User's Manual

USER GUIDE
Variations on the EAP theme
MD5: The MD5 protocol is essentially CHAP (RFC 1994) over EAP. When the identification
request is made to the user device (supplicant), the user name is sent to the RADIUS server.
The RADIUS server sends a challenge to the supplicant, which the supplicant responds to with
a one-way hash based on its known password. The server compares the challenge response with
its version of a one-way hash based on what it knows as the password. If they are identical, the
supplicant has “proved” its identity and is authenticated. The challenge is never the same twice
and can occur at any time. Advantages: easy to manage (no certificates), all 802.1x clients
support this EAP type, IETF standard. Disadvantages: authentication is only one way (no server
authentication - rogue Access Point risk), no dynamic key support, passwords need to be stored
reversibly encrypted on the server (hacker could get all of the passwords off the server),
vulnerable to dictionary attacks, man-in-the-middle attacks and session hijacking. Deployment
recommendation: use static key encryption to maintain some data security.
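The MD5 exchange described above, written out as an added Python example (this is illustrative code, not part of the manual or of any vendor's product). It follows the RFC 1994 CHAP computation, Response = MD5(Identifier || Secret || Challenge), with a toy RADIUS server and supplicant whose names, credentials and message framing are all constructed here. It shows the two points the paragraph makes that matter for deployment: the server can only check a response if it holds the cleartext (or reversibly encrypted) password, and a fresh challenge per attempt means a captured response is useless against a later challenge. Nothing in the exchange lets the supplicant verify who issued the challenge, which is the one-way-authentication limitation the text notes.

```python
import hashlib
import hmac
import secrets


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP / EAP-MD5-Challenge: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class RadiusServer:
    """Toy authenticator (constructed for this example).

    It must keep each user's cleartext password: the MD5 response cannot be
    recomputed from a one-way (salted) password hash, which is why the manual
    says passwords are stored reversibly encrypted on a CHAP/EAP-MD5 server.
    """

    def __init__(self, users: dict[str, str]):
        self._users = dict(users)          # username -> cleartext password
        self._pending = {}                 # username -> (identifier, challenge)

    def issue_challenge(self, username: str) -> tuple[int, bytes]:
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)   # fresh every time: never the same twice
        self._pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        pending = self._pending.pop(username, None)   # a challenge is usable once
        password = self._users.get(username)
        if pending is None or password is None or pending[0] != identifier:
            return False
        expected = md5_challenge_response(identifier, password.encode(), pending[1])
        return hmac.compare_digest(expected, response)


class Supplicant:
    """Toy client. Note it answers any challenge it receives: EAP-MD5 gives it
    no way to authenticate the server or access point that sent the challenge."""

    def __init__(self, username: str, password: str):
        self.username = username
        self._password = password.encode()

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return md5_challenge_response(identifier, self._password, challenge)


def run_exchange(server: RadiusServer, supplicant: Supplicant) -> bool:
    """Identity -> challenge -> response -> accept/reject, as in the manual."""
    identifier, challenge = server.issue_challenge(supplicant.username)
    response = supplicant.respond(identifier, challenge)
    return server.verify(supplicant.username, identifier, response)


def replay_is_rejected(server: RadiusServer, supplicant: Supplicant) -> bool:
    """A response captured from one exchange does not satisfy a later challenge."""
    identifier, challenge = server.issue_challenge(supplicant.username)
    captured = supplicant.respond(identifier, challenge)
    if not server.verify(supplicant.username, identifier, captured):
        return False                       # genuine exchange should have passed
    identifier2, _ = server.issue_challenge(supplicant.username)
    return not server.verify(supplicant.username, identifier2, captured)


if __name__ == "__main__":
    srv = RadiusServer({"alice": "correct horse battery"})   # constructed credentials
    print("good password:", run_exchange(srv, Supplicant("alice", "correct horse battery")))
    print("bad password: ", run_exchange(srv, Supplicant("alice", "wrong")))
    print("replay rejected:", replay_is_rejected(srv, Supplicant("alice", "correct horse battery")))
```

Because `RadiusServer` needs `password.encode()` in `verify`, a deployment that only stores salted one-way hashes cannot support this EAP type at all; that dependency, not the MD5 function itself, is what makes a compromised server disclose every password.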
LEAP: Lightweight EAP is a Cisco proprietary security method using EAP with a vendor
specific tag to authenticate a supplicant as well as an Access Point. The initial authentication
process is similar to MD5. Once the supplicant is authenticated, the AP is also authenticated
using a similar process, thereby preventing rogue Access Points on the network. Advantages:
easy to manage (no certificates), supports dynamic key exchange with session expiration, mutual
authentication. Disadvantages: not universally supported by all clients (e.g. Microsoft), reversibly
encrypted passwords, vulnerable to dictionary attacks.
TLS: Transport Layer Security (TLS) is based on the same SSL mechanism used to secure web
pages and requires digital client and server certificates. A certificate is issued by a Certificate
Authority and typically contains the certificate version, serial number, issuer, public key for the
user, expiration date and digital signature. The digital signature is a hash of the above items, signed with
the private key known only to the certificate authority. The digital signature is used to
authenticate the information in a certificate. The TLS exchange starts with the AP requesting an
identity from the device. The device replies with its Network Access Identifier (NAI). The
server then sends its certificate to the device for authentication and the device replies with its
certificate for authentication. Both server and device derive encryption keys and the server sends
a RADIUS ACCEPT to the Access Point, which includes the key necessary to talk to the device
(the AP never derives keys). When the AP receives this message, it sends an EAP SUCCESS
and opens the port for communication. After the connection is secure, the AP forwards the
multicast key to the station. Advantages: supports dynamic key exchange with session
expiration, all 802.1x clients support this EAP type, very strong security because of mutual
authentication via certificates, IETF standard. Disadvantages: difficult to manage (each device
must have a certificate), authenticates a device not a user.