Different authentication types are supported when using 802.1X on a WLAN.
LEAP – Lightweight EAP (LEAP) is also called EAP-Cisco. LEAP is the Cisco version of EAP. It is used on networks that currently do not support EAP. The current versions of EAP may not provide the functionality that is needed, or may be too demanding, which could compromise the performance of the WLAN equipment. LEAP is a good choice when using Cisco equipment in conjunction with operating systems such as Windows 95, Windows 98, Windows Me, Windows CE, Windows NT/2000/XP, and Linux.
EAP-TLS – EAP-Transport Layer Security (EAP-TLS) is a labor-intensive security option. EAP-TLS requires a digital certificate configured on all WLAN clients and on the server. EAP-TLS is based on X.509 certificates. It is usually easier to use than PEAP, which is based on EAP-TLS.
PEAP – Protected EAP (PEAP) is a draft EAP authentication type that is designed to allow hybrid authentication. PEAP employs server-side PKI authentication. For client-side authentication, PEAP can use any other EAP authentication type. Because PEAP establishes a secure tunnel via server-side authentication, non-mutually authenticating EAP types can be used for client-side authentication. Client-side authentication options include EAP-GTC for one-time passwords and EAP-MD5 for password-based authentication. PEAP is based on server-side EAP-TLS, and it addresses the manageability and scalability shortcomings of EAP-TLS. Organizations can avoid the issues associated with installing digital certificates on every client machine, as required by EAP-TLS, and can then select the method of client authentication that best suits them.
EAP-MD5 – Extensible Authentication Protocol MD5 (EAP-MD5) should not be used, because it does not provide mutual authentication. EAP-MD5 is a one-way authentication that essentially duplicates CHAP password protection on a WLAN. EAP-MD5 is used as a building block in EAP-TTLS.
EAP-OTP – EAP-One Time Passwords (EAP-OTP) is also called EAP-Generic Token Card (EAP-GTC). It is not recommended, since OTPs are not a form of mutual authentication.
EAP-SIM – EAP-SIM uses the same smart card or SIM that is used in GSM mobile phones to provide authentication. EAP-SIM can easily ride on EAP-TLS.
EAP-TTLS – EAP-Tunneled Transport Layer Security (EAP-TTLS) is an IETF draft authored by Funk Software and Certicom. EAP-TTLS provides similar functionality to PEAP. EAP-TTLS protects passwords by using TLS, which is an advanced form of Secure Sockets Layer (SSL). EAP-TTLS currently requires a Funk Software RADIUS server.
Kerberos – Kerberos is not part of the 802.1X standard, but it is being recommended by some vendors. Kerberos is an authentication system that enables protected communication over an open network by using a unique key called a ticket. It requires service configuration. PEAP can support Kerberos through EAP-Generic Security Service (EAP-GSS).
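The rules above (EAP-MD5 and EAP-OTP/GTC are one-way on their own; PEAP and EAP-TTLS are acceptable carriers for them only because the TLS tunnel authenticates the server; EAP-TLS needs certificates on both sides) can be checked mechanically against a supplicant profile. The following is an added example, not part of the curriculum: it parses a wpa_supplicant-style network block (the option names eap, phase2, ca_cert, client_cert and private_key are wpa_supplicant's real keys; the two profiles are constructed) and reports where a profile falls short of mutual authentication.

```python
import re

# Constructed sample profiles in wpa_supplicant network-block syntax.
# WEAK_PROFILE runs EAP-MD5 bare; PEAP_PROFILE tunnels MSCHAPv2 inside PEAP
# and validates the server certificate against a CA file.
WEAK_PROFILE = """network={
    ssid="corp"
    eap=MD5
    password="secret"
}"""
PEAP_PROFILE = """network={
    ssid="corp"
    eap=PEAP
    identity="alice"
    password="secret"
    ca_cert="/etc/cert/ca.pem"
    phase2="auth=MSCHAPV2"
}"""

NON_MUTUAL = {"MD5", "GTC", "OTP"}   # one-way methods per the text above
TUNNELLED = {"PEAP", "TTLS"}         # TLS tunnel authenticates the server side

def parse_network_block(text):
    """Return {key: value} for the first network={...} block; quotes stripped."""
    body = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not body:
        raise ValueError("no network block found")
    conf = {}
    for line in body.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def check_profile(conf):
    """Apply the rules from the text; return findings (empty list = acceptable)."""
    findings = []
    eap = conf.get("eap", "").upper()
    if eap in NON_MUTUAL:
        findings.append(f"{eap} used bare: one-way, the server is never authenticated")
    if eap in TUNNELLED:
        if "ca_cert" not in conf:
            findings.append(f"{eap}: no ca_cert, so the server side of the tunnel is not verified")
        if not re.search(r"auth(?:eap)?=\w+", conf.get("phase2", ""), re.I):
            findings.append(f"{eap}: no inner (phase2) client authentication configured")
    if eap == "TLS":
        for needed in ("ca_cert", "client_cert", "private_key"):
            if needed not in conf:
                findings.append(f"TLS: missing {needed}; EAP-TLS needs certificates on both sides")
    return findings
```

Running check_profile(parse_network_block(WEAK_PROFILE)) yields one finding for bare EAP-MD5, while the PEAP profile passes; removing its ca_cert line reintroduces a finding, because without server validation the tunnel no longer supplies the server-side authentication that PEAP relies on.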
Lab Exercise: Configuring LEAP/EAP Using Local RADIUS Authentication
In this lab, the student will learn about the second generation of Wireless LAN security and how to implement LEAP on a Wireless LAN for secure client authentication.
Lab Exercise: Configuring LEAP/EAP Using Cisco Secure ACS (OPTIONAL)
In this lab, the student will learn about the second generation of Wireless LAN security and how to implement LEAP on a Wireless LAN for secure client authentication.