17.14. EAP PWD

EAP PWD provides strong encryption and mutual authentication between supplicant and server based on a shared password. It is described in RFC 5931. Based on the per-user password, the server and supplicant derive strong cryptographic keys and authenticate each other's knowledge of the password. The derived keys can be used for dynamic WEP and WPA keys.
EAP PWD is highly secure (the password is never transmitted, even in encrypted form), does not require PKI certificates, and requires only 3 authentication round trips. Further, it is not encumbered by intellectual property issues, so it is considered efficient to roll out in eduroam and other environments.
Authentication of EAP PWD by Radiator depends on having access to the user's plain text password. EAP PWD can be used with any Radiator user database that supports a User-Password in a format like the one below. Some EAP PWD clients may also support additional password formats. For more information, see Section 3.10.58. EAP_PWD_PrepMethod:
username    User-Password=fred
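Because EAP PWD cannot work from a hashed password, it is worth auditing the user database before enabling it. The script below is an added example, not part of Radiator or its documentation: it parses a flat users file in the format shown above (username followed by comma-separated check items; indented lines are reply items) and flags entries that do not carry a clear-text User-Password. It assumes that a `{prefix}` other than `{clear}` on User-Password, and the Encrypted-Password check item, denote hashed forms; the sample file is constructed.

```python
import re

# Password forms that Radiator can verify without the plaintext. None of them
# can serve EAP PWD, which needs the clear-text password on the server side.
# Assumption: any {prefix} other than {clear} marks a hashed User-Password.
HASHED_PREFIX = re.compile(r"^\{(?!clear\})[A-Za-z0-9-]+\}")
HASHED_ITEMS = {"Encrypted-Password"}


def parse_users_file(text):
    """Return (username, {check-item: value}) for each entry of a flat users file.
    The first line of an entry is 'username item=value, item=value'; indented
    continuation lines hold reply items and are not needed for this check."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # reply-item line belonging to the previous entry
            continue
        parts = line.split(None, 1)
        checks = {}
        if len(parts) == 2:
            for item in parts[1].split(","):
                name, _, value = item.strip().partition("=")
                checks[name.strip()] = value.strip().strip('"')
        entries.append((parts[0], checks))
    return entries


def eap_pwd_ready(checks):
    """Return (ok, reason); ok only when a clear-text User-Password is present."""
    hashed = sorted(HASHED_ITEMS & checks.keys())
    if hashed:
        return False, "hashed password check item (%s)" % ", ".join(hashed)
    pw = checks.get("User-Password")
    if pw is None:
        return False, "no User-Password check item"
    if HASHED_PREFIX.match(pw):
        return False, "User-Password is stored hashed (%s)" % (pw.split("}")[0] + "}")
    return True, "clear-text User-Password present"


def audit(text):
    return {user: eap_pwd_ready(checks) for user, checks in parse_users_file(text)}


# Constructed sample users file; the hash values are placeholders, not real digests.
SAMPLE = """\
# EAP PWD readiness sample
fred    User-Password=fred
\tFramed-IP-Address=10.0.0.5
alice   User-Password={SHA}placeholderdigest=
bob     Encrypted-Password=$1$placeholder$hash, Service-Type=Framed-User
carol
"""

if __name__ == "__main__":
    for user, (ok, why) in audit(SAMPLE).items():
        print("%-6s %s %s" % (user, "OK" if ok else "NO", why))
```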
EAP PWD requires OpenSSL 0.9.8i libraries or later, Crypt::OpenSSL::EC and Crypt::OpenSSL::Bignum 0.06 or later.
Tip
Crypt::OpenSSL::EC and Crypt::OpenSSL::Bignum may not be readily available for Windows. We recommend Linux or Unix hosts for deployment of EAP PWD.