EAP-OTP

What is the expansion of EAP-OTP?

EAP-OTP stands for Extensible Authentication Protocol - One-Time Password.

What is EAP-OTP?

EAP-OTP is an authentication protocol that uses a one-time password mechanism for secure authentication of a client to a server.

Why is EAP-OTP useful?

  • Provides additional security by using passwords that expire after a single use.

  • Mitigates risks of password reuse and replay attacks.

  • Easy to implement with hardware or software token generators.

  • Useful for two-factor authentication scenarios.

How does it work?

  • Client generates or receives a one-time password (OTP).

  • OTP is sent to the authentication server during the EAP exchange.

  • Server verifies OTP validity.

  • Authentication succeeds if OTP is valid and unused.

Where is EAP-OTP used?

  • Enterprise wireless networks as an additional authentication method.

  • VPN authentication.

  • Systems requiring two-factor authentication.

Which OSI layer does this protocol belong to?

  • Application Layer (Layer 7) of the OSI model.

  • Operates within the EAP framework carried over network layers.

Is EAP-OTP Windows specific?

  • No, it is platform-independent.

  • Supported through various third-party supplicants on Windows.

Is EAP-OTP Linux specific?

  • No, it is supported on Linux via wpa_supplicant and other tools.

Which Transport Protocol is used by EAP-OTP?

  • Runs over EAP, commonly encapsulated over EAPOL (Ethernet) and RADIUS (UDP).

Which Port is used by EAP-OTP?

  • RADIUS authentication: UDP port 1812

Does EAP-OTP use a client-server model?

  • Yes.

  • Client (supplicant) sends OTP to Authentication Server for verification.

Does the EAP-OTP protocol use certificates?

  • No, EAP-OTP typically relies on shared secrets and OTP generation rather than certificates.

How many frame exchanges are seen during connection for the EAP-OTP protocol?

  • Typically 4–6 EAP message exchanges depending on the implementation.

Does the EAP-OTP protocol use client certificates?

  • No, client certificates are not used.

Does the EAP-OTP protocol use server certificates?

  • No, server certificates are generally not used.

Is the EAP-OTP protocol dependent on TCP?

  • No, EAP-OTP is transport agnostic and mostly used over UDP (RADIUS).

Is the EAP-OTP protocol dependent on UDP?

  • Yes, commonly used over UDP via RADIUS.

What are the roles involved when testing the EAP-OTP protocol?

  • Supplicant (client)

  • Authenticator (e.g., Access Point)

  • Authentication Server (e.g., FreeRADIUS)

Does the EAP-OTP protocol work with a FreeRADIUS server on Linux?

  • Yes, FreeRADIUS supports EAP-OTP with proper configuration.

Does the EAP-OTP protocol work with the internal RADIUS server of hostapd?

  • Support depends on the version; many internal RADIUS servers have limited EAP-OTP support.

What is the RFC version used for the EAP-OTP protocol?

  • RFC 4794

During the connection procedure, which EAPOL packets are encrypted?

  • EAPOL packets themselves are generally not encrypted.

  • OTP is sent securely via RADIUS or other protected transport.

Can you explain the different stages of the connection procedure for the EAP-OTP protocol?

  • Client sends EAP identity request.

  • Server requests OTP from client.

  • Client sends generated OTP.

  • Server verifies OTP.

  • Server sends EAP Success or Failure.

What is the final output of the connection procedure?

  • Authentication success or failure based on OTP verification.
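
The exchange described above, as an added example that is not part of the original page: a minimal server and supplicant trade an EAP Request/Response of type OTP, and a captured OTP fails when it is replayed. It assumes a hash-chain OTP generator with plain SHA-256 as the one-way step and a constructed `seq N` challenge text; `OtpServer`, `client_response` and the sample secret are hypothetical names and values.

```python
import hashlib
import hmac
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # EAP codes (RFC 3748)
TYPE_OTP = 5                                      # EAP method type for OTP (RFC 3748)

def chain(value, n):
    """Apply the one-way step n times. Assumption: plain SHA-256 stands in for the OTP hash."""
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

def eap_packet(code, ident, eap_type=None, data=b""):
    """Encode Code, Identifier, Length, then optional Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

class OtpServer:
    """Stores only the last accepted OTP, so every value is accepted once."""
    def __init__(self, secret, count):
        self.stored, self.remaining = chain(secret, count), count

    def challenge(self, ident):
        # Constructed challenge text: tells the client which chain position to send.
        return eap_packet(REQUEST, ident, TYPE_OTP, b"seq %d" % (self.remaining - 1))

    def verify(self, resp):
        if len(resp) < 6 or self.remaining < 1:
            return eap_packet(FAILURE, resp[1] if len(resp) > 1 else 0)
        code, ident, length = struct.unpack("!BBH", resp[:4])
        otp = resp[5:]
        ok = (code == RESPONSE and length == len(resp) and resp[4] == TYPE_OTP
              and hmac.compare_digest(chain(otp, 1), self.stored))
        if ok:  # burn the OTP: the submitted value becomes the next reference
            self.stored, self.remaining = otp, self.remaining - 1
        return eap_packet(SUCCESS if ok else FAILURE, ident)

def client_response(request, secret):
    """Supplicant side: read the requested position and answer with that OTP."""
    seq = int(request[5:].split()[1])
    return eap_packet(RESPONSE, request[1], TYPE_OTP, chain(secret, seq))

def demo():
    secret = b"constructed-demo-secret"  # constructed sample value
    server = OtpServer(secret, count=100)
    resp = client_response(server.challenge(1), secret)
    return server.verify(resp)[0], server.verify(resp)[0]  # fresh, then replayed
```

`demo()` returns the EAP code of the server's reply to the fresh response and then to the same response sent a second time.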
