Wireless clients first associate to an access point. Association alone does not grant access: the client must then authenticate to an authentication server before the access point forwards its traffic to network services. As shown in Figure 4-4, the authentication server resides in the wired infrastructure. The client exchanges EAP messages with the WLC over 802.1X (EAPOL), and the WLC relays those EAP messages to the authentication server inside RADIUS, so an EAP-over-RADIUS exchange takes place between the WLC and the authentication server. Cisco Secure Access Control Server (ACS), acting as a RADIUS server that terminates EAP, is an example of an authentication server.
Figure 4-4 WLAN Authentication
Wireless clients authenticate to the authentication server using EAP; the access point and WLC only relay the EAP messages and never see the credentials themselves. Each EAP type has advantages and disadvantages. Trade-offs exist between the security provided, manageability of the EAP type, the operating systems and client devices supported, client software and authentication messaging overhead, certificate requirements, ease of use for the user, and WLAN infrastructure device support. The following summarizes the authentication options:
■ EAP-Transport Layer Security (EAP-TLS) is an IETF open standard that is well supported among wireless vendors but rarely deployed, because every client needs its own certificate. It uses PKI to secure communications to the RADIUS authentication server using TLS, with digital certificates on both the client and the server, so the two sides authenticate each other.
■ Protected Extensible Authentication Protocol (PEAP) was proposed jointly by Cisco Systems, Microsoft, and RSA Security as an open standard. PEAP/MSCHAPv2 is the most common version; it is widely available in products and widely deployed. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a TLS tunnel that protects the user authentication exchange. PEAP-GTC allows more generic inner authentication against a number of databases such as Novell Directory Services (NDS). With either tunneled method the tunnel protects the inner credentials only if the client validates the server certificate; a client configured to skip that check will complete the inner MSCHAPv2 exchange with any access point and RADIUS server that present a certificate, handing over a crackable challenge/response.
■ EAP-Tunneled TLS (EAP-TTLS) was codeveloped by Funk Software and Certicom. It is widely supported across platforms and offers very good security, using PKI certificates only on the authentication server.
■ Cisco Lightweight Extensible Authentication Protocol (LEAP) is an early proprietary EAP method supported in the Cisco Compatible Extensions (CCX) program. It is vulnerable to dictionary attacks: its MS-CHAP-style challenge/response is sent without a protective tunnel, so a captured exchange can be cracked offline.
■ EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) is a proposal by Cisco Systems to fix the weaknesses of LEAP. EAP-FAST uses a Protected Access Credential (PAC), a shared secret issued by the AAA server, and use of server certificates is optional. EAP-FAST has three phases. Phase 0 is an optional phase in which the PAC is provisioned, either manually or dynamically in band. In Phase 1, the client and the AAA server use the PAC to establish the TLS tunnel. In Phase 2, the client sends the user credentials across the tunnel. Because the PAC replaces the server certificate as the tunnel's trust anchor, the security of a deployment rests on how the PAC was provisioned: anonymous in-band provisioning in Phase 0 exposes that first exchange to a rogue server, so provisioning should be done manually or inside a server-authenticated TLS session.
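The certificate and provisioning requirements listed above are exactly the settings a supplicant gets wrong in practice. The following is an added example, not code from the original page or from Cisco: it parses wpa_supplicant-style network blocks and audits each one against the trade-offs described here (LEAP flagged outright, EAP-TLS needing a client certificate, PEAP/TTLS needing server certificate validation, EAP-FAST needing a safely provisioned PAC). The configuration text is constructed for illustration; the keywords (key_mgmt, eap, ca_cert, domain_match, pac_file, phase1) are real wpa_supplicant options, but the severity policy in audit_network() is this example's own.

```python
"""Audit wpa_supplicant-style network blocks for the EAP choices discussed above.

Added example, not from the original page. SAMPLE_CONF is constructed; the policy
in audit_network() is this example's own, not any vendor's.
"""
import re

# Constructed sample: five network blocks in wpa_supplicant.conf syntax.
SAMPLE_CONF = """
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/corp-ca.pem"
    client_cert="/etc/ssl/alice.pem"
    private_key="/etc/ssl/alice.key"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="carol"
    password="hunter2"
    ca_cert="/etc/ssl/corp-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-fast"
    key_mgmt=WPA-EAP
    eap=FAST
    identity="dave"
    password="hunter2"
    phase1="fast_provisioning=1"
    pac_file="/etc/wpa/corp.pac"
}
network={
    ssid="legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="erin"
    password="hunter2"
}
"""


def parse_networks(text):
    """Return one dict per network={...} block: option name -> value, quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")   # split on the first '=' only
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Return (severity, findings) for one block; severity is 'ok', 'warn' or 'fail'."""
    eap = net.get("eap", "").upper()
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return "fail", ["key_mgmt is not WPA-EAP: no authentication server is consulted"]
    if eap == "LEAP":
        return "fail", ["LEAP: untunneled MS-CHAP challenge/response, offline dictionary attack"]
    if eap == "TLS":
        if not (net.get("client_cert") and net.get("private_key")):
            findings.append("EAP-TLS: client certificate and private key are required")
        if not net.get("ca_cert"):
            findings.append("EAP-TLS: no ca_cert, server certificate is not validated")
        return ("fail" if findings else "ok"), findings
    if eap in ("PEAP", "TTLS"):
        if not net.get("ca_cert"):
            # Without CA validation a rogue AP/RADIUS pair can terminate the tunnel
            # and collect the inner MSCHAPv2 response.
            return "fail", [f"{eap}: no ca_cert, inner credentials can be harvested by a rogue server"]
        if not (net.get("domain_match") or net.get("domain_suffix_match") or net.get("subject_match")):
            findings.append(f"{eap}: ca_cert set but no server name check, any cert from that CA is accepted")
        return ("warn" if findings else "ok"), findings
    if eap == "FAST":
        # fast_provisioning=1 is anonymous in-band PAC provisioning (Phase 0);
        # without ca_cert the provisioning exchange trusts whatever server answers.
        if "fast_provisioning=1" in net.get("phase1", "") and not net.get("ca_cert"):
            findings.append("EAP-FAST: anonymous in-band PAC provisioning with no server certificate check")
        if not (net.get("pac_file") or net.get("ca_cert")):
            findings.append("EAP-FAST: neither pac_file nor ca_cert configured")
        return ("warn" if findings else "ok"), findings
    return "warn", [f"unrecognised EAP method {eap!r}"]


def audit_all(text):
    """Map each block's SSID to its (severity, findings)."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, (severity, findings) in audit_all(SAMPLE_CONF).items():
        print(f"{ssid:10} {severity:4} {'; '.join(findings) or '-'}")
```

Run against the constructed sample, corp-tls and corp-ttls pass, corp-peap and legacy fail (no server validation, and LEAP respectively), and corp-fast is only a warning because the PAC is present but was obtained by anonymous provisioning. The same parser can be pointed at a real wpa_supplicant.conf by reading the file into `audit_all()`.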