I want you to think a minute about connecting to something far away. Now normally, we're going to do that through the internet, which is great. But usually when you're connecting to something far away, you're connecting to an application. If you go into Google, you're connecting to a web page. If you're grabbing your email, you're connecting to an email server. If you're playing Counter-Strike, you're connecting to a gaming server.
So normally, when you are a client and you're connecting to a server, what you're doing is you're connecting not only to just one computer, but to one application within that computer. Now, I want to take that a step further. In this episode, network access control. What I want to talk about is not the idea of simply connecting to one application, but connecting to, are you ready, an entire network. Now, network access control is all over the place. For example, if you're connecting to a wireless network, if you're sitting in an airport and you want to connect to the internet, what you're actually doing first is you're connecting to a wireless network.
Network access control. Let's say you have two offices, one in Dallas and one in Houston, and you have a dedicated T3 line that you're paying thousands of dollars a month for that's not on the internet. So over your own dedicated line, you're actually, from one office to the other, creating what we call remote access. And the third great example would be like a VPN connection. With a VPN, what you're doing is you're sitting on some computer someplace, and you're connecting not to simply one computer, but to your entire local area network via the internet. So in these three cases, you've got some kind of box, some kind of system that's acting as a gatekeeper that you need to get through, through some kind of authentication process that allows you to become part of that other network.
Now, to do that, we've got a whole bunch of different ways, and that's really what this episode is all about. But to do that, you need to understand that it all started with something a long, long time ago called Point-to-Point Protocol. Point-to-Point Protocol, or PPP, was originally designed, arguably, for dial-up networks. Anybody old enough out there to remember using a modem to connect to get onto the internet? Keep in mind what you were doing back then is you were connecting your old computer through a modem, through a telephone line, to another modem, to another computer, which then gave you access to a big network called the internet. PPP was an amazing protocol.
It's not used very much anymore today. However, the cornerstone of so much network access control done today started with PPP, and a lot of the traditions and concepts stay with it. So that's why I want to talk about PPP for a moment. PPP, or Point-to-Point Protocol, was designed primarily to take a computer that only had a phone line and make it look, bark, smell and taste like it had some seven-mile Ethernet connection over to an internet service provider. So PPP had a lot of jobs. So it was a transport layer protocol.
Its jobs were to do things like, for example, initiate the connection. Its job was to get an IP address, get a subnet mask and default gateway, and interpret that in such a way that this computer here would think that it was connected via a network card. And it would go ahead and make that initial connection. Oh, and by the way, maybe we ought to put some authentication in there. One of the big problems with PPP is that it had very rudimentary authentication mechanisms; it could basically just do passwords. With PPP, you had two choices. You could do what was known as PAP.
So the PAP protocol was simply passwords in the clear, so you would simply send data, your passwords were in the clear, and PAP was not very exciting. The other alternative, and one that we saw for a long, long time, was something called CHAP. Sometimes you'll hear the Microsoft version called MS-CHAP. CHAP was a little bit better than PAP in that it would at least, you would create a connection, the server would make a challenge of some type. Usually that would be the password that was hashed or something like that. And then your computer would send that information back and they would compare the hashes.
And at least it wasn't in the clear, at least it was hashed. So that was wonderful and fantastic. And while we were doing dial-up, PPP was the king. However, it didn't take long for people to begin to understand that when connecting to a network, we might want something better than just a username and a password. So we began to see, and by this time things like TLS had come along and smart cards were being developed, what the powers of the internet decided to do was to take PPP, and initially the idea was just to create extensions to PPP, but it really developed into something called EAP. Now EAP is not even really a protocol.
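The PAP-versus-CHAP difference just described, as an added Python example that is not from the original episode: a toy CHAP server and client using the RFC 1994 response formula (MD5 over identifier, secret and challenge), with the password never leaving the client and a captured response being useless against a fresh challenge. The server class, the `alice` credentials and the PAP frame layout are constructed for the illustration.

```python
import hashlib
import hmac
import os

# CHAP response as defined in RFC 1994: MD5(identifier || secret || challenge).
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def pap_frame(username: str, password: str) -> bytes:
    # PAP simply ships the credentials; anyone watching the wire reads the password.
    return username.encode() + b":" + password.encode()

class ChapServer:
    """Toy authentication server, constructed for this example."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # username -> shared secret
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)       # fresh random challenge for every attempt
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is single-use
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)

def chap_login(server: ChapServer, username: str, secret: bytes, ident: int = 1):
    """Client side: answer the server's challenge; returns (accepted, response)."""
    chal = server.challenge(ident)
    resp = chap_response(ident, secret, chal)
    return server.verify(ident, username, resp), resp

def demo() -> dict:
    server = ChapServer({"alice": b"correct horse"})   # constructed credentials
    ok, resp = chap_login(server, "alice", b"correct horse")
    bad, _ = chap_login(server, "alice", b"wrong guess")
    server.challenge(1)              # new challenge issued, so replaying resp fails
    replayed = server.verify(1, "alice", resp)
    return {
        "pap_leaks_password": b"correct horse" in pap_frame("alice", "correct horse"),
        "chap_hides_password": b"correct horse" not in resp,
        "chap_accepts": ok, "chap_rejects_wrong": bad,
        "chap_rejects_replay": replayed,
    }
```

Note that "hashed" here only means the password itself is not transmitted; the MD5 response can still be attacked offline from a capture, which is why the episode moves on to TLS-based EAP methods.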
EAP is a framework that's designed to run inside some transport-layer protocol that's actually doing all the work, that's moving the data and setting the IP addresses and all that kind of stuff, and it's just handling the authentication stuff. So really, EAP was developed initially as an extension to just the authentication part of PPP. Now, what I want to do right now is run through all the different types of EAP that are out there. EAP is amazing.
And we can do certificates and smart cards, and we can still use passwords if you want to. So let's take a moment and march through the different EAP methods. The most simple form of EAP is EAP-MD5. It's basically just MS-CHAP in that it will take the passwords, hash them into an MD5 hash, and exchange them. Next is EAP pre-shared key. So EAP-PSK uses a predetermined symmetric key.
So in this case, we'll have two computers, and each computer already has the key typed into it, and then they don't even have to exchange anything. They already have the keys built into them. Anybody who's worked with wireless access points, for example WPA or WPA2, it's very similar to that. Next is EAP-TLS. And yep, that means that EAP will handle a full-blown TLS. However, when you say EAP-TLS, that requires both a server and a client certificate.
So if I have a computer that wants to connect to a network, and it's using EAP-TLS, both of them have to have certificates. EAP-TTLS uses the TLS exchange method, but in this case, like going to most websites, only the server has a certificate. Now remember, EAP is only an extension to some type of protocol that's actually making the connection. So PPP was great, but PPP was really just a point-to-point protocol. So as we began to have more important uses for connections, newer transport protocols came along. And to make things a little bit more complicated, some protocols actually predated EAP.
So we have a couple of these authentication protocols that actually kind of predate EAP and kind of have their own little space in the sector. So what I want to do now is go through the different types of protocols that encapsulate EAP, and a couple of weird guys while we're at it. So here's the scenario. Here on the left, I've got a computer that wants to connect to some network. Now, between the network and this computer is going to be some kind of gatekeeper.
This gatekeeper could be a wireless access point. It could be a VPN concentrator, it could be all kinds of stuff, but there's always some box that's going to be between me and the network that I want to get to. So probably the most common place we see EAP used is called 802.1X. 802.1X is a full-blown authentication standard that allows us to make connections between some type of client system, or in this case, I'm going to actually call it the supplicant, and my network itself. So in this case, let's say we have a wireless network, 802.11. So 802.1X, which is also known as EAP over Ethernet or EAP over 802.11 because it works with both wired and wireless connections just great, creates some form of connection between the supplicant and the authenticator, which I'm going to call this middle box, and then runs EAP within that for the actual authentication itself.
Now, keeping this diagram up, the other place where we can make a connection is between the authenticator and then some kind of authentication server, and if you've been watching other episodes, you'll probably recognize that this is RADIUS, because RADIUS lives on 802.1X. Okay, let's go now and talk about a couple of the weirdos. One of the first weirdos is something called LEAP. LEAP was invented by Cisco before the 802.11i standards, the security standards, came out. And it's Cisco's high-security wireless standard. It's basically EAP with a password within a TLS tunnel.
LEAP is no good anymore. We don't use it. And instead, it's been supplanted by something called EAP-FAST. So EAP-FAST tends to be where we go within a Cisco environment. The last oldie goldie I want to talk about is something called PEAP.
PEAP was Microsoft's version of EAP before EAP came along. PEAP is designed for all kinds of different network access controls. But it's basically like LEAP, simply EAP communication within a TLS tunnel. And we don't use PEAP anymore either. The passwords are just too easy to hack. So when it comes to network access control, EAP is really the way we go.
I don't care if you're setting up a VPN, if you're setting up a wireless network, whatever you're setting up, at some point or another you're going to be running into EAP. And the beautiful part about it is that it takes care of so much for us. It makes life really easy when it comes to authenticating one computer that wants to join a network.