Appendix D Wireless LANs
VMG1312-B Series User’s Guide
• Accounting-Request
Sent by the access point requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
To ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, the password information exchanged is also encrypted to protect the network from unauthorized access.
Types of EAP Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.
The type of authentication you use depends on the RADIUS server and the intermediary AP(s) that support IEEE 802.1x.
For the EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by encrypting the password with the challenge and sending back the result. The password is not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs the plaintext passwords, the passwords must be stored, so someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key; you must configure WEP encryption keys for data encryption.
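The challenge-response round described above, written out as an added Python example (not part of this guide). It follows the EAP-MD5-Challenge computation of RFC 3748 section 5.4 (the CHAP digest of RFC 1994: MD5 over identifier, password and challenge); the password and challenge values are constructed samples, and the comments point at the two weaknesses the text names: the server must hold the plaintext password, and the client has no way to authenticate the server.

```python
import hashlib
import hmac
import os

# EAP-MD5-Challenge (RFC 3748 s5.4) reuses the CHAP computation of RFC 1994:
#   Response = MD5(Identifier || Secret || Challenge)
# The client never transmits the password itself, only this digest over the
# server's challenge, which is the "password is not sent in plain text" property.
def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def server_verify(identifier: int, stored_password: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """Server-side check of a client response.

    The server has to recompute the digest, so it needs the PLAINTEXT password.
    That is the stored-password-file weakness: anyone who can read that file
    holds every user's credential. compare_digest avoids timing side channels."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_password: bytes, server_password: bytes,
                 challenge: bytes = b"") -> dict:
    """One authentication round; returns what both sides computed.

    The challenge is a fresh random nonce per round, so a response captured in
    one round does not verify against a later challenge. Nothing in the round
    lets the client check WHO issued the challenge: any party can send one,
    which is the missing mutual authentication the text describes."""
    identifier = 1                                   # EAP Identifier byte
    challenge = challenge or os.urandom(16)          # server-chosen nonce
    response = eap_md5_response(identifier, client_password, challenge)
    accepted = server_verify(identifier, server_password, challenge, response)
    return {"challenge": challenge, "response": response, "accepted": accepted}


if __name__ == "__main__":
    pw = b"constructed-sample-password"   # constructed sample, not a real credential
    print(run_exchange(pw, pw)["accepted"])          # True
    print(run_exchange(pw, b"wrong")["accepted"])    # False
```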
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created, which makes the user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity.
However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.