EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication
The support that 802.1X provides for Extensible Authentication Protocol (EAP) types allows you to choose from several different authentication methods for wireless clients and servers.
EAP
802.1X uses EAP for message exchange during the authentication process. With EAP, an arbitrary authentication method, such as certificates, smart cards, or credentials, is used. EAP allows for an open-ended conversation between an EAP client (such as a wireless computer) and an EAP server (such as an Internet Authentication Service (IAS) server). The conversation consists of requests for authentication information by the server and responses by the client. In order for authentication to be successful, the client and the server must use the same authentication method.
EAP-TLS
EAP-Transport Layer Security (TLS) is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server. If you want to use certificates or smart cards for user and client computer authentication, you must use EAP-TLS or, for enhanced security, Protected EAP (PEAP) with EAP-TLS.
EAP-MS-CHAP v2
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a mutual authentication method that supports password-based user or computer authentication. During the EAP-MS-CHAP v2 authentication process, both the server and client must prove that they have knowledge of the user's password in order for authentication to succeed. With EAP-MS-CHAP v2, after successful authentication, users can change their passwords, and they are notified when their passwords expire.
Note:
EAP-MS-CHAP v2 is available only with PEAP.
PEAP
PEAP is an authentication method that uses TLS to enhance the security of other EAP authentication protocols. PEAP provides the following benefits: an encryption channel to protect EAP methods running within PEAP, dynamic keying material generated from TLS, fast reconnect (the ability to reconnect to a wireless access point by using cached session keys, which allows for quick roaming between wireless access points), and server authentication that can be used to protect against the deployment of unauthorized wireless access points.
PEAP authentication process
The PEAP authentication process consists of two main phases:
1. Server authentication and the creation of a TLS encryption channel. The server identifies itself to a client by providing certificate information to the client. After the client verifies the identity of the server, a master secret is generated. The session keys that are derived from the master secret are then used to create a TLS encryption channel that encrypts all subsequent communication between the server and the wireless client.
2. EAP conversation and user and client computer authentication. A complete EAP conversation between the client and the server is encapsulated within the TLS encryption channel. With PEAP, you can use any one of several EAP authentication methods, such as passwords, smart cards, and certificates, to authenticate the user and client computer.
The session keys that are generated during the PEAP authentication process provide keying material for the Wired Equivalent Privacy (WEP) encryption keys that encrypt the data that is sent between wireless clients and wireless access points.
You can use PEAP with any of the following authentication methods for wireless authentication:
· EAP-TLS, which uses certificates for server authentication and either certificates or smart cards for user and client computer authentication.
· EAP-MS-CHAP v2, which uses certificates for server authentication and credentials for user authentication.
· Non-Microsoft EAP authentication methods.
Notes:
PEAP is not supported for use with EAP-MD5.
PEAP is available as an authentication method for 802.11 wireless clients, but it is not supported for virtual private network (VPN) clients or other remote access clients. Therefore, you can configure PEAP as the authentication method for a remote access policy only when you are using Internet Authentication Service (IAS).
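The "dynamic keying material generated from TLS" mentioned above is concrete enough to work through. The following is an added example, not code from the original answer or from Microsoft: it derives the EAP Master Session Key the way RFC 5216 (EAP-TLS) specifies and PEAPv0 reuses, using the TLS 1.2 PRF (P_SHA256), and splits it into the MS-MPPE-Recv-Key and MS-MPPE-Send-Key values the RADIUS server hands to the access point, which are the source of the per-station link keys the answer describes. The master secret and random values are constructed sample inputs, not real handshake data.

```python
import hmac
import hashlib

# Label fixed by RFC 5216 section 2.3; PEAPv0 (the Microsoft PEAP draft) reuses it.
EAP_TLS_LABEL = b"client EAP encryption"


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    a = seed            # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def eap_tls_msk(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """MSK = first 64 bytes of PRF(master_secret, "client EAP encryption", client_random + server_random).

    Only the TLS handshake (PEAP phase 1) contributes; the inner EAP method in phase 2 does not.
    """
    return tls12_prf(master_secret, EAP_TLS_LABEL, client_random + server_random, 64)


def mppe_keys(msk: bytes) -> tuple:
    """RFC 5216 section 2.3 mapping onto the RADIUS attributes sent to the authenticator (AP):
    MS-MPPE-Recv-Key = MSK[0:32], MS-MPPE-Send-Key = MSK[32:64]."""
    return msk[:32], msk[32:64]


def derive_session_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    msk = eap_tls_msk(master_secret, client_random, server_random)
    recv_key, send_key = mppe_keys(msk)
    return {"msk": msk, "ms_mppe_recv_key": recv_key, "ms_mppe_send_key": send_key}


if __name__ == "__main__":
    # Constructed sample values: a 48-byte TLS master secret and two 32-byte handshake randoms.
    keys = derive_session_keys(bytes(range(48)), b"\x11" * 32, b"\x22" * 32)
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```

Because the keys depend only on the phase 1 TLS handshake, a client that skips server certificate validation in phase 1 derives link keys with whatever server answered, which is why the answer's "server authentication" benefit matters.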