Enhancing 802.1X authentication with identity providers using EAP-OAUTH and OAuth 2.0

Abstract

EAP-OAUTH is a novel Extensible Authentication Protocol (EAP) method that integrates the OAuth 2.0 framework to provide a secure and flexible authentication mechanism for LANs and WLANs that implement the IEEE 802.1X framework. EAP-OAUTH leverages existing, OAuth 2.0-enabled Identity Providers (IdPs) and their single sign-on (SSO) capabilities, thus offering a streamlined authentication experience for both users and organizations. The advantages of EAP-OAUTH for users include an SSO experience and enhanced privacy, while organizations benefit from simplified identity management, reduced operational costs, consistent security policies, and easier compliance. Furthermore, EAP-OAUTH represents a promising solution for addressing the challenges of authentication in modern wireless networks, such as the deployment of various multi-factor or risk-based, adaptive authentication strategies. This article presents an in-depth analysis of the EAP-OAUTH method, its design, implementation, and use cases in enterprise networks and public hotspots. It explores the OAuth 2.0 Device Authorization Grant flow and allows network clients to perform fast re-authentications without resorting to sessions on IdPs or even their SSO features. The implementation of EAP-OAUTH is demonstrated in real-world scenarios, using two IdPs (Google and Auth0), confirming its effectiveness, suitable performance and compatibility with various components of typical Wi-Fi infrastructures.