Quick Reference Guide
PowerConnect B-Series TI24X Configuration Guide, 53-1002269-02
How 802.1X port security works
EAP-TLS (RFC 2716) – EAP Transport Layer Security (TLS) provides strong security by requiring
both the client and the authentication server to be identified and validated with public key
infrastructure (PKI) digital certificates. EAP-TLS establishes a TLS tunnel between the client
and the authentication server that protects messages from eavesdropping. Because EAP-TLS
requires PKI digital certificates on both the clients and the authentication servers, rolling out,
maintaining, and scaling this authentication method is much more complex than for other
methods. EAP-TLS is best for installations with an existing PKI certificate infrastructure.
EAP-TTLS (Internet-Draft) – EAP Tunnelled Transport Layer Security (TTLS) is an extension
of EAP-TLS. Like EAP-TLS, EAP-TTLS provides strong authentication; however, it requires only the
authentication server to be validated by the client, through a certificate exchange between the
server and the client. Clients are then authenticated by the authentication server using user
names and passwords.
The TLS tunnel can be used to protect EAP messages and existing user-credential services such
as Active Directory, RADIUS, and LDAP. EAP-TTLS also provides backward compatibility with other
authentication protocols such as PAP, CHAP, MS-CHAP, and MS-CHAP-V2.
EAP-TTLS is not considered foolproof: if the TLS tunnel is not used, a client can be fooled into
sending its identity credentials. EAP-TTLS is suited for installations that require strong
authentication without mutual PKI digital certificates.
PEAP (Internet-Draft) – Protected EAP Protocol (PEAP) is an Internet-Draft that is similar to
EAP-TTLS. The PEAP client authenticates directly with the backend authentication server; the
authenticator acts as a pass-through device and does not need to understand the specific
EAP authentication protocol in use.
Unlike EAP-TTLS, PEAP does not natively support user name and password authentication of
clients against an existing user database such as LDAP. PEAP secures the transmission
between the client and the authentication server with a TLS-encrypted tunnel, and allows
other EAP authentication protocols to be carried inside it. It relies on the mature TLS keying
method for key creation and exchange. PEAP is best suited for installations that require strong
authentication without mutual certificates.
NOTE
If the 802.1X client will be sending packets larger than 1500 bytes, you must enable jumbo
at the Global config level of the CLI.
Configuration for these challenge types is the same as for the EAP-MD5 challenge type.
EAP pass-through support
EAP pass-through support is fully compliant with RFC 3748: by default, a compliant pass-through
authenticator forwards EAP challenge request packets of any type without interpreting them.
Configuration notes
If the 802.1X supplicant or the authentication server will be sending packets larger than the
1500-byte MTU, you should configure the device to accommodate a larger buffer size.
EAP pass-through is supported on the PowerConnect B-Series TI24X devices.
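The following Python is an added illustration, not code from this guide or from the switch firmware. It models what an RFC 3748 pass-through authenticator actually has to understand: only the EAP header (Code, Identifier, Length) and the Type byte, relaying any method type (MD5-Challenge, EAP-TLS, EAP-TTLS, PEAP) unchanged, and flagging packets above the 1500-byte default MTU that the configuration note above says require jumbo support. The packets are constructed here; the method type numbers are the IANA EAP assignments.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA-assigned EAP method type numbers for the methods the guide describes
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
MTU = 1500  # bytes; larger EAP packets need jumbo enabled on the switch


def build_eap(code, ident, eap_type=None, data=b""):
    """Encode an RFC 3748 EAP packet: Code(1) Id(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(packet):
    """Decode the EAP header and Type byte; a pass-through device needs nothing more."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"EAP Length {length} inconsistent with {len(packet)} bytes received")
    info = {"code": EAP_CODES.get(code, f"Code {code}"), "id": ident,
            "length": length, "method": None}
    if code in (1, 2):  # only Request/Response carry a Type byte and method data
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        info["method"] = EAP_TYPES.get(packet[4], f"Type {packet[4]}")
        info["type_data"] = packet[5:length]  # opaque to the authenticator
    return info


def pass_through(packet):
    """Relay decision of a pass-through authenticator (RFC 3748 default behaviour)."""
    info = parse_eap(packet)
    direction = "to RADIUS server" if info["code"] == "Response" else "to supplicant"
    what = info["method"] or info["code"]
    note = f" (exceeds {MTU} bytes: jumbo required)" if info["length"] > MTU else ""
    return f"relay {what} id={info['id']} {direction}{note}"


if __name__ == "__main__":
    # Constructed sample exchange: Identity response, TLS request, oversize TTLS, Success
    samples = [build_eap(2, 1, 1, b"alice"), build_eap(1, 2, 13, b"\x20"),
               build_eap(1, 3, 21, b"\x00" * 1600), build_eap(3, 3)]
    for pkt in samples:
        print(pass_through(pkt))
```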