protocol use server certificates?**

    * Yes, a valid server certificate is essential to initiate the TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS/EAP-OTP protocol depend on TCP?**

    * Indirectly, when Diameter is used.
    * EAP-TTLS itself is transport-independent.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS/EAP-OTP protocol depend on UDP?**

    * Yes, when a RADIUS backend is used (which is typical).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-TTLS/EAP-OTP protocol?**

    * Supplicant (client)
    * Authenticator (e.g., Access Point)
    * Authentication Server (e.g., FreeRADIUS with OTP support)
    * Certificate Authority (for the server certificate)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS/EAP-OTP protocol work with the FreeRADIUS server on Linux?**

    * Yes, FreeRADIUS fully supports EAP-TTLS and can integrate with OTP modules like Google Authenticator or OPIE.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS/EAP-OTP protocol work with the internal RADIUS server of hostapd?**

    * No, hostapd's internal RADIUS server does not support EAP-TTLS or OTP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFCs define the EAP-TTLS/EAP-OTP protocol?**

    * EAP-TTLS: defined in RFC 5281.
    * OTP methods: follow RFC 2289, or other OTP schemes such as TOTP (RFC 6238).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    * EAPOL packets themselves are not encrypted.
    * The inner authentication (OTP) is encrypted inside the TLS tunnel established by EAP-TTLS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-TTLS/EAP-OTP protocol?**

    * The client sends its EAP Identity.
    * The server initiates the EAP-TTLS TLS handshake.
    * The TLS tunnel is established using the server certificate.
    * The client provides OTP credentials inside the tunnel.
    * The server verifies the OTP against its backend.
    * EAP Success is sent on successful authentication.
    * Keys are derived and handed to the authenticator.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    * A Master Session Key (MSK) and an Extended Master Session Key (EMSK) are generated.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    * MSK: 64 bytes (512 bits)
    * EMSK: 64 bytes (512 bits)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <EAP_TTLS_EAP_OTP_step1>`
    * :ref:`Terminology <EAP_TTLS_EAP_OTP_step2>`
    * :ref:`Version Info <EAP_TTLS_EAP_OTP_step3>`
    * :ref:`EAP_TTLS_EAP_OTP Version&IEEE Details <EAP_TTLS_EAP_OTP_step5>`
    * :ref:`EAP_TTLS_EAP_OTP FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_OTP_step18>`
    * :ref:`EAP_TTLS_EAP_OTP FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_TTLS_EAP_OTP_step19>`
    * :ref:`EAP_TTLS_EAP_OTP Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_OTP_step20>`
    * :ref:`EAP_TTLS_EAP_OTP Protocol Packet Details <EAP_TTLS_EAP_OTP_step6>`
    * :ref:`EAP_TTLS_EAP_OTP Usecases <EAP_TTLS_EAP_OTP_step7>`
    * :ref:`EAP_TTLS_EAP_OTP Basic Features <EAP_TTLS_EAP_OTP_step8>`
    * :ref:`Reference links <EAP_TTLS_EAP_OTP_step17>`

.. _EAP_TTLS_EAP_OTP_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_TTLS_EAP_OTP_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_TTLS_EAP_OTP_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_TTLS_EAP_OTP_step5:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_OTP Version&RFC Details

        * rfc details

.. _EAP_TTLS_EAP_OTP_step18:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_OTP FreeRadius Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TTLS_EAP_OTP_step19:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_OTP FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_TTLS_EAP_OTP_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TTLS_EAP_OTP_step6:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_OTP Protocol Packet Details

        * packet details

.. _EAP_TTLS_EAP_OTP_step7:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_OTP Usecases

        * usecases

.. _EAP_TTLS_EAP_OTP_step8:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_OTP Basic Features

        * features

.. _EAP_TTLS_EAP_OTP_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
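The MSK and EMSK named as the final output of the connection procedure, as an added example that is not code from this page or from any EAP implementation: the RFC 5281 (section 8) derivation that expands the TLS master secret into 128 octets and splits them into the two 64-byte keys. It assumes a TLS 1.2 tunnel, whose PRF is P_SHA256 (RFC 5246); TLS 1.0/1.1 use a different PRF. The master secret and random values are constructed sample inputs.

```python
# Added example (not from the original page): EAP-TTLS MSK/EMSK derivation.
# Assumes TLS 1.2 (P_SHA256 PRF); the label below is the one RFC 5281 specifies.
import hashlib
import hmac

TTLS_LABEL = b"ttls keying material"


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 P_hash: A(i) = HMAC(secret, A(i-1)), output += HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def ttls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """Return (MSK, EMSK) per RFC 5281: 128 octets of keying material,
    the first 64 octets are the MSK (handed to the authenticator), the next
    64 the EMSK (kept by the EAP peer and server)."""
    material = tls12_prf(master_secret, TTLS_LABEL, client_random + server_random, 128)
    return material[:64], material[64:128]


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real handshake.
    msk, emsk = ttls_keys(bytes(range(48)), b"\x11" * 32, b"\x22" * 32)
    print("MSK :", msk.hex())
    print("EMSK:", emsk.hex())
```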