Extensible Authentication Protocol (EAP) Authentication Types
The EAP protocol is centred around the use of an access controller called an authenticator, which either grants or denies a user access to the network. EAP sits inside of PPP's authentication protocol and provides a generalized framework for several different authentication methods. It is supposed to head off proprietary authentication systems and let everything from passwords to challenge-response tokens and public-key infrastructure certificates all work smoothly.
The authentication server is most commonly a RADIUS server (Remote Authentication Dial-In User Service), a standard authentication server defined by RFC 2865 and 2866, but any other authentication service may be used instead.
Because Wi-Fi Local Area Network (LAN) security is essential and EAP authentication types provide a potentially better means of securing the WLAN connection, vendors are rapidly developing and adding EAP authentication types to their WLAN access points. Some of the most commonly deployed EAP authentication types include EAP-MD-5, EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-Fast, and Cisco LEAP.
EAP-MD-5 (Message Digest) Challenge is an EAP authentication type that provides base-level EAP support. It uses standard user name and password. The supplicant’s password is hashed with MD5 and the hash value is being used to authenticate the supplicant. EAP-MD-5 is typically not recommended for Wi-Fi LAN implementations because it may allow the user's password to be derived. It provides for only one way authentication - there is no mutual authentication of Wi-Fi client and the network. And very importantly it does not provide a means to derive dynamic, per session wired equivalent privacy (WEP) keys.
EAP-TLS (Transport Layer Security) is widely supported. It uses PKI (e.g., a digital certificate) to authenticate the supplicant and authentication server. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications between the WLAN client and the access point. One drawback of EAP-TLS is that certificates must be managed on both the client and server side. For a large WLAN installation, this could be a very cumbersome task.
EAP-TTLS (Tunneled Transport Layer Security) was developed by Funk Software* and Certicom*, as an extension of EAP-TLS. This security method provides for certificate-based, mutual authentication of the client and network through an encrypted channel (or "tunnel"), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates.
EAP-FAST (Flexible Authentication via Secure Tunneling) was developed by Cisco*. Instead of using a certificate, mutual authentication is achieved by means of a PAC (Protected Access Credential) which can be managed dynamically by the authentication server. The PAC can be provisioned (distributed one time) to the client either manually or automatically. Manual provisioning is delivery to the client via disk or a secured network distribution method. Automatic provisioning is an in-band, over the air, distribution.
LEAP (Lightweight Extensible Authentication Protocol), is an EAP authentication type used primarily in Cisco Aironet* WLANs. It encrypts data transmissions using dynamically generated WEP keys, and supports mutual authentication. Heretofore proprietary, Cisco has licensed LEAP to a variety of other manufacturers through their Cisco Compatible Extensions program.
PEAP (Protected Extensible Authentication Protocol) provides a method to transport securely authentication data, including legacy password-based protocols, via 802.11 Wi-Fi networks. PEAP accomplishes this by using tunneling between PEAP clients and an authentication server. Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP authenticates Wi-Fi LAN clients using only server-side certificates, thus simplifying the implementation and administration of a secure Wi-Fi LAN. Microsoft, Cisco and RSA Security developed PEAP.
Which EAP type to implement, or whether to implement 802.1x at all, depends upon the level of security that the organization needs and the administrative overhead/features desired.
The authentication server is most commonly a RADIUS server (Remote Authentication Dial-In User Service), a standard authentication server defined by RFC 2865 and 2866, but any other authentication service may be used instead.
Because Wi-Fi Local Area Network (LAN) security is essential and EAP authentication types provide a potentially better means of securing the WLAN connection, vendors are rapidly developing and adding EAP authentication types to their WLAN access points. Some of the most commonly deployed EAP authentication types include EAP-MD-5, EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-Fast, and Cisco LEAP.
EAP-MD-5 (Message Digest) Challenge is an EAP authentication type that provides base-level EAP support. It uses standard user name and password. The supplicant’s password is hashed with MD5 and the hash value is being used to authenticate the supplicant. EAP-MD-5 is typically not recommended for Wi-Fi LAN implementations because it may allow the user's password to be derived. It provides for only one way authentication - there is no mutual authentication of Wi-Fi client and the network. And very importantly it does not provide a means to derive dynamic, per session wired equivalent privacy (WEP) keys.
EAP-TLS (Transport Layer Security) is widely supported. It uses PKI (e.g., a digital certificate) to authenticate the supplicant and authentication server. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications between the WLAN client and the access point. One drawback of EAP-TLS is that certificates must be managed on both the client and server side. For a large WLAN installation, this could be a very cumbersome task.
EAP-TTLS (Tunneled Transport Layer Security) was developed by Funk Software* and Certicom*, as an extension of EAP-TLS. This security method provides for certificate-based, mutual authentication of the client and network through an encrypted channel (or "tunnel"), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates.
EAP-FAST (Flexible Authentication via Secure Tunneling) was developed by Cisco*. Instead of using a certificate, mutual authentication is achieved by means of a PAC (Protected Access Credential) which can be managed dynamically by the authentication server. The PAC can be provisioned (distributed one time) to the client either manually or automatically. Manual provisioning is delivery to the client via disk or a secured network distribution method. Automatic provisioning is an in-band, over the air, distribution.
LEAP (Lightweight Extensible Authentication Protocol), is an EAP authentication type used primarily in Cisco Aironet* WLANs. It encrypts data transmissions using dynamically generated WEP keys, and supports mutual authentication. Heretofore proprietary, Cisco has licensed LEAP to a variety of other manufacturers through their Cisco Compatible Extensions program.
PEAP (Protected Extensible Authentication Protocol) provides a method to transport securely authentication data, including legacy password-based protocols, via 802.11 Wi-Fi networks. PEAP accomplishes this by using tunneling between PEAP clients and an authentication server. Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP authenticates Wi-Fi LAN clients using only server-side certificates, thus simplifying the implementation and administration of a secure Wi-Fi LAN. Microsoft, Cisco and RSA Security developed PEAP.
Which EAP type to implement, or whether to implement 802.1x at all, depends upon the level of security that the organization needs and the administrative overhead/features desired.
Comments
Post a Comment