AES WPA TKIP WEP
WEP keys are dynamic instead of static and do not
require user intervention-based management. This
standard is compatible with existing roaming technologies,
enabling use in hotels and public places. 802.1x
Authentication Key Benefits
A major advantage of EAP
and the 802.1x standard is that their design leverages existing
standards. With support for EAP, WLANs can now offer these
features, listed in Figure : - Support for RFC 2284,
with password authentication: Users are authenticated based
on a username and password that are typically already stored in
an active directory on the network. This directory is in turn
connected to a certificate server, such as a RADIUS server or
the Cisco Secure Access Control Server (ACS). RFC 2284 allows
for various token card implementations that require user input
by using a Generic Token Card (GTC) type. The request contains
an ASCII text message and the reply contains the token card
information necessary for authentication. Typically, this would
be information read by a user from the token card device and
entered as ASCII text.
- One-time password
(OTP): OTP encrypts a plaintext password. Thus, plaintext
passwords never have to be typed on an insecure connection
(Telnet and FTP use no encryption and therefore are not
considered secure protocols).
EAP support allows
additional authentication methods to be deployed with no
changes to the access point or client network interface card
(NIC). Nothing beyond the latest versions of firmware and
drivers are required for Cisco Aironet equipment to take
advantage of the benefits that EAP offers. The wireless
authentication protocols do require client software to
participate in the authentication process. This software, as
well as the device running the software, is commonly referred
to as a “supplicant.” With all 802.1x authentication types,
dynamic encryption key distribution can be supported. Dynamic
keying, and the ability to manage the user database centrally,
is a major advantage of 802.1x and EAP. 802.1x and EAP
Authentication Protocols
The 802.1x specification
requires mutual authentication of the client and server device.
This process can be accomplished through various mechanisms
listed in Figure : - LEAP is an 802.1x-compliant
authentication mechanism that Cisco Systems developed and that
is available on both Cisco NICs and NICs from other
vendors.
- EAP FAST is a client-server security
architecture that encrypts EAP transactions with a Transport
Layer Security (TLS) tunnel. Although similar to PEAP in this
respect, this protocol differs significantly in that, EAP-FAST
tunnel establishment is based on a strong secret called the
“protected access credential” (PAC), which is unique to
users.
- EAP-TLS uses certificates to authenticate both
the server (network) and client.
- EAP-GTC (Generic
Token Card) was created by Cisco as an alternative to
PEAPv0/EAP-MSCHAPv2. It allows the use of an inner
authentication protocol other than Microsoft Challenge
Handshake Authentication Protocol version 2 (MSCHAPv2). EAP-GTC
carries a text challenge from the authentication server, and a
reply that is assumed to be generated by a security token.
EAP-GTC does not protect the authentication data in any
way.
- PEAP is a “protected” authentication mechanism
that uses a certificate to encrypt the authentication exchange
between the client and the EAP server. The authentication
exchange can be either GTC or MSCHAPv2.
Components Required for 802.1x Authentication
Figure
shows the components that a system needs for 802.1x
authentication. An authentication server is required for
802.1x. 802.1x uses a RADIUS server to authenticate clients to
the network. An authenticator can be a device such as a switch
or an access point. This device operates on the enterprise
edge, meaning that the device is the interface between the
enterprise network and the public or semipublic network, where
security is most needed. The client device contains a
supplicant. The supplicant sends authentication credentials to
the authenticator, and the authenticator then sends the
information to the authentication server. At the authentication
server, the login request is compared to a user database to
determine whether and at what level the user is granted access
to network resources.
Content 6.2
Introducing Wireless Security 6.2.6 LEAP
LEAP provides some unique capabilities that may be difficult to
duplicate with other authentication schemes, as summarized in
Figure : - Fast, secure roaming with Cisco clients or
compatible clients
- A broad range of operating systems
and devices, including Macintosh, Linux, and DOS
-
Single login to a Microsoft Active Directory or Windows NT
domain using Microsoft credentials
If a Microsoft
database is used, and if it is desirable to use native
operating system authentication support, it may be possible to
use Microsoft PEAP (PEAP [EAP-MSCHAPv2]) or EAP-TLS. Single
login is supported with these solutions. Several RADIUS servers
support Cisco LEAP, including Cisco Secure Access Control
Server (ACS) and Cisco Access Registrar, Meetinghouse Aegis,
and Interlink Merit. Cisco LEAP Authentication
As
you can see from Figure , the authentication process requires
three components, shown at the top of the figure: the client,
or supplicant; the access point, or authenticator; and the
RADIUS server (in 802.1x terminology, the authentication
server). The authentication can start in one of two ways: by
client initiation with the Start message or by access point
initiation with the Request/Identity message. In either case,
the client responds to the access point with a user name. The
access point encapsulates that response in a RADIUS
Access-Request message and forwards the response to the RADIUS
server. The RADIUS server then begins the challenge response
process with the client. After the challenges are met with
correct authentication, a Success message is sent to the access
point, indicating that the client has been authenticated. The
client needs to validate that the access point and RADIUS
server are truly what they say they are. This process is the
LEAP mutual authentication function. The client sends a
challenge message to the access point to forward to the RADIUS
server. The RADIUS server must then correctly respond to the
challenge for the client to validate the network and then
associate. Upon successful authentication, a pairwise master
key (PMK) is generated on both the client and the RADIUS
server. The RADIUS server forwards the PMK for installation in
the access point for that specific client. The access point and
the client perform the four-way handshake.
Content
6.2 Introducing Wireless Security
6.2.7 EAP-FAST EAP-FAST consists of an optional
Phase 0, followed by Phases 1 and 2: - Phase 0:
Unique to EAP-FAST, Phase 0 is a tunnel-secured means of
providing an EAP-FAST end-user client with a protected access
credential (PAC) for the user requesting network access. Phase
0 is optional, and PACs can be manually provided to end-user
clients.
A PAC is a digital credential that is
distributed to users for network authentication. A PAC always
consists of a secret part and an opaque part. The secret part
is secret key material that can be used in future transactions.
The opaque part is presented when the client wants to obtain
access to network resources. The opaque part aids the server in
determining whether the client possesses the secret part. Each
PAC has a specific user ID and an authority ID associated with
the PAC. - Phase 1: In Phase 1, the RADIUS
server and the end user-client use the PAC to authenticate each
other and establish a secure tunnel.
Like PEAP,
EAP-FAST uses TLS to verify the identity of the AAA server and
establish a secure tunnel between the client and the AAA
server. The PAC replaces the digital certificate that PEAP uses