User manual

ManualsBrandsZYXEL ManualsNetwork Routers & SwitchesGS2210-48HP Network RJ45/SFP switch 48 + 2 ports PoE

161

162

163

164

165

166

167

168

169

170

GS2210 Series User’s Guide

165

For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the

certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to

authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.

• EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server sends a

challenge to the wired client. The wired client ‘proves’ that it knows the password by encrypting the

password with the challenge and sends back the information. Password is not sent in plain text.

However, MD5 authentication has some weaknesses. Since the authentication server needs to get the

plaintext passwords, the passwords must be stored. Thus someone other than the authentication server

may access the password file. In addition, it is possible to impersonate an authentication server as MD5

authentication method does not perform mutual authentication. Finally, MD5 authentication method

does not support data encryption with dynamic session key. You must configure WEP encryption keys for

data encryption.

• EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wired clients for mutual

authentication. The server presents a certificate to the client. After validating the identity of the server,

the client sends a different certificate to the server. The exchange of certificates is done in the open

before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital

certificate is an electronic ID card that authenticates the sender’s identity. However, to implement

EAPTLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management

overhead.

• EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side

authentications to establish a secure connection. Client authentication is then done by sending

username and password through the secure connection, thus client identity is protected. For client

authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,

MS-CHAP and MS-CHAP v2.

•PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use

simple username and password methods through the secured connection to authenticate the clients,

thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2

and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by

Cisco.

•LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

18.5.4 EAPOL (EAP over LAN)

EAPOL is a port authentication protocol used in IEEE802.1x. It encapsulates and sends EAP packets from

the LAN. EAPOL exchanges the following messages between a wired client and switch.

•EAPOL-Start

A wired client will send this message to a switch to let it know the wired client is ready.

•EAPOL-Key