NanoEAP™

Mocana's open-standards-based, full-featured, RFC-compliant embedded EAP solution.

About NanoEAP

Mocana delivers an open-standards-based, full-featured, RFC-compliant embedded Extensible Authentication Protocol (EAP) solution. The Mocana NanoEAP solution offers a complete peer (supplicant) as well as an authenticator that supports both pass-through mode and stand-alone mode. The supplicant and the authenticator(s) are available individually or as a bundle. The Mocana NanoEAP solution can prevent unauthorized access to your network devices, lets you update your security handling easily, and independently manages multiple users who require unique security configurations. Separate VLANs can be served by separate EAP instances. Upper-layer APIs enable session creation, initialization and statistics collection, and provide several callback functions and APIs to configure and monitor a particular EAP session. Lower-layer APIs enable EAP communication over Ethernet, PPP, UDP, or any other transport protocol.

The NanoEAP model contains the following elements:

  • The peer (supplicant) is the device that needs to connect to the network.
  • The network access server (NAS), also known as the edge device, controls access to the network.
  • The authenticator acts in either stand-alone mode to authenticate the peer (in two-tier authentication models) or in pass-through mode to transmit messages between the peer and an authentication server (in three-tier authentication models).
  • The authentication server contains the data and logic, such as user names, passwords, and access rights, to make decisions about what services a peer is authorized to use.

Currently, there are approximately 40 different EAP methods. Methods defined in IETF RFCs include:

LEAP: The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard.

EAP-TLS: EAP-Transport Layer Security, or EAP-TLS, defined in RFC 5216, is an IETF open standard and is well supported among wireless vendors.

EAP-MD5: Defined in RFC 3748, EAP-MD5 is the only IETF Standards Track EAP method.

EAP-PSK: Defined in RFC 4764, EAP-PSK is an EAP method for mutual authentication and session-key derivation using a pre-shared key (PSK).

EAP-TTLS: EAP-Tunneled Transport Layer Security, or EAP-TTLS, is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom and is widely supported across platforms.

EAP-IKEv2: An EAP method based on the Internet Key Exchange Protocol version 2 (IKEv2). It provides mutual authentication and session-key establishment between an EAP peer and an EAP server.

PEAP: Protected EAP is a joint proposal by Cisco Systems, Microsoft and RSA Security, published as an open standard. It is already widely available in products and provides very good security. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel that protects user authentication.

EAP-FAST: Flexible Authentication via Secure Tunneling (EAP-FAST) is a protocol proposal by Cisco Systems as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while preserving the "lightweight" implementation.

EAP-SIM: EAP for GSM Subscriber Identity is used for authentication and session-key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM is defined in RFC 4186.

EAP-AKA: EAP for UMTS Authentication and Key Agreement is used for authentication and session-key distribution using the Universal Mobile Telecommunications System (UMTS) Universal Subscriber Identity Module (USIM). EAP-AKA is defined in RFC 4187.
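The peer/authenticator exchange from the model above, worked through for the simplest method in the list (EAP-MD5, RFC 3748), as an added Python example that is not Mocana's NanoEAP code: it parses the RFC 3748 EAP header with Length checks, builds the peer's MD5-Challenge Response and verifies it on a stand-alone authenticator. The packet bytes, secret and names are constructed for illustration.

```python
import hashlib
import hmac
import struct
# EAP Codes and a few method Types from RFC 3748 and the method RFCs named above.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet (Code, Identifier, Length, Data) and validate it.
    Length counts the whole packet; bytes beyond it are padding and ignored."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES or length < 4 or length > len(packet):
        raise ValueError(f"bad EAP Code {code} or Length {length}")
    info = {"code": CODES[code], "id": ident}
    if code in (1, 2):  # Request/Response carry a Type byte plus Type-Data
        if length < 5:
            raise ValueError("Request/Response without Type")
        info["type"] = TYPES.get(packet[4], f"type {packet[4]}")
        info["type_data"] = packet[5:length]
    return info

def md5_challenge_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style value used by EAP-MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def challenge_from(type_data: bytes) -> bytes:
    """MD5-Challenge Type-Data is Value-Size, Value, Name; return Value or fail."""
    if not type_data or len(type_data) < 1 + type_data[0]:
        raise ValueError("MD5-Challenge Value truncated")
    return type_data[1:1 + type_data[0]]

def build_md5_response(request: bytes, secret: bytes, name: bytes = b"") -> bytes:
    """Peer side: answer an MD5-Challenge Request with Code 2 and the same Identifier."""
    req = parse_eap(request)
    if req["code"] != "Request" or req.get("type") != "MD5-Challenge":
        raise ValueError("not an MD5-Challenge Request")
    value = md5_challenge_value(req["id"], secret, challenge_from(req["type_data"]))
    body = bytes([4, len(value)]) + value + name
    return struct.pack("!BBH", 2, req["id"], 4 + len(body)) + body

def verify_md5_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Stand-alone authenticator side: recompute the value and compare in constant time."""
    req, resp = parse_eap(request), parse_eap(response)
    if (req.get("type") != "MD5-Challenge" or resp["code"] != "Response"
            or resp.get("type") != "MD5-Challenge" or resp["id"] != req["id"]):
        return False
    expected = md5_challenge_value(req["id"], secret, challenge_from(req["type_data"]))
    return hmac.compare_digest(challenge_from(resp["type_data"]), expected)
```

EAP-MD5 authenticates only the peer and derives no session keys, which is why the tunnelled and key-deriving methods listed above exist; the header and Value-Size checks apply to every method, since Type-Data is only safe to act on after they pass.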