EAP-PEAP/OTP

What is the expansion of EAP-PEAP/OTP?

EAP-PEAP/OTP stands for Extensible Authentication Protocol (EAP) using Protected EAP (PEAP) with a One-Time Password (OTP) method as the inner authentication.

What is EAP-PEAP/OTP?

EAP-PEAP/OTP is an authentication protocol in which the inner EAP exchange is encapsulated within a TLS tunnel, and a One-Time Password (OTP) method carried inside that tunnel authenticates the user.

Why is EAP-PEAP/OTP useful?

  • Protects OTP credentials using TLS encryption.

  • Avoids exposing OTP to eavesdroppers.

  • The server certificate, validated by the supplicant, ensures the tunnel terminates at a trusted server.

  • Suitable for two-factor authentication setups.

  • Flexible and widely supported.

How does it work?

  • Phase 1: TLS tunnel established using server certificate.

  • Phase 2: Client sends OTP credential inside encrypted tunnel.

  • Server validates OTP using backend (e.g., RADIUS with OTP module).

  • Upon success, session keys are derived for secure communication.

Where is EAP-PEAP/OTP used?

  • Enterprise Wi-Fi networks requiring strong authentication.

  • VPN access with time-based OTP (TOTP/HOTP).

  • Environments with MFA/2FA policies using OTPs.

Which OSI layer does this protocol belong to?

  • Application Layer (Layer 7).

  • EAP is encapsulated within TLS and transmitted over network transport.

Is EAP-PEAP/OTP Windows specific?

  • No, it is platform-independent.

  • Windows can support OTP-based PEAP with appropriate RADIUS server configuration.

Is EAP-PEAP/OTP Linux specific?

  • No, supported on Linux using tools like wpa_supplicant and FreeRADIUS with OTP modules (e.g., Google Authenticator, OPIE).

Which transport protocol is used by EAP-PEAP/OTP?

  • EAP over EAPOL (Ethernet)

  • EAP over RADIUS (UDP)

  • EAP over Diameter (TCP/SCTP)

Which Port is used by EAP-PEAP/OTP?

  • RADIUS: UDP port 1812

  • Diameter: TCP port 3868

Does EAP-PEAP/OTP use the client-server model?

  • Yes.

  • The client (supplicant) communicates with the authentication server through the authenticator.

Does the EAP-PEAP/OTP protocol use certificates?

  • Yes, server certificates are mandatory to establish the TLS tunnel.

  • Client certificates are not required for OTP authentication.

How many frame exchanges are seen during a connection with the EAP-PEAP/OTP protocol?

  • Around 10–12 EAP message exchanges, depending on the TLS handshake and the OTP exchange.

Does the EAP-PEAP/OTP protocol use client certificates?

  • No, OTP-based authentication does not require client certificates.

Does the EAP-PEAP/OTP protocol use server certificates?

  • Yes, a valid server certificate is required to establish the TLS tunnel.

Does EAP-PEAP/OTP Protocol depend on TCP?

  • Indirectly, if Diameter is used as the backend transport.

  • EAP and PEAP themselves are transport agnostic.

Does EAP-PEAP/OTP Protocol depend on UDP?

  • Yes, it commonly uses RADIUS over UDP.

What are the roles involved when testing EAP-PEAP/OTP Protocol?

  • Supplicant (client)

  • Authenticator (e.g., Access Point)

  • Authentication Server (e.g., FreeRADIUS with OTP module)

  • Certificate Authority (for server certificate)

Does EAP-PEAP/OTP Protocol work with FreeRADIUS server on Linux?

  • Yes, FreeRADIUS supports EAP-PEAP and can integrate with OTP plugins.

Does EAP-PEAP/OTP Protocol work with internal RADIUS server of hostapd?

  • No, hostapd’s internal RADIUS server lacks full support for EAP-PEAP and OTP methods.

What is the RFC version used for EAP-PEAP/OTP Protocol?

  • PEAP is defined in drafts (e.g., draft-kamath-pppext-peapv0).

  • OTP mechanisms follow RFC 2289 (OPIE) or proprietary implementations (e.g., TOTP via RFC 6238).

During the connection procedure, which EAPOL packets are encrypted?

  • EAPOL packets themselves are not encrypted.

  • Inner OTP authentication is encrypted inside the TLS tunnel.

Can you explain the different stages of the connection procedure for the EAP-PEAP/OTP protocol?

  • Client sends EAP identity.

  • Server initiates TLS handshake.

  • TLS tunnel is established with server certificate.

  • Client submits OTP inside TLS tunnel.

  • Server validates OTP using backend (e.g., RADIUS + Google Authenticator).

  • If successful, EAP Success is sent and session keys are derived.
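The "server validates OTP using backend" step above, and the same step under "How does it work?", is where the OTP module behind the RADIUS server does its work. The following Python is an added example, not code from this page, FreeRADIUS or any OTP plugin: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and wraps them in a small backend that also performs the replay check a real module needs, so that a code accepted once is not accepted again within the clock window. The in-memory user store, the one-step clock window and the five-code HOTP look-ahead are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduce modulo 10^digits, left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the time step."""
    return hotp(secret, at_time // step, digits, algo)


class OtpBackend:
    """Constructed in-memory user store standing in for the RADIUS OTP module
    (assumption: a real backend persists counters and last-used steps)."""

    def __init__(self, step: int = 30, window: int = 1, lookahead: int = 5):
        self.step = step            # TOTP time step in seconds
        self.window = window        # accepted clock skew, in steps, either side
        self.lookahead = lookahead  # HOTP counters searched for a desynced token
        self.users = {}

    def add_user(self, identity: str, secret: bytes, mode: str = "totp") -> None:
        self.users[identity] = {"secret": secret, "mode": mode,
                                "counter": 0, "last_step": -1}

    def verify(self, identity: str, code: str, now=None) -> bool:
        user = self.users.get(identity)
        if user is None:
            return False
        if user["mode"] == "totp":
            now = int(time.time()) if now is None else now
            current = now // self.step
            for cand in range(current - self.window, current + self.window + 1):
                if cand <= user["last_step"]:
                    continue  # replay protection: this or an earlier step was already used
                expected = totp(user["secret"], cand * self.step, self.step)
                if hmac.compare_digest(expected, code):
                    user["last_step"] = cand
                    return True
            return False
        # HOTP: search forward from the stored counter; on a match, move the
        # counter past the used value so the same code cannot be replayed.
        for cand in range(user["counter"], user["counter"] + self.lookahead):
            if hmac.compare_digest(hotp(user["secret"], cand), code):
                user["counter"] = cand + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed secret: the RFC 4226 / RFC 6238 test key "12345678901234567890".
    backend = OtpBackend()
    backend.add_user("alice", b"12345678901234567890")
    print("first use :", backend.verify("alice", "287082", now=59))   # True
    print("replayed  :", backend.verify("alice", "287082", now=59))   # False
```

In the deployment described on this page this check runs only after phase 1 has completed, so the code compared here arrived inside the TLS tunnel; `hmac.compare_digest` keeps the comparison constant-time, and the `last_step`/`counter` bookkeeping is what turns a one-time password into one that is genuinely single-use.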

What is the final output of the connection procedure?

  • Generation of Master Session Key (MSK) and Extended MSK (EMSK).

What is the format of the key generated after the connection procedure?

  • MSK: 64 bytes (512 bits)

  • EMSK: 64 bytes (512 bits)
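How the MSK and EMSK of the sizes listed above are produced at the end of the procedure, as an added example in Python (not code from this page or from any supplicant or RADIUS server). It assumes the EAP-TLS-style derivation of RFC 5216 as applied by PEAP: the TLS 1.2 PRF of RFC 5246 (P_SHA256) keyed with the tunnel's master secret, the label "client EAP encryption", the seed client_random || server_random, and 128 bytes of output split into a 64-byte MSK and a 64-byte EMSK. The master secret and randoms are constructed sample values, and PEAP cryptobinding, which some implementations layer on top, is not modelled.

```python
import hashlib
import hmac

MSK_LEN = 64   # Master Session Key, exported to the authenticator
EMSK_LEN = 64  # Extended MSK, kept on the peer and the authentication server
PEAP_LABEL = b"client EAP encryption"  # assumption: PEAP reuses the EAP-TLS label


def p_hash(secret: bytes, seed: bytes, length: int, algo=hashlib.sha256) -> bytes:
    """RFC 5246 P_hash: A(i) = HMAC(secret, A(i-1)); output HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, algo).digest()
        out += hmac.new(secret, a + seed, algo).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_peap_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """Return (MSK, EMSK) from the tunnel's TLS master secret and randoms."""
    key_material = tls12_prf(master_secret, PEAP_LABEL,
                             client_random + server_random, MSK_LEN + EMSK_LEN)
    return key_material[:MSK_LEN], key_material[MSK_LEN:MSK_LEN + EMSK_LEN]


def radius_mppe_keys(msk: bytes):
    """Split the MSK the way RFC 5216 maps it onto the RADIUS attributes the
    server sends to the authenticator: MS-MPPE-Recv-Key = MSK[0:32],
    MS-MPPE-Send-Key = MSK[32:64]. The EMSK is never sent to the authenticator."""
    return msk[:32], msk[32:64]


def demo():
    # Constructed sample inputs; a real master secret is 48 bytes of TLS state.
    master_secret = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    return derive_peap_keys(master_secret, client_random, server_random)


if __name__ == "__main__":
    msk, emsk = demo()
    recv_key, send_key = radius_mppe_keys(msk)
    print("MSK  :", msk.hex())
    print("EMSK :", emsk.hex())
    print("MS-MPPE-Recv-Key:", recv_key.hex())
```

The split in `radius_mppe_keys` is the reason the page can say the EMSK is part of the output yet only the MSK reaches the access point: the authenticator receives the two MSK halves as RADIUS attributes and derives the pairwise keys for the air interface from them, while the EMSK stays with the peer and server for any later key-exporting extensions.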
