Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication methods. This allows RADIUS to support new authentication methods without requiring any changes to the RADIUS protocol or RADIUS servers. EAP-POTP defines the method for one-time password (RSA SecurID) authentication and provides the following capabilities within RSA RADIUS:
End-to-end protection of one-time password
Session key derivation for 802.1x (wireless)
Support for token exception cases (for example, New PIN or Next Token code)
Fast session resumption if a wireless connection is lost
EAP-POTP settings define basic parameters for keying material (and keys) protecting one-time passwords used for authentication.
The default values balance security (cryptographic strength) with system responsiveness and are considered satisfactory for most environments. You may increase or decrease EAP-POTP default values. However, even slight changes to values used for key generation may cause a large change in response time during authentication. EAP-POTP settings affect the entire deployment.
Note: RSA RADIUS does not support the Filter-ID attribute when using EAP authentication methods.