802.1X / EAP Quick Reference (with Evil‑Twin Implications)¶

Evil‑Twin exposure (if a client is tricked into talking to a rogue AP/RADIUS):
- None: no reusable secret leaks.
- OTP: one‑time code can be stolen and used immediately.
- Crackable: attacker gets a challenge/response that can be offline‑cracked to recover the password.
- Plaintext: attacker learns the actual password.

Tunnel (Outer) Methods¶

These build a TLS tunnel first, then run an inner method inside it. If clients don’t validate the server certificate, the tunnel protects nothing and inner credentials can be harvested.

Abbrev	Structure	Typical inners	Cred type (inner)	Evil‑Twin exposure when server cert validation fails	Notes
PEAP	Tunnel	EAP‑MSCHAPv2, EAP‑GTC, sometimes EAP‑TLS	Password or OTP or cert (inner)	Crackable (MSCHAPv2), OTP (GTC), None with inner EAP‑TLS	Ubiquitous; simple to deploy with AD passwords (PEAP‑MSCHAPv2).
EAP‑TTLS	Tunnel	PAP, CHAP, MS‑CHAP/v2, EAP (e.g., EAP‑TLS)	Password, OTP, or cert	Plaintext (PAP), Crackable (CHAP/MS‑CHAP/v2), None with inner EAP‑TLS	Very flexible; supports non‑EAP inners.
TEAP	Tunnel	EAP‑MSCHAPv2, EAP‑TLS, others	Password or cert (inner)	Crackable with password inners; None with inner EAP‑TLS	Adds EAP chaining (e.g., machine+user in one run) and cryptobinding; good for onboarding.
EAP‑FAST	Tunnel (TLS‑like via PAC)	EAP‑MSCHAPv2, EAP‑GTC, EAP‑TLS	Password, OTP, or cert	Crackable (MSCHAPv2), OTP (GTC), None with inner EAP‑TLS	Designed as LEAP replacement; supports PAC provisioning.

Direct (Single‑Phase) Methods¶

These authenticate without a tunnel. Evil‑twin risk depends on whether the method provides mutual auth and whether it reveals a reusable secret.

Abbrev	Structure	Cred type	Evil‑Twin exposure	Notes
EAP‑TLS	Direct	Client+server certificates	None (no reusable secret)	Widest vendor support; WPA3‑Enterprise 192‑bit profile uses EAP‑TLS only; TLS 1.3 encrypts client cert for privacy.
EAP‑PWD	Direct	Shared password (PAKE)	None (no reusable secret; resistant to offline attack)	Not common on Wi‑Fi; no server cert required.
EAP‑MD5	Direct	Password (challenge/response)	Crackable; no mutual auth	Obsolete for WLAN; does not derive keying material.
LEAP	Direct	Password (MS‑CHAPv1‑like)	Crackable; no robust mutual auth	Obsolete; replaced by PEAP/EAP‑FAST/EAP‑TLS.
EAP‑SIM	Direct	SIM (2G) long‑term key (Ki)	None (mutual auth; no password to steal)	Used for carrier offload/Passpoint.
EAP‑AKA	Direct	USIM (3G) long‑term key	None	Carrier/Passpoint; stronger than EAP‑SIM.
EAP‑AKA′	Direct	USIM (LTE) long‑term key	None	Modern cellular offload/Passpoint.
EAP‑IKEv2	Direct	Cert or PSK (via IKEv2)	None with cert; PSK depends on policy	Rare in Wi‑Fi; strong but less common.
EAP‑GPSK / EAP‑PSK / EAP‑SAKE	Direct	Symmetric key	None (no password disclosure)	Niche in Wi‑Fi; more common in other access types.

Common Inner Methods (used inside PEAP/TTLS/TEAP/FAST)¶

Abbrev	Type	What’s sent	Evil‑Twin exposure if outer server cert isn’t validated
PAP	Non‑EAP	Plaintext password	Plaintext (attacker learns the password)
CHAP	Non‑EAP	Challenge/response	Crackable (offline)
MS‑CHAPv2	Non‑EAP	Challenge/response	Crackable (offline)
GTC	EAP inner	One‑time code	OTP (steal the code; usually not reusable)
EAP‑TLS (inner)	EAP inner	Cert‑based proof	None; still more complex than using EAP‑TLS directly

Methods and WiFi Type Support¶

Method	WPA2‑E	WPA3‑E (128‑bit)	WPA3‑E (192‑bit/CNSA)	Evil‑Twin exposure (misvalidated server)
EAP‑TLS	Yes	Yes	Required	None
PEAP‑MSCHAPv2	Yes	Yes	No	Crackable
TTLS‑PAP / TTLS‑CHAP / TTLS‑MSCHAPv2	Yes	Yes	No	Plaintext / Crackable
PEAP/TTLS/TEAP with EAP‑TLS inner	Yes	Yes	No	None, but adds complexity
EAP‑FAST‑MSCHAPv2 / FAST‑GTC	Yes	Yes	No	Crackable / OTP
EAP‑MD5 / LEAP	Legacy only	No	No	Crackable
EAP‑SIM/AKA/AKA′	Passpoint/Carrier	Passpoint/Carrier	N/A	None