Chapter 65 Port Authentication
GS1920v2 Series User’s Guide
420
However, MD5 authentication has some weaknesses. Since the authentication server needs to get the
plain text passwords, the passwords must be stored. Thus someone other than the authentication server
may access the password file. In addition, it is possible to impersonate an authentication server as MD5
authentication method does not perform mutual authentication. Finally, MD5 authentication method
does not support data encryption with dynamic session key. You must configure WEP encryption keys for
data encryption.
• EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certifications are needed by both the server and the wired clients for mutual
authentication. The server presents a certificate to the client. After validating the identity of the server,
the client sends a different certificate to the server. The exchange of certificates is done in the open
before a secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital
certificate is an electronic ID card that authenticates the sender’s identity. However, to implement
EAPTLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management
overhead.
• EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side
authentications to establish a secure connection. Client authentication is then done by sending user
name and password through the secure connection, thus client identity is protected. For client
authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP,
MS-CHAP and MS-CHAP v2.
•PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use
simple user name and password methods through the secured connection to authenticate the clients,
thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2
and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by
Cisco.
•LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
To Next Page
Loading...
