Identity-Based Networking Services (IBNS)
Selecting the correct EAP

The Extensible Authentication Protocol (EAP), based on IETF 802.1x, is an end-to-end framework that allows the creation of authentication types without changing AAA client configurations. The characteristics of EAP are shown in Figure . The varieties of EAP that are supported by the Cisco Secure ACS are shown in Figure . Figure is a table comparing EAP types.

Cisco LEAP
Cisco LEAP is a widely deployed EAP type in use today in WLANs. With LEAP, mutual authentication relies on a shared secret, the user's logon password, which is known to both the client and the network. The RADIUS server sends an authentication challenge to the client. The client uses a one-way hash of the user-supplied password to create a response to the challenge, and then sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares it to the response from the client. Once the RADIUS server has authenticated the client, the process repeats in reverse, enabling the client to authenticate the RADIUS server. When this is complete, an EAP-Success message is sent to the client and both the client and the RADIUS server derive the dynamic WEP key.
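The following Python model of the mutual challenge/response flow just described is an added illustration, not Cisco code and not the actual LEAP wire format. It assumes an HMAC-SHA256 keyed with the password hash as a stand-in for LEAP's real response function, and it also shows why the reverse (client-authenticates-server) step matters: a server that does not hold the secret can skip checking the client but still fails the client's challenge.

```python
import hashlib
import hmac
import os

# ASSUMPTION: real LEAP responses are MS-CHAP-derived; HMAC-SHA256 keyed with the
# one-way password hash is used here only so the exchange runs offline.

def password_hash(password: str) -> bytes:
    """One-way hash of the user password: the shared secret held by both sides."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Answer a challenge with a keyed one-way function; the secret itself never leaves the host."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def derive_key(secret: bytes, server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Each side derives the dynamic session key independently from its own copy of the secret."""
    return hmac.new(secret, b"session-key" + server_challenge + client_challenge, hashlib.sha256).digest()

def leap_like_exchange(client_password: str, server_stored_hash: bytes,
                       server_verifies_client: bool = True) -> dict:
    """Run the mutual challenge/response; returns what each side concluded."""
    client_secret = password_hash(client_password)
    result = {"server_accepts": False, "client_accepts": False, "keys_match": False}

    # Step 1: RADIUS server challenges the client; client answers using its password hash.
    server_challenge = os.urandom(16)
    client_response = challenge_response(client_secret, server_challenge)

    # Step 2: server recomputes the expected response from its user database and compares.
    # A rogue server that does not know the secret may simply skip this check.
    expected = challenge_response(server_stored_hash, server_challenge)
    result["server_accepts"] = (not server_verifies_client) or hmac.compare_digest(client_response, expected)
    if not result["server_accepts"]:
        return result

    # Step 3 (reverse direction): client challenges the server the same way.
    client_challenge = os.urandom(16)
    server_response = challenge_response(server_stored_hash, client_challenge)
    result["client_accepts"] = hmac.compare_digest(server_response, challenge_response(client_secret, client_challenge))
    if not result["client_accepts"]:
        return result

    # Step 4: EAP-Success; both sides derive the dynamic key without ever exchanging it.
    client_key = derive_key(client_secret, server_challenge, client_challenge)
    server_key = derive_key(server_stored_hash, server_challenge, client_challenge)
    result["keys_match"] = hmac.compare_digest(client_key, server_key)
    return result
```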

EAP-TLS
EAP-TLS is an IETF standard that is based on the TLS protocol. EAP-TLS uses digital certificates for both user and server authentication. The RADIUS server sends its certificate to the client in phase 1 of the authentication sequence. This is known as server-side TLS. The client validates the RADIUS server certificate by verifying the certificate authority that issued the certificate and the contents of the digital certificate. When this is complete, the client sends its certificate to the RADIUS server in phase 2 of the authentication sequence. This is known as client-side TLS. The RADIUS server validates the client's certificate by verifying the issuer of the certificate and the contents of the digital certificate. When this is complete, an EAP-Success message is sent to the client and both the client and the RADIUS server derive the dynamic WEP key.

PEAP
PEAP is an IETF draft RFC authored by Cisco Systems, Microsoft, and RSA Security. PEAP uses a digital certificate for server authentication. For user authentication, PEAP supports various EAP-encapsulated methods within a protected TLS tunnel. Phase 1 of the authentication sequence is the same as that for EAP-TLS. At the end of phase 1, an encrypted TLS tunnel is created between the user and the RADIUS server for transporting EAP authentication messages. In phase 2, the RADIUS server authenticates the client through the encrypted TLS tunnel via another EAP type. When this is complete, an EAP-Success message is sent to the client and both the client and the RADIUS server derive the dynamic WEP key.

EAP Type Configuration
The important policy decision regarding authentication in a Cisco Catalyst Switch environment is which EAP authentication type to deploy. The two choices are EAP-MD5 and EAP-TLS. This choice is likely to be influenced by which user database is in use as well as by the security implications of each type. For a description of how to configure which EAP type the Cisco Secure ACS enforces, follow the web link User Guide for Cisco Secure ACS Solution Engine Version 3.3 – System Configuration: Authentication and Certificates that is provided below.


Web Links