98 Summit 300-48 Switch Software User Guide
Unified Access Security
Web-based and 802.1x authentication each have advantages and disadvantages, as summarized below.
Advantages of 802.1x Authentication:
• Where the client operating system natively supports 802.1x, login and authentication happen transparently as part of the normal computer login.
• Authentication happens at Layer 2, before the client has an IP address. It does not involve obtaining a temporary IP address and then releasing it to obtain a permanent address, as web-based login does.
• Allows for periodic, transparent re-authentication of supplicants, initiated from the authenticator side.
Disadvantages of 802.1x Authentication:
• Native 802.1x support is available only on newer operating systems, such as Windows XP; older clients need third-party supplicant software.
• 802.1x requires an EAP-capable RADIUS server. Most current RADIUS servers support EAP, so this is not a major disadvantage.
• The TLS authentication method (EAP-TLS) involves a Public Key Infrastructure (PKI) that must issue a certificate to every client, which adds to the administrative requirements.
• TTLS is still a Funk/Certicom IETF draft proposal, not a fully accepted standard, although it is easy to deploy and administer because only the server needs a certificate.
Advantages of Web-based Authentication:
• Works with any operating system. There is no need for special client-side software; only a web browser is needed.
Disadvantages of Web-based Authentication:
• The login process involves manipulation of IP addresses and must be done outside the scope of the normal computer login process. It is not tied to the Windows login: the client must bring up the login page in a browser and initiate the login manually.
• Supplicants cannot be re-authenticated transparently, and re-authentication cannot be initiated from the authenticator side.
• Because wireless web-based network login supports only static WEP encryption, it is vulnerable to attack, so care should be taken when deploying this authentication mechanism. Serving the login page from a secure web server (HTTP over SSL) protects the username and password while they are submitted, but it does not protect the client's traffic after login, which is still covered only by static WEP.
• This method is therefore not as effective in maintaining privacy protection.
802.1x Authentication Methods
802.1x authentication methods govern interactions between the supplicant (client) and the
authentication server. The most commonly used methods are Transport Layer Security (TLS) and
Tunneled TLS (TTLS), which is a Funk/Certicom standards proposal.
TLS is the most secure of the currently available methods, although TTLS is advertised to be as strong as TLS. Both TLS and TTLS are certificate-based and require a Public Key Infrastructure (PKI) that can issue, renew, and revoke certificates. TTLS is easier to deploy because it requires only a server certificate, whereas TLS requires both client and server certificates. With TTLS, the client first authenticates the server by its certificate and then uses the MD5 mode of username/password authentication inside the resulting TLS tunnel. The tunnel is what protects the password exchange, so the client must be configured to verify the server certificate rather than accept any server that presents one.
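As an added illustration of the MD5 mode named above (this is example code written for this page, not part of the Summit 300-48 software or its documentation), the following Python models the EAP MD5-Challenge computation as both the client and the RADIUS server perform it (RFC 3748 section 5.4: the response is MD5 over the one-octet EAP identifier, the password, and the challenge) and then shows why TTLS carries it inside a TLS tunnel: anyone who can observe the bare challenge and response can test candidate passwords offline. The identifier, challenge bytes, password and wordlist are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Sequence

# EAP-MD5 (RFC 3748 section 5.4; the same computation as CHAP in RFC 1994):
#   Response = MD5(Identifier || password || Challenge)
# Identifier is the one-octet EAP packet identifier. The password is the
# plaintext shared secret, so the RADIUS server must hold it in plaintext
# (or reversibly encrypted) form to recompute the response.


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: answer an MD5-Challenge request."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("EAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Server side: a fresh random challenge for every request (never reuse one)."""
    return secrets.token_bytes(length)


def verify_response(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = md5_challenge_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                              wordlist: Sequence[bytes]) -> Optional[bytes]:
    """What an eavesdropper can do with an untunneled MD5-Challenge exchange:
    try candidate passwords against the captured challenge/response pair."""
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == response:
            return candidate
    return None


# Constructed sample values for the demonstration (not captured traffic).
SAMPLE_IDENTIFIER = 0x2A
SAMPLE_PASSWORD = b"summer2003"
SAMPLE_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_WORDLIST = [b"password", b"letmein", b"summer2003", b"welcome1"]


def demo() -> dict:
    """Run one exchange, verify it as the server would, then attack it as an eavesdropper would."""
    response = md5_challenge_response(SAMPLE_IDENTIFIER, SAMPLE_PASSWORD, SAMPLE_CHALLENGE)
    return {
        "accepted": verify_response(SAMPLE_IDENTIFIER, SAMPLE_PASSWORD, SAMPLE_CHALLENGE, response),
        "wrong_password_accepted": verify_response(SAMPLE_IDENTIFIER, b"Summer2003", SAMPLE_CHALLENGE, response),
        "recovered_by_eavesdropper": offline_dictionary_attack(
            SAMPLE_IDENTIFIER, SAMPLE_CHALLENGE, response, SAMPLE_WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run bare, the exchange is accepted by the server and the eavesdropper's wordlist recovers the password from the observed challenge and response. Inside TTLS the same exchange runs over the TLS tunnel, so an observer sees only ciphertext and has nothing to feed to `offline_dictionary_attack`; that protection exists only if the client verified the server certificate before sending the inner authentication.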
If you plan to use 802.1x authentication, refer to the documentation for your particular RADIUS server and 802.1x client on how to set up the PKI configuration.