EAP (application id: 5)

The Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication mechanisms. EAP can be used on dedicated links, switched circuits, and both wired and wireless links. The Diameter EAP application is based on the Diameter Network Access Server Application (NASREQ) and is intended for environments similar to NASREQ.

In the Diameter EAP application, authentication occurs between the EAP client and its home Diameter server. This end-to-end authentication reduces the possibility of fraudulent authentication, such as replay and man-in-the-middle attacks. End-to-end authentication also provides the possibility for mutual authentication, which is not feasible with PAP and CHAP in a roaming PPP environment.

EAP interface workflow

  1. EAP Initiation
    • The EAP conversation begins when the user initiates EAP within a link layer protocol such as PPP (Point-to-Point Protocol) or IEEE 802.11.
    • The NAS receives this initiation and sends a Diameter-EAP-Request message to the Diameter server, containing an empty EAP-Payload AVP to signify EAP-Start.
  2. EAP-Start Message
    • The Diameter server responds with a Diameter-EAP-Answer message, including an EAP-Payload AVP that encapsulates an EAP packet. 
    • The NAS forwards the EAP payload to the EAP client (User).
  3. Multi-Round EAP Exchange
    • Identity Request and Response: The initial Diameter-EAP-Answer typically includes an EAP-Request/Identity, requesting the user to identify themselves.
    • The user responds with an EAP-Response/Identity, which the NAS forwards as another Diameter-EAP-Request to the Diameter server.
  4. Processing Identity
    • The Diameter server processes the EAP-Response/Identity and may issue further EAP requests for authentication methods like EAP-TLS.
    • These EAP messages are encapsulated within Diameter-EAP-Request and Diameter-EAP-Answer messages, continuing the exchange until authentication is complete.
  5. Final Authentication Result
    • Upon successful completion of the EAP exchange, the Diameter server sends a final Diameter-EAP-Answer.
    • The Result-Code AVP in this message indicates success or failure, and it may include additional AVPs such as authorization AVPs if required.
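
The message framing behind this workflow, as an added example (not Mobius code and not taken from the specification): it encodes and parses Diameter-EAP-Request/Answer messages and names the workflow step each one represents, rejecting inconsistent lengths. Assumptions: command code 268, EAP-Payload AVP code 462 and Result-Code values 1001/2001 come from RFC 4072 and the Diameter base protocol rather than this page, the function names are illustrative, and messages carry only the AVPs the workflow mentions (a real DER/DEA also carries Session-Id, Origin-Host and others).

```python
APP_ID_EAP = 5            # Diameter EAP application id
CMD_EAP = 268             # Diameter-EAP-Request/Answer command code (RFC 4072)
AVP_RESULT_CODE = 268     # Result-Code AVP
AVP_EAP_PAYLOAD = 462     # EAP-Payload AVP (RFC 4072)
MULTI_ROUND_AUTH, SUCCESS = 1001, 2001   # Result-Code values

def avp(code, data, flags=0x40):
    """Encode an AVP without Vendor-Id; flags 0x40 sets the M bit."""
    length = 8 + len(data)               # AVP length excludes padding
    return (code.to_bytes(4, "big") + bytes([flags]) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))

def message(request, avps, hop=1, end=1):
    """Encode a DER (request=True) or DEA behind the 20-byte Diameter header."""
    body = b"".join(avps)
    head = [(1, 1), (20 + len(body), 3), (0xC0 if request else 0x40, 1),
            (CMD_EAP, 3), (APP_ID_EAP, 4), (hop, 4), (end, 4)]
    return b"".join(v.to_bytes(n, "big") for v, n in head) + body

def parse_avps(msg):
    """Return {avp_code: data}; reject wrong command/application or bad lengths."""
    if (len(msg) < 20 or int.from_bytes(msg[1:4], "big") != len(msg)
            or msg[5:12] != CMD_EAP.to_bytes(3, "big") + APP_ID_EAP.to_bytes(4, "big")):
        raise ValueError("not a well-formed Diameter EAP message")
    out, pos = {}, 20
    while pos < len(msg):
        if len(msg) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = int.from_bytes(msg[pos:pos + 4], "big"), msg[pos + 4]
        length = int.from_bytes(msg[pos + 5:pos + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit adds a 4-byte Vendor-Id
        if length < hdr or pos + length > len(msg):
            raise ValueError("bad AVP length")
        out[code] = msg[pos + hdr:pos + length]
        pos += length + (-length % 4)
    return out

def classify(msg):
    """Name the workflow step a DER/DEA represents."""
    avps = parse_avps(msg)
    eap = avps.get(AVP_EAP_PAYLOAD)
    if msg[4] & 0x80:                    # R bit set: NAS -> server
        if eap is None:
            raise ValueError("DER without EAP-Payload")
        return "EAP-Start" if eap == b"" else "EAP-Response"
    rc = int.from_bytes(avps.get(AVP_RESULT_CODE, b""), "big")
    if rc == MULTI_ROUND_AUTH:
        return "continue"
    return "success" if rc == SUCCESS else "failure"
```

For instance, `classify(message(True, [avp(AVP_EAP_PAYLOAD, b"")]))` returns `"EAP-Start"`, and a DEA carrying Result-Code 1001 returns `"continue"`, meaning the NAS forwards the enclosed EAP packet to the client for another round.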

For the complete technical specification of the EAP interface in the Diameter protocol, refer to [RFC4072].
