The Extensible Authentication Protocol (EAP), defined by the IETF (RFC 2284, since
superseded by RFC 3748) and carried over LAN ports by IEEE 802.1X, is an end-to-end
framework that allows new authentication types to be created without changing AAA
client configurations. The characteristics of EAP are shown in Figure . The varieties
of EAP that are supported by the Cisco Secure ACS are shown in Figure . Figure is a
table comparing EAP types.
Cisco LEAP
Cisco LEAP is a widely deployed EAP type in WLANs. With LEAP, mutual
authentication relies on a shared secret, the logon password of the user, which
is known to both the client and the network. The RADIUS server sends an
authentication challenge to the client. The client uses a one-way hash of the
user-supplied password to compute a response to the challenge and sends that
response to the RADIUS server. Using the password hash from its user database,
the RADIUS server computes its own response and compares it with the response
from the client. Once the RADIUS server has authenticated the client, the process
repeats in the opposite direction, so that the client authenticates the RADIUS
server. When this is complete, an EAP-Success message is sent to the client and
both the client and the RADIUS server derive the dynamic WEP key. Note that the
challenge and the response cross the air unprotected and the response is a
deterministic function of the password hash, so anyone who captures a single
exchange can test password guesses offline; LEAP is therefore only as strong as
the user password policy, and a tunneled method such as PEAP protects the same
credentials far better.
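The exchange described above, written out in Go as an added example (this is not code from the original page or from Cisco): a client and a RADIUS server that hold the same password hash, the server's challenge and the client's response, the reverse direction, and an eavesdropper that tests candidate passwords against one sniffed pair. The response construction follows the MS-CHAP style that LEAP uses (three DES operations over a zero-padded 16-byte hash), but SHA-256 truncated to 16 bytes stands in for the NT hash because MD4 is not in Go's standard library; the password, the user database entry and the candidate list are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// passwordHash stands in for the one-way hash of the password that client and
// RADIUS server both hold. Real LEAP uses the 16-byte NT hash (MD4 over the
// UTF-16LE password); MD4 is not in Go's standard library, so this substitutes SHA-256.
func passwordHash(password string) []byte {
	sum := sha256.Sum256([]byte(password))
	return sum[:16]
}

// desKey spreads 56 key bits over 8 bytes, 7 bits per byte, leaving the low
// (parity) bit of each byte clear as DES expects.
func desKey(k7 []byte) []byte {
	k := make([]byte, 8)
	for i := range k {
		for j := 0; j < 7; j++ {
			bit := 7*i + j
			k[i] |= ((k7[bit/8] >> (7 - bit%8)) & 1) << (7 - j)
		}
	}
	return k
}

// challengeResponse is the 24-byte MS-CHAP style response LEAP uses: the 16-byte
// hash is zero-padded to 21 bytes, split into three 7-byte DES keys, and each
// key encrypts the 8-byte challenge.
func challengeResponse(hash, challenge []byte) ([]byte, error) {
	if len(hash) != 16 || len(challenge) != 8 {
		return nil, fmt.Errorf("need a 16-byte hash and an 8-byte challenge")
	}
	padded := make([]byte, 21)
	copy(padded, hash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, err := des.NewCipher(desKey(padded[7*i : 7*i+7]))
		if err != nil {
			return nil, err
		}
		block.Encrypt(out[8*i:8*i+8], challenge)
	}
	return out, nil
}

// exchange is one direction of the sequence: the verifier sends a random
// challenge, the prover answers from its copy of the hash, and the verifier
// recomputes the answer from its own copy. Both values travel in the clear.
func exchange(proverHash, verifierHash []byte) (challenge, response []byte, ok bool, err error) {
	challenge = make([]byte, 8)
	if _, err = rand.Read(challenge); err != nil {
		return
	}
	if response, err = challengeResponse(proverHash, challenge); err != nil {
		return
	}
	expected, err := challengeResponse(verifierHash, challenge)
	ok = err == nil && bytes.Equal(response, expected)
	return
}

// leapAuthenticate runs the mutual sequence: the server challenges the client,
// then the client challenges the server. serverHash is the user database entry.
func leapAuthenticate(clientPassword string, serverHash []byte) (bool, error) {
	clientHash := passwordHash(clientPassword)
	_, _, clientProved, err := exchange(clientHash, serverHash)
	if err != nil || !clientProved {
		return false, err
	}
	_, _, serverProved, err := exchange(serverHash, clientHash)
	return serverProved, err
}

// guessPassword is the eavesdropper's side: one captured challenge/response
// pair lets candidates be tested offline, with no traffic to the RADIUS server.
func guessPassword(challenge, response []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		r, err := challengeResponse(passwordHash(c), challenge)
		if err == nil && bytes.Equal(r, response) {
			return c, true
		}
	}
	return "", false
}

func main() {
	stored := passwordHash("Sup3rSecret!") // constructed RADIUS database entry
	ok, err := leapAuthenticate("Sup3rSecret!", stored)
	fmt.Println("mutual authentication:", ok, err)
	challenge, response, _, _ := exchange(stored, stored) // one sniffed exchange
	guess, found := guessPassword(challenge, response, []string{"password", "letmein", "Sup3rSecret!"})
	fmt.Println("offline guess:", found, guess)
}
```

The point of guessPassword is that nothing in the exchange binds the response to anything the attacker lacks: the challenge is public and the hash is a fixed function of the password, so the cost of each guess is three DES operations and the RADIUS server never sees the attempts.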
EAP-TLS
EAP-TLS is an IETF standard (RFC 2716, later revised as RFC 5216) based on the
TLS protocol. EAP-TLS uses digital certificates for both user and server
authentication. The RADIUS server sends its certificate to the client in phase 1
of the authentication sequence. This is known as server-side TLS. The client
validates the RADIUS server certificate by verifying that it was issued by a
certificate authority the client trusts and by checking the contents of the
certificate, in particular the identity it carries. When this is complete, the
client sends its certificate to the RADIUS server in phase 2 of the
authentication sequence. This is known as client-side TLS. The RADIUS server
validates the client's certificate by verifying the issuer of the certificate
and the contents of the digital certificate. When this is complete, an
EAP-Success message is sent to the client and both the client and the RADIUS
server derive the dynamic WEP key. Two supplicant settings decide whether the
server-side check is worth anything: the client must trust only the CA that
issued the RADIUS server certificate (not a whole public CA bundle) and must be
told which server name or certificate to expect. Without both, any certificate
that chains to some trusted CA is accepted, and a rogue access point with its
own RADIUS server passes phase 1.
PEAP
PEAP is defined in an IETF Internet-Draft authored by Cisco Systems, Microsoft,
and RSA Security. PEAP uses a digital certificate for server authentication
only. For user authentication, PEAP supports various EAP methods encapsulated
within a protected TLS tunnel. Phase 1 of the authentication sequence is the
same as that for EAP-TLS, including the client's validation of the RADIUS
server certificate. At the end of phase 1, an encrypted TLS tunnel is
established between the client and the RADIUS server for transporting EAP
authentication messages. In phase 2, the RADIUS server authenticates the user
through the encrypted TLS tunnel using another EAP type, so the user's identity
and challenge/response exchange are not exposed on the air. When this is
complete, an EAP-Success message is sent to the client and both the client and
the RADIUS server derive the dynamic WEP key. The phase 2 credentials are only
as safe as the tunnel endpoint: a client that does not validate the server
certificate in phase 1 will run phase 2 with whatever server answers, including
a rogue one.
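The certificate checks that phase 1 of both EAP-TLS and PEAP, and phase 2 of EAP-TLS, depend on, as an added example in Go (not code from the original page or from Cisco). It builds a constructed corporate CA with a RADIUS server certificate and a user certificate, plus a look-alike server certificate issued by an untrusted CA, then runs the supplicant-side check (trusted issuer, validity period, extended key usage, expected server name) and the server-side check of the user certificate. The CA names, the host name radius.corp.example and the user name are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err) // can only mean the constructed PKI below is broken
	}
}

// issue creates a self-signed CA when parent is nil, otherwise a leaf signed by
// parent with the given extended key usage. All of it is constructed test material.
func issue(name string, parent *identity, eku x509.ExtKeyUsage) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		if eku == x509.ExtKeyUsageServerAuth {
			tmpl.DNSNames = []string{name} // the name the supplicant is told to expect
		}
		signer, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &identity{cert: cert, key: key}
}

// verdict applies the check each side performs on the certificate it receives
// (trusted CA, validity, key usage and, for the server, the expected name).
func verdict(peer *x509.Certificate, trusted *x509.CertPool, usage x509.ExtKeyUsage, serverName string) string {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   serverName, // empty when the server checks a client certificate
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &ua):
		return "untrusted issuer"
	case errors.As(err, &hn):
		return "name mismatch"
	}
	return "rejected: " + err.Error()
}

// runScenario builds the corporate CA, the RADIUS and user certificates and a
// look-alike RADIUS certificate under an untrusted CA, then reports each check.
func runScenario() map[string]string {
	corpCA := issue("Corp Root CA", nil, 0)
	radius := issue("radius.corp.example", corpCA, x509.ExtKeyUsageServerAuth)
	user := issue("alice", corpCA, x509.ExtKeyUsageClientAuth)
	rogue := issue("radius.corp.example", issue("Free WiFi CA", nil, 0), x509.ExtKeyUsageServerAuth)
	trusted := x509.NewCertPool()
	trusted.AddCert(corpCA.cert) // trust only the corporate CA, never a public bundle
	srv, cli := x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
	return map[string]string{
		"phase1 genuine server": verdict(radius.cert, trusted, srv, "radius.corp.example"),
		"phase1 rogue server":   verdict(rogue.cert, trusted, srv, "radius.corp.example"),
		"phase1 wrong name":     verdict(radius.cert, trusted, srv, "other.corp.example"),
		"phase2 user cert":      verdict(user.cert, trusted, cli, ""),
		"phase2 user as server": verdict(user.cert, trusted, srv, ""),
	}
}

func main() {
	fmt.Println(runScenario())
}
```

The rogue certificate carries the genuine server's name and is otherwise well formed; it is refused only because the trust pool holds the corporate CA alone. A supplicant configured to trust every CA in the operating system's store would accept any server whose certificate chains to one of them, and the name check on its own does not help, since the rogue chose the name.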
EAP Type Configuration
The important policy decision regarding authentication in a Cisco Catalyst
switch environment is which EAP authentication type to deploy. The two choices
are EAP-MD5 and EAP-TLS. This choice is likely to be influenced by which user
database is in use as well as by the security implications: EAP-MD5
authenticates only the client, derives no keying material, and sends a
challenge/response pair that can be attacked offline by dictionary, whereas
EAP-TLS provides mutual authentication and key derivation but requires a
certificate for every client and therefore a PKI. For a description of how to
configure which EAP type is enforced by the Cisco Secure ACS, follow the link to
User Guide for Cisco Secure ACS Solution Engine Version 3.3, System
Configuration: Authentication and Certificates, provided below.