
Lesson 3 Extensible Authentication Protocol
Objective: Describe how EAP supports authentication.

Extensible Authentication Protocol

EAP allows alternative authentication mechanisms to be used to validate a dial-in connection. The exact authentication method is negotiated between the dial-in client and the remote access server. EAP supports authentication by using:
  1. Generic token cards: a physical card that provides passwords. Token cards may use several authentication methods, such as using codes that change with each use (one-time passwords).
  2. MD5-CHAP: the Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP) encrypts user names and passwords with the MD5 algorithm.
  3. TLS: Transport Layer Security (TLS) is used for smart cards and other intermediary security devices. Smart cards require a card and a reader. The smart card electronically stores the user's certificate and private key. EAP-TLS works only when the RAS server is a member of a Windows 2000 domain; EAP-TLS will not work on a standalone RAS server.
Extending authentication methods

EAP provides for the extension of the authentication methods used for the Point-to-Point Protocol (PPP). Through the EAP Application Programming Interfaces (APIs), independent software vendors can supply new client and server authentication modules for technologies such as token cards, smart cards, biometric hardware, and authentication technologies that have not yet been developed.
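The negotiation described above, as an added example in Python that is not part of the original lesson: the remote access server requests an identity, proposes EAP-TLS, the client answers with a NAK naming MD5-Challenge, and the server completes the MD5-Challenge exchange using the packet layout from RFC 2284. The user table, user name and secret are constructed for the example.

```python
import hashlib, hmac, os, struct

# EAP packet Codes and method Types from RFC 2284, the RFC this lesson cites
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5_CHALLENGE, TLS = 1, 3, 4, 13

def build(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Decode an EAP packet, rejecting one whose Length field disagrees with its size."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP Length field")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

def md5_response(ident, secret, challenge):
    """MD5-Challenge value: MD5(Identifier || secret || challenge), the same form PPP CHAP uses."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def client_reply(pkt, identity, secret):
    """Dial-in client: answer Identity and MD5-Challenge requests, NAK any other method."""
    _, ident, eap_type, data = parse(pkt)
    if eap_type == IDENTITY:
        return build(RESPONSE, ident, IDENTITY, identity)
    if eap_type == MD5_CHALLENGE:           # Type-Data = Value-Size, Value, Name
        value = md5_response(ident, secret, data[1:1 + data[0]])
        return build(RESPONSE, ident, MD5_CHALLENGE, bytes([len(value)]) + value + identity)
    return build(RESPONSE, ident, NAK, bytes([MD5_CHALLENGE]))  # "I support MD5-Challenge instead"

def run_exchange(users, identity, secret):
    """Remote access server side of one conversation: returns the client's Response Types and the final Code."""
    trail = []
    def ask(ident, eap_type, data=b""):
        resp = client_reply(build(REQUEST, ident, eap_type, data), identity, secret)
        _, _, rtype, rdata = parse(resp)
        trail.append(rtype)
        return rtype, rdata
    _, name = ask(1, IDENTITY)
    rtype, rdata = ask(2, TLS)                        # server proposes its preferred method first
    method = rdata[0] if rtype == NAK else rtype      # a NAK carries the method the client wants
    if method != MD5_CHALLENGE or name not in users:
        return trail, FAILURE
    challenge = os.urandom(16)                        # fresh per conversation, so a reply cannot be replayed
    _, rdata = ask(3, MD5_CHALLENGE, bytes([16]) + challenge)
    expected = md5_response(3, users[name], challenge)  # recomputed from the server's stored secret
    ok = hmac.compare_digest(rdata[1:1 + rdata[0]], expected)
    return trail, (SUCCESS if ok else FAILURE)
```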
You can add EAP authentication methods on the Security tab in the Properties dialog box for the remote access server.
Figure 1: Adding EAP authentication methods
Figure 2: Adding EAP authentication methods (continued)

Note: For more information about EAP, see RFC 2284. In the next lesson, you will learn about the new protocol, RADIUS.