Multifactor Authentication over EAP
Multifactor authentication combines two or more independent factors (something you know, something you have, something you are), so that compromise of a single credential is not enough to authenticate. For network access this authentication is usually transported by the Extensible Authentication Protocol (EAP), which RADIUS carries inside EAP-Message attributes (RFC 3579); an EAP packet longer than the 253-byte attribute payload is split across several EAP-Message attributes in the same RADIUS packet and reassembled by the receiver.
EAP-SIM authenticates with the credential held on a Subscriber Identity Module (SIM), a "something you have" factor; EAP-TLS is another, using a client certificate and its private key to authenticate the supplicant. On its own each is a single factor; the SIM or private key only becomes part of a multifactor scheme when its use is gated by, for example, a PIN or password.
EAP-TTLS (Tunneled TLS) first establishes a TLS tunnel, authenticating the server with its certificate (and optionally the client as well, with a client certificate), and then carries a second, inner authentication (a password, a one-time token-card code, and so on) inside that tunnel. The tunnel keeps the inner credential confidential and protects it from interception and man-in-the-middle attacks, but only if the supplicant actually verifies the server certificate against a trusted CA and the expected server name; a client configured to skip that check will send its inner credential to any rogue access point that presents a certificate.
EAP runs its own negotiation inside RADIUS: each EAP request and response travels in its own Access-Challenge or Access-Request. A single EAP conversation can therefore span many RADIUS packets, depending on the key and certificate sizes and the amount of cryptographic material being transported (certificate chains are fragmented to the EAP fragment size, and each fragment costs one round trip), and on the number of EAP methods tried: when the server proposes a method the client will not use, the client answers with an EAP-Nak listing the methods it wants, and a peer that ignores that hint rather than acting on it forces an extra round trip per method. This, combined with the cryptographic work of the inner method, can sharply increase the CPU time needed to process a single user's authentication. There are many ways to lessen this impact while remaining cryptographically secure, which will be described in the following sections.
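As an added example that is not part of the original page or of any RADIUS implementation, the following Python shows the two layers of encapsulation described above: one EAP packet split across EAP-Message attributes inside a single RADIUS packet (RFC 3579), and one TLS flight split across several EAP-TLS packets with RFC 5216 flags, where every packet costs a RADIUS round trip. The 1024-byte fragment size and the 2819-byte stand-in for a server certificate flight are assumptions constructed for the demo.

```python
"""Added example: EAP-in-RADIUS encapsulation and EAP-TLS fragmentation.
Constants come from RFC 3748, RFC 3579 and RFC 5216; all sample data below is
constructed for illustration, not captured from a real deployment."""
from __future__ import annotations
import struct

EAP_MESSAGE_ATTR = 79         # RADIUS attribute type EAP-Message (RFC 3579)
RADIUS_ATTR_MAX_DATA = 253    # 255-byte attribute minus 2-byte Type/Length header
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20   # Length, More, Start


def eap_packet(code: int, identifier: int, eap_type: int, data: bytes) -> bytes:
    """Build an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    length = 4 + 1 + len(data)
    if length > 0xFFFF:
        raise ValueError("EAP packet too large")
    return struct.pack("!BBHB", code, identifier, length, eap_type) + data


def to_eap_message_attrs(eap: bytes) -> list[bytes]:
    """Split one EAP packet across as many EAP-Message AVPs as needed.
    All of them go in the same RADIUS packet, in order (RFC 3579 s3.1)."""
    attrs = []
    for off in range(0, len(eap), RADIUS_ATTR_MAX_DATA):
        chunk = eap[off:off + RADIUS_ATTR_MAX_DATA]
        attrs.append(struct.pack("!BB", EAP_MESSAGE_ATTR, 2 + len(chunk)) + chunk)
    return attrs


def from_eap_message_attrs(attrs: list[bytes]) -> bytes:
    """Reassemble the EAP packet; reject malformed TLVs and a length mismatch,
    which is what a receiver sees when an attribute was dropped or truncated."""
    out = bytearray()
    for a in attrs:
        if len(a) < 3 or a[0] != EAP_MESSAGE_ATTR or a[1] != len(a):
            raise ValueError("malformed EAP-Message attribute")
        out += a[2:]
    if len(out) < 4:
        raise ValueError("EAP header truncated")
    declared = struct.unpack("!H", bytes(out[2:4]))[0]
    if declared != len(out):
        raise ValueError(f"EAP length {declared} != {len(out)} bytes reassembled")
    return bytes(out)


def eap_tls_fragments(tls_flight: bytes, identifier: int, fragment_size: int = 1024,
                      code: int = EAP_CODE_REQUEST) -> list[bytes]:
    """Split one TLS flight into EAP-TLS packets using RFC 5216 s3.1 framing:
    Flags(1) [TLS Message Length(4) if L] TLS data. Each packet rides in its own
    RADIUS packet and the peer acknowledges every non-final fragment, so
    len(result) is the number of Access-Request/Access-Challenge round trips
    the flight costs. fragment_size (assumed here) is the TLS bytes per packet."""
    pkts = []
    total = len(tls_flight)
    for i, off in enumerate(range(0, total, fragment_size)):
        chunk = tls_flight[off:off + fragment_size]
        last = off + len(chunk) >= total
        flags = 0
        if i == 0 and not last:        # first fragment of several carries total length
            flags |= TLS_FLAG_L
        if not last:
            flags |= TLS_FLAG_M
        hdr = bytes([flags]) + (struct.pack("!I", total) if flags & TLS_FLAG_L else b"")
        pkts.append(eap_packet(code, (identifier + i) & 0xFF, EAP_TYPE_TLS, hdr + chunk))
    return pkts


def demo() -> dict:
    """Constructed 2819-byte stand-in for a server Certificate flight, pushed
    through both layers; returns the figures a capacity planner cares about."""
    flight = bytes(range(256)) * 11 + b"\x16\x03\x03"
    pkts = eap_tls_fragments(flight, identifier=7, fragment_size=1024)
    attrs_per_pkt = []
    for p in pkts:
        attrs = to_eap_message_attrs(p)
        if from_eap_message_attrs(attrs) != p:      # integrity check of the round trip
            raise RuntimeError("EAP-Message reassembly mismatch")
        attrs_per_pkt.append(len(attrs))
    return {"round_trips": len(pkts),
            "eap_message_attrs_per_radius_packet": attrs_per_pkt,
            "first_flags": pkts[0][5], "last_flags": pkts[-1][5]}


if __name__ == "__main__":
    print(demo())
```

With these assumptions the single certificate flight becomes three EAP-TLS packets (three RADIUS round trips), and each of those RADIUS packets needs four or five EAP-Message attributes to carry its EAP payload; a larger chain or a smaller fragment size raises both figures, which is the per-authentication cost the rest of this page is about reducing.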