Extensible Authentication Protocol (EAP) plays a critical role in network security, and managing and measuring the different stages of authentication is essential for ensuring the security and reliability of your network. In this article, we will explore the importance of optimizing EAP and discuss how 7SIGNAL’s RF Sensors can help you do so effectively.
Here’s what we cover in this blog post:
- What Is Extensible Authentication Protocol (EAP)?
- How Does EAP Work and What Makes it "Extensible"?
- What Is the Advantage of EAP?
- How to Optimize EAP with 7SIGNAL RF Sensors
- Total EAP Authentication Success Rate
- Total EAP Successful Authentication Time
- RADIUS Phases
- Radio Authentication Status and Radio Deauthentication Reason
What Is Extensible Authentication Protocol (EAP)?
If you’re already familiar with Extensible Authentication Protocol (EAP), feel free to skip ahead. However, to make sure we’re all on the same page, let’s begin with the basics.
An authentication protocol is a set of rules that govern the process of verifying the identity of a user or device attempting to access a network. EAP, meanwhile, is an authentication framework that expands on the Point-to-Point Protocol (PPP), which is commonly used when connecting a computer to the Internet.
EAP provides a secure way to send identifying information for network authentication and is primarily deployed on encrypted wireless networks. It supports multiple authentication methods, including smart cards, biometrics, and digital certificates.
How Does EAP Work and What Makes it "Extensible"?
EAP operates in a client-server model, where the client (i.e., the end-user device) sends an EAP request to the server, and the server responds with an EAP response. The client and server then exchange messages until the authentication process is complete. Once authentication is complete, the client is granted access to the network.
As for extensibility, EAP can support new authentication methods without requiring any modifications to the core protocol. Instead, EAP packets that provide information about authentication methods are transmitted between the client and the authentication server.
What Is the Advantage of Extensible Authentication Protocol (EAP)?
First and foremost, EAP makes networks faster by reducing network congestion. This is achieved by granting access only to users who possess a valid authentication key or password, thereby restricting the number of users on the network.
In addition, EAP optimizes security via mutual authentication (which means both the client and server authenticate one another) and offers more flexibility by supporting a wider variety of authentication methods.
How to Optimize EAP with 7SIGNAL RF Sensors
7SIGNAL’s RF sensors collect real-time EAP insights from your network, including performance data for authentication steps like the number of requests and responses, the time it takes to authenticate users, and more. You can then use this information to identify bottlenecks in your network and optimize authentication processes.
To illustrate, let’s briefly touch on the following insights provided by the 7SIGNAL platform.
- Total EAP Authentication Success Rate
- Total EAP Successful Authentication Time
- RADIUS Phases
- Radio Authentication Status and Radio Deauthentication Reason
Total EAP Authentication Success Rate
This one is pretty straightforward. 7SIGNAL enables you to track the success rate of your network’s EAP authorization. That is, it can tell you the rate at which users are successfully authenticated by your network.
The chart above, which is generated by the 7SIGNAL platform, tracks the authentication rate over time. In this case, authentication is successful nearly 100% of the time, but things do get a little bumpy between 10:00 AM and 2:00 PM.
Needless to say, high rates of success are desirable, but they don’t tell you everything. For example, authentication time is a critical metric for identifying bottlenecks that may not be evident when analyzing successful authentications.
Total EAP Successful Authentication Time
Fortunately, 7SIGNAL sensors can also measure the time it takes to achieve successful EAP authentications, enabling you to spot and address areas of poor performance. Check it out…
This chart tracks how long it took to authenticate individual connection attempts on a particular network. More specifically, the y-axis shows how long it took to authenticate the connection, while the x-axis shows the time of day the connection was attempted.
Overall, the numbers are pretty solid. Authentications averaged one second or less, with only occasional dips in performance. For instance, authentication times soared to 2.75 seconds around midnight.
RADIUS Phases
Next up, RADIUS phases. RADIUS, or Remote Authentication Dial-In User Service, is a widely used authentication protocol, and measuring the time each of its phases takes is essential for identifying bottlenecks and optimizing your network's performance.
7SIGNAL provides performance insights for each of these phases. For example…
- Time from association completed to EAP authentication started
- Time to EAP proposed method received from the new server
- Time to EAP method selected
- Time to EAP peer certificate validation
By analyzing the performance at each phase of RADIUS, you’ll be able to see if any of these stages are jamming up the authentication process on your network. This will then enable you to troubleshoot how you can best go about addressing the issue.
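To make the success-rate, authentication-time and per-phase measurements described above concrete, here is an added example (not 7SIGNAL code or output) that computes them from timestamped authentication events. The log format, client IDs and event names are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean
# Constructed sample events (not 7SIGNAL output): "<seconds> <client> <event>".
# Event names are hypothetical labels for the phases listed above.
SAMPLE_LOG = """\
0.00 aa:01 assoc_complete
0.05 aa:01 eap_start
0.20 aa:01 method_proposed
0.25 aa:01 method_selected
0.60 aa:01 cert_validated
0.80 aa:01 eap_success
10.00 aa:02 assoc_complete
10.05 aa:02 eap_start
11.55 aa:02 method_proposed
11.60 aa:02 method_selected
12.00 aa:02 cert_validated
12.75 aa:02 eap_success
20.00 aa:03 assoc_complete
20.10 aa:03 eap_start
20.90 aa:03 eap_failure
"""

PHASES = [  # (phase name, start event, end event)
    ("assoc_to_eap_start", "assoc_complete", "eap_start"),
    ("method_proposed", "eap_start", "method_proposed"),
    ("method_selected", "method_proposed", "method_selected"),
    ("cert_validation", "method_selected", "cert_validated"),
]

def analyze(log):
    sessions = defaultdict(dict)            # client -> {event: timestamp}
    for line in log.splitlines():
        ts, client, event = line.split()
        sessions[client][event] = float(ts)
    # Only sessions that reached a verdict count toward the success rate.
    done = [s for s in sessions.values() if {"eap_success", "eap_failure"} & s.keys()]
    ok = [s for s in done if "eap_success" in s]
    phase_avg = {}
    for name, start, end in PHASES:         # average each phase over successful sessions
        spans = [s[end] - s[start] for s in ok if start in s and end in s]
        phase_avg[name] = round(mean(spans), 3) if spans else None
    return {
        "success_rate": len(ok) / len(done) if done else None,
        "auth_times": [round(s["eap_success"] - s["assoc_complete"], 3) for s in ok],
        "phase_avg": phase_avg,
        "slowest_phase": max((p for p, v in phase_avg.items() if v is not None),
                             key=phase_avg.get, default=None),
    }
if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In this constructed data every completed authentication succeeds in under three seconds, yet the per-phase averages show that waiting for the server's proposed method dominates the slow session, which the success rate alone would not reveal.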
Radio Authentication Status Codes and Radio Deauthentication Reason Codes
Finally, 7SIGNAL tracks a number of other important KPIs, including Radio Authentication Status Codes and Radio Deauthentication Reason Codes.
Check it out, here’s a chart from the 7SIGNAL dashboard measuring Radio Authentication Status Codes:
This enables you to see how things are actually authenticating. In this case, everything is at Code 0, which means all authentication attempts were successful. For a full list of the different radio authentication codes, check out Cisco’s community pages:
Moving on, you can use the 7SIGNAL dashboard to access similar insights for radio deauthentication reason codes. These provide insight into why users are deauthenticating:
The chart above shows mostly Code 3s, with some 4s and 5s thrown in for good measure. To see what these deauth codes mean, head back over to Cisco:
And there you have it. Code 3 means the station is leaving (or has left) IBSS or ESS, Code 4 means disassociated due to inactivity, and Code 5 means disassociated because AP is unable to handle all currently associated stations.
Conclusion
Managing and measuring authentication protocols is essential for maintaining the security and reliability of your network. With Sapphire Eye® sensors, you’ll be able to do so effectively by accessing real-time information about the authentication process, measuring the time it takes for successful authentications, measuring different phases of RADIUS, and tracking relevant KPIs like radio authentication, radio deauthentication, and more!