EAP-TTLS-PAP
============

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-TTLS-PAP?**

    Extensible Authentication Protocol - Tunneled Transport Layer Security - Password Authentication Protocol.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-TTLS-PAP?**

    EAP-TTLS-PAP is an authentication method that establishes a secure TLS tunnel using EAP-TTLS, inside which the PAP protocol is used to transmit username and password credentials.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-TTLS-PAP useful?**

    - Secures otherwise insecure PAP password authentication by encapsulating it inside a TLS tunnel.
    - Protects credentials from eavesdropping and replay attacks.
    - Provides compatibility with legacy systems using PAP without exposing plaintext credentials on the network.
    - Does not require client certificates, easing deployment.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    1. Client and server perform a TLS handshake via EAP-TTLS to create a secure tunnel.
    2. Inside this encrypted tunnel, PAP credentials (username and password) are sent from client to server.
    3. The server validates the credentials and authenticates the user.
    4. Upon success, session keys are derived for securing the connection.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-TTLS-PAP used?**

    - Enterprise wireless networks needing to support legacy PAP authentication securely.
    - Networks transitioning from less secure authentication methods.
    - Environments where client certificates are not feasible but TLS security is desired.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    Application Layer (Layer 7).
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-PAP Windows-specific?**

    No. EAP-TTLS-PAP is supported across multiple platforms, including Windows, Linux, and macOS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-PAP Linux-specific?**

    No. It is supported by Linux supplicants (e.g., wpa_supplicant) and RADIUS servers such as FreeRADIUS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-TTLS-PAP?**

    - EAPOL (EAP over LAN) between supplicant and authenticator.
    - RADIUS protocol over UDP between authenticator and authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-TTLS-PAP?**

    UDP port 1812 (RADIUS authentication).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-PAP use the client-server model?**

    Yes. It involves a client (supplicant), an authenticator (access point), and an authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-PAP protocol use certificates?**

    Server certificates are mandatory to establish the TLS tunnel. Client certificates are not used.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-TTLS-PAP protocol?**

    Approximately 20-30 EAPOL frame exchanges, including the TLS handshake and the PAP exchange inside the tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-PAP protocol use client certificates?**

    No, client certificates are generally not used.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-PAP protocol use server certificates?**

    Yes, server certificates are used to authenticate the server and set up TLS.
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-PAP protocol depend on TCP?**

    Not directly. EAPOL operates at Layer 2, the TLS handshake is carried in EAP messages, and RADIUS uses UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-PAP protocol depend on UDP?**

    Yes, RADIUS uses UDP between authenticator and authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-TTLS-PAP protocol?**

    - Supplicant with PAP credentials.
    - Access point or authenticator.
    - RADIUS server supporting EAP-TTLS with PAP.
    - Certificate authority for server certificates.
    - Network analysis tools for debugging.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-PAP protocol work with a FreeRADIUS server on Linux?**

    Yes, FreeRADIUS supports EAP-TTLS-PAP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-PAP protocol work with the internal RADIUS server of hostapd?**

    Limited support; external RADIUS servers are preferred.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFC is used for the EAP-TTLS-PAP protocol?**

    RFC 5281 (EAP-TTLS).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    Only packets inside the TLS tunnel (including PAP credentials) are encrypted.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-TTLS-PAP protocol?**

    1. Client initiates EAP-TTLS and verifies the server certificate.
    2. TLS tunnel is established.
    3. Client sends PAP username and password inside the tunnel.
    4. Server verifies credentials.
    5. Upon success, the PMK is generated.
    6. The 4-way handshake completes to secure the wireless session.
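The PAP step inside the tunnel, as an added example that is not part of the original page: RFC 5281 carries the credentials as Diameter-style AVPs (User-Name, code 1; User-Password, code 2, null-padded to a multiple of 16 octets). The sketch below builds and parses that payload to show that the TTLS server recovers the plaintext password once TLS is removed, which is why step 1 (verifying the server certificate) carries the whole security of the method. Function names and the sample credentials are constructed for illustration.

```python
import struct

# RADIUS attribute numbers reused as AVP codes by EAP-TTLS (RFC 5281)
USER_NAME, USER_PASSWORD = 1, 2
FLAG_VENDOR, FLAG_MANDATORY = 0x80, 0x40

def encode_avp(code, data, flags=FLAG_MANDATORY):
    """One AVP: 4-byte code, 1-byte flags, 3-byte length, data, zero pad to 4."""
    length = 8 + len(data)              # header + data; padding is not counted
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-length % 4)

def build_pap_payload(username, password):
    """Phase-2 PAP message: User-Name AVP followed by User-Password AVP."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)     # null-pad to hide the exact length
    return encode_avp(USER_NAME, username.encode()) + encode_avp(USER_PASSWORD, pw)

def parse_avps(buf):
    """Return [(code, flags, data)]; reject truncated or inconsistent AVPs."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_VENDOR else 8   # optional 4-byte Vendor-ID
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of bounds")
        avps.append((code, flags, buf[off + hdr:off + length]))
        off += length + (-length % 4)   # skip padding to the 4-byte boundary
    return avps

def extract_pap(buf):
    """What the TTLS server sees after TLS decryption: the cleartext pair."""
    fields = {code: data for code, _, data in parse_avps(buf)}
    return fields[USER_NAME].decode(), fields[USER_PASSWORD].rstrip(b"\x00").decode()

if __name__ == "__main__":
    payload = build_pap_payload("alice", "correct horse")  # constructed sample
    print(payload.hex())
    print(extract_pap(payload))
```

Because the password is only padded, not hashed or encrypted at this layer, any endpoint that terminates the TLS tunnel reads it directly; a supplicant that skips server certificate validation hands it to whichever server answers.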
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    Successful user authentication and derivation of the Pairwise Master Key (PMK).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    A 256-bit Pairwise Master Key (PMK).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    The PMK is used during the 4-way handshake to derive encryption keys for securing the wireless data transmission.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`EAP_TTLS_PAP Version&IEEE Details `
    * :ref:`EAP_TTLS_PAP FreeRadius Basic Setup on Ubuntu (2 Machines) `
    * :ref:`STEP 1: Bring up FreeRADIUS `
    * :ref:`STEP 2: Bring up AP `
    * :ref:`STEP 3: Bring up STA `
    * :ref:`EAP_TTLS_PAP FreeRadius Basic Setup on Ubuntu (3 Machines) `
    * :ref:`EAP_TTLS_PAP Internal Radius Server Basic Setup on Ubuntu (2 Machines) `
    * :ref:`EAP_TTLS_PAP Protocol Packet Details `
    * :ref:`EAP_TTLS_PAP Usecases `
    * :ref:`EAP_TTLS_PAP Basic Features `
    * :ref:`Reference links `

.. _EAP_TTLS_PAP_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_TTLS_PAP_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_TTLS_PAP_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_TTLS_PAP_step5:

.. tab-set::

    .. tab-item:: EAP_TTLS_PAP Version&RFC Details

        * rfc details

.. _EAP_TTLS_PAP_step18:

.. tab-set::

    .. tab-item:: EAP_TTLS_PAP FreeRadius Basic Setup on Ubuntu (2 Machines)

        .. _EAP_TTLS_PAP_step23:

        .. tab-set::

            .. tab-item:: STEP 1: Bring up FreeRADIUS

                .. csv-table::
                    :file: ./EAP_TTLS_PAP/eap_ttls_pap_freeradius_server.csv
                    :class: tight-table

        .. _EAP_TTLS_PAP_step21:

        .. tab-set::

            .. tab-item:: STEP 2: Bring up AP using hostapd

                .. csv-table::
                    :file: ./EAP_TTLS_PAP/eap_ttls_pap_ap_hostapd.csv
                    :class: tight-table

        .. _EAP_TTLS_PAP_step22:

        .. tab-set::

            .. tab-item:: STEP 3: Bring up STA

                .. csv-table::
                    :file: ./EAP_TTLS_PAP/eap_ttls_pap_sta_wpa_supplicant.csv
                    :class: tight-table

        .. tab-set::

            .. tab-item:: Wireshark Output

                * Download file to check Wireshark output

                  :download:`Packet capture in EAP_TTLS_PAP `

.. _EAP_TTLS_PAP_step19:

.. tab-set::

    .. tab-item:: EAP_TTLS_PAP FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_TTLS_PAP_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TTLS_PAP_step6:

.. tab-set::

    .. tab-item:: EAP_TTLS_PAP Protocol Packet Details

        * packet details

.. _EAP_TTLS_PAP_step7:

.. tab-set::

    .. tab-item:: EAP_TTLS_PAP Usecases

        * usecases

.. _EAP_TTLS_PAP_step8:

.. tab-set::

    .. tab-item:: EAP_TTLS_PAP Basic Features

        * features

.. _EAP_TTLS_PAP_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links