Post on 16-Apr-2017
© 2008 Cisco Systems, Inc. All rights reserved. IUWNE v1.0—4-1
WLAN Security
Describing EAP Authentications
Symmetric Keys
Asymmetric Keys
Digital Signature
Trusted Third Party
Certificates
PKI
EAP-TLS
Client support
− Windows 2000, XP, Vista and Windows CE (natively supported)
− Linux, Mac AirPort Extreme
− Each client requires a user certificate
Infrastructure requirements
− EAP-TLS-supported RADIUS server
− RADIUS server requires a server certificate
− Certificate Authority server (PKI infrastructure)
Certificate management
− Both client and RADIUS server certificates must be managed
EAP-TLS (Cont.)
EAP-FAST
Considered in three phases:
Protected Access Credential (PAC) is generated in phase zero (dynamic PAC provisioning)
− Unique shared credential used to mutually authenticate client and server
− Associated with a specific user ID and an Authority ID
− Removes the need for PKI
A secure tunnel is established in phase one
Client is authenticated via the secure tunnel in phase two
PAC Creation
PAC consists of PAC-Key, PAC-Opaque and PAC-Info
Server generates a PAC-Key, PAC-Opaque and PAC-Info
The PAC-Opaque contains
− PAC-Key
− Client user identity (I-ID)
− Key lifetime
PAC-Opaque is encrypted with the Master-Key
PAC-Info contains the Authority Identity (A-ID)
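As an added illustration of this slide (example code, not Cisco course material), the Python below models the server side of PAC handling: in phase zero the server seals PAC-Key, I-ID and the key lifetime into PAC-Opaque under its Master-Key and attaches PAC-Info carrying the A-ID; later, when the client presents the PAC-Opaque, the server verifies it, recovers the PAC-Key and rejects expired or tampered credentials. The master key, identities and the HMAC-based encrypt-then-MAC construction are constructed stand-ins; the real PAC-Opaque encoding is server-specific and only the issuing server needs to read it.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed server Master-Key; it never leaves the RADIUS server.
MASTER_KEY = b"constructed-master-key-for-demo-32b"

def _subkey(master_key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the Master-Key.
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (demo construction).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def server_generate_pac(master_key: bytes, i_id: str, a_id: str, lifetime_s: int, now: int) -> dict:
    """Phase zero on the server: create PAC-Key, PAC-Opaque and PAC-Info for user i_id."""
    pac_key = os.urandom(32)
    payload = json.dumps({"pac_key": pac_key.hex(), "i_id": i_id, "expires": now + lifetime_s}).encode()
    nonce = os.urandom(16)
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(payload))
    ciphertext = bytes(a ^ b for a, b in zip(payload, ks))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    # PAC-Opaque = nonce || ciphertext || tag; the client stores it but cannot read it.
    return {"pac_key": pac_key, "pac_opaque": nonce + ciphertext + tag, "pac_info": {"a_id": a_id}}

def server_open_pac_opaque(master_key: bytes, pac_opaque: bytes, now: int) -> dict:
    """Later phase on the server: recover PAC-Key and I-ID from a PAC-Opaque the client presented."""
    nonce, ciphertext, tag = pac_opaque[:16], pac_opaque[16:-32], pac_opaque[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PAC-Opaque tampered or not issued under this Master-Key")
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(ciphertext))
    fields = json.loads(bytes(a ^ b for a, b in zip(ciphertext, ks)))
    if now >= fields["expires"]:
        raise ValueError("PAC-Key lifetime expired; client must be re-provisioned")
    return {"pac_key": bytes.fromhex(fields["pac_key"]), "i_id": fields["i_id"], "expires": fields["expires"]}
```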
PAC Exchange
EAP-FAST Authentication
PEAP
Hybrid authentication method
− Server-side authentication with TLS
− Client-side authentication with EAP authentication types: EAP-GTC, EAP-MSCHAPv2
Clients do not require certificates
RADIUS server requires a server certificate
− RADIUS server self-issuing certificate capability
− Purchase a server certificate per server from a public PKI entity
− Set up a simple PKI server to issue server certificates
Allows for one-way authentication types to be used
− One-time passwords
− Proxy to LDAP, Unix, Microsoft NT and Active Directory, Kerberos
PEAP Authentication
LEAP
Cisco WLAN security solution
User authentication via user ID and password
Single login using Windows NT/2000 Active Directory
Dynamic WEP keys and mutual authentication
− Key integrity protocol/message integrity recommended
Simplified deployment and administration
Supports multiple operating systems
− Windows, Mac OS, Windows CE, DOS, and Linux
Strong password policy recommended
LEAP Authentication
Summary
Certificates are public keys; they allow both authentication and encryption.
EAP-TLS is an authentication mechanism built upon certificate exchange.
EAP-FAST aims at providing the same level of security without certificates.
PEAP requires a certificate on the server but not on the client. There are many other EAP types, such as Cisco LEAP.