EAP PWD provides strong encryption and mutual authentication between supplicant and server based on a shared password. It is described in RFC 5931. Based on the per-user password, the server and supplicant derive strong cryptographic keys and authenticate each other's knowledge of the password. The derived keys can be used for dynamic WEP and WPA keys.
EAP PWD is highly secure (the password is never transmitted, even in encrypted form), does not require PKI certificates, and requires only 3 authentication round trips. Further, it is not encumbered by intellectual property issues, so it is considered efficient to roll out in eduroam and other environments.
Authentication of EAP PWD by Radiator depends on having access to the user's plain text password. EAP PWD can be used with any Radiator user database that supports a User-Password in a format like the one below. Some EAP PWD clients may also support additional password formats. For more information, see Section 3.10.58. EAP_PWD_PrepMethod:
username User-Password=fred
EAP PWD requires OpenSSL 0.9.8i libraries or later, Crypt::OpenSSL::EC, and Crypt::OpenSSL::Bignum 0.06 or later.
Tip
Crypt::OpenSSL::EC and Crypt::OpenSSL::Bignum may not be readily available for Windows. We recommend Linux or Unix hosts for deployment of EAP PWD.