More services 512
12.10 Extensions to the RADIUS server
BAT54-Rail/F.. Release 7.54 06/08
- MS-CHAP: The NAS passes the user name, the MS-CHAP challenge and the MS-CHAP password characteristics. The method continues in the same way as CHAP, although the responses are computed with the MS-CHAP algorithm (RFC 2433).
- MS-CHAPv2: The NAS passes the user name, the MS-CHAP challenge and the MS-CHAPv2 response. The method continues in the same way as CHAP and MS-CHAP, although the responses are computed with the MS-CHAPv2 algorithm (RFC 2759). Furthermore, the RADIUS server transmits an MS-CHAPv2 confirmation once the authentication has succeeded. This confirmation contains the server's response to the client's challenge, thus enabling mutual authentication.
- EAP: The NAS passes the user name and an EAP message. Unlike the methods outlined above, EAP is not stateless: in addition to sending an access accept or access reject, the RADIUS server issues its own challenge before authentication is completed. EAP itself is a modular authentication protocol that accommodates various methods of authentication.
12.10.2 EAP authentication
EAP is not a specific authentication mechanism; rather, it is a framework for various authentication methods. The LCOS RADIUS server supports a range of EAP methods:
- EAP/MD5, defined in RFC 2284. EAP/MD5 is a simple challenge/response protocol. It does not cater for mutual authentication, nor does it offer a dynamic key such as those required for 802.1X authentication in wireless networks (WLANs). Thus it is only used for the authentication of non-wireless clients or as a tunneled method as part of TTLS.
- EAP/MSCHAPv2, defined in draft-kamath-pppext-eap-mschapv2-01.txt. As opposed to EAP/MD5, EAP/MSCHAPv2 does support mutual authentication but does not support dynamic keys, and it is just as prone to dictionary attacks as EAP/MD5. This method is usually used within PEAP tunnels.
- EAP/TLS, defined in RFC 2716. The use of EAP/TLS requires a root certificate, a device certificate and a private key in the device. EAP/TLS provides outstanding security and the dynamic keys necessary for wireless connections; its implementation is complex, however, because each individual client requires a certificate and a private key.
Note: The TLS implementation in LCOS does not support certificate chains or certificate revocation lists (CRLs).
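The stateful EAP exchange described above (Identity, server-issued challenge, response, accept or reject), worked through for EAP/MD5 as an added Python example; this is not LCOS code. The RADIUS framing is reduced to the name of the RADIUS packet the server returns, the user table and session ids are constructed, and the response value is MD5(Identifier || secret || challenge) as in CHAP (RFC 1994).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple
# EAP codes and types from RFC 3748. RADIUS framing (EAP-Message and State
# attributes) is reduced to the name of the RADIUS packet the server returns.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP/MD5 response value, identical to CHAP: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class RadiusEapServer:
    """Stateful EAP/MD5 authenticator: remembers the challenge it issued per session."""

    def __init__(self, users: Dict[str, bytes]) -> None:
        self.users = users  # constructed user table: user name -> shared secret
        self.sessions: Dict[str, Tuple[int, str, bytes]] = {}

    def handle(self, session: str, code: int, identifier: int, eap_type: Optional[int],
               data: bytes) -> Tuple[str, int, int, Optional[int], bytes]:
        if code == EAP_RESPONSE and eap_type == TYPE_IDENTITY:
            # Unlike plain CHAP, EAP does not go straight to accept/reject:
            # the server issues its own challenge and keeps state for the answer.
            challenge = os.urandom(16)
            new_id = (identifier + 1) & 0xFF
            self.sessions[session] = (new_id, data.decode(), challenge)
            return ("Access-Challenge", EAP_REQUEST, new_id, TYPE_MD5_CHALLENGE, challenge)
        if code == EAP_RESPONSE and eap_type == TYPE_MD5_CHALLENGE:
            state = self.sessions.pop(session, None)  # each challenge is answered once
            if state is not None and state[0] == identifier:
                _, user, challenge = state
                secret = self.users.get(user)
                if secret is not None and hmac.compare_digest(
                        data, md5_challenge_response(identifier, secret, challenge)):
                    return ("Access-Accept", EAP_SUCCESS, identifier, None, b"")
        return ("Access-Reject", EAP_FAILURE, identifier, None, b"")


def run_exchange(server: RadiusEapServer, session: str, user: str, secret: bytes) -> str:
    """Client side of one EAP/MD5 authentication; returns the final RADIUS packet name."""
    radius, _, ident, _, challenge = server.handle(
        session, EAP_RESPONSE, 0, TYPE_IDENTITY, user.encode())
    if radius != "Access-Challenge":
        return radius
    # The client proves knowledge of the secret, but nothing in EAP/MD5 lets it
    # verify the server: this is the missing mutual authentication the text notes.
    answer = md5_challenge_response(ident, secret, challenge)
    return server.handle(session, EAP_RESPONSE, ident, TYPE_MD5_CHALLENGE, answer)[0]
```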