From: IEEE 802.1x Port-Based Network Access Control in the DOD environment




EAP Options

One of the factors in using 802.1x for port authentication is the incorporation of EAP as the authentication protocol.  EAP is flexible and supports several authentication options.  The authentication options in EAP include Transport Layer Security (EAP-TLS), Tunneled TLS (EAP-TTLS), Protected EAP (PEAP), Lightweight EAP (LEAP), and Message Digest 5 (EAP-MD5).  The primary considerations when deciding on the EAP authentication option are:

- Ensure the RADIUS server and the client support and use the same authentication option.

- Decide whether the client and the server will mutually authenticate.  This means that not only does the client authenticate to the server, but the server authenticates to the client as well.

- Decide whether the client will authenticate using certificates, passwords, or tokens.
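The first consideration above rests on a mechanism in EAP itself: the server proposes a method Type in an EAP-Request, and a client that is not configured for it answers with a Nak (Type 3) listing the Types it would accept, after which the server may propose another. The following Python is an added example, not code from the DoD document; the Type numbers are the IANA-registered EAP method Types (MD5-Challenge 4, GTC 6, TLS 13, LEAP 17, TTLS 21, PEAP 25, MS-CHAPv2 26, Nak 3), while the `Supplicant` class, the `negotiate` function, the server preference list and every packet built here are constructed for illustration.

```python
import struct

# EAP packet codes (RFC 3748) and the IANA method Type numbers for the options the page
# discusses. Type 3 is the legacy Nak a client sends to reject a proposed method.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_NAK = 3
TYPE_MD5, TYPE_GTC, TYPE_TLS, TYPE_LEAP, TYPE_TTLS, TYPE_PEAP, TYPE_MSCHAPV2 = 4, 6, 13, 17, 21, 25, 26
NAMES = {TYPE_MD5: "EAP-MD5", TYPE_GTC: "EAP-GTC", TYPE_TLS: "EAP-TLS", TYPE_LEAP: "LEAP",
         TYPE_TTLS: "EAP-TTLS", TYPE_PEAP: "PEAP", TYPE_MSCHAPV2: "EAP-MSCHAPv2"}


def eap_packet(code, ident, method_type=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if method_type is None else bytes([method_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet, rejecting a Length field that disagrees with the bytes received."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its fixed header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length field")
    method_type = pkt[4] if length > 4 else None
    return code, ident, method_type, pkt[5:length]


class Supplicant:
    """Hypothetical minimal client (constructed for this example): accepts a proposed method
    if configured for it, otherwise sends a Nak listing the methods it would accept."""

    def __init__(self, supported):
        self.supported = list(supported)  # the client's own preference order

    def handle(self, request):
        code, ident, method_type, _ = parse_eap(request)
        if code != EAP_REQUEST:
            raise ValueError("supplicant expected an EAP-Request")
        if method_type in self.supported:
            # Method accepted: the real method conversation (TLS handshake etc.) starts here.
            return eap_packet(EAP_RESPONSE, ident, method_type)
        return eap_packet(EAP_RESPONSE, ident, TYPE_NAK, bytes(self.supported))


def negotiate(server_prefs, supplicant):
    """Server side: propose methods in policy order; after a Nak keep only the remaining
    methods the client said it accepts. Returns the agreed Type, or None if none is shared."""
    candidates = list(server_prefs)
    ident = 0
    while candidates:
        proposed = candidates[0]
        ident = (ident + 1) & 0xFF
        reply = supplicant.handle(eap_packet(EAP_REQUEST, ident, proposed))
        code, reply_id, reply_type, data = parse_eap(reply)
        if code != EAP_RESPONSE or reply_id != ident:
            return None  # Identifier mismatch: a real server discards the packet
        if reply_type == proposed:
            return proposed
        if reply_type != TYPE_NAK:
            return None
        acceptable = set(data)
        candidates = [t for t in candidates[1:] if t in acceptable]
    return None  # nothing in common: the server would send EAP-Failure


if __name__ == "__main__":
    server = [TYPE_TLS, TYPE_PEAP, TYPE_MD5]   # constructed server policy, strongest first
    for client in ([TYPE_TLS], [TYPE_PEAP, TYPE_MD5], [TYPE_LEAP]):
        chosen = negotiate(server, Supplicant(client))
        print([NAMES[t] for t in client], "->", NAMES.get(chosen, "no common method"))
```

The server's preference list is where the other two considerations are enforced: a policy that lists only EAP-TLS, for instance, guarantees mutual certificate authentication or no access at all, and a client configured only for LEAP never gets past the Nak exchange.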

EAP-TLS

EAP-TLS utilizes the TLS handshake as the basis for authentication.  EAP-TLS requires a public key infrastructure (PKI); the client and the RADIUS server must both have X.509 certificates.

PEAP

PEAP is a two-stage authentication method.  First, a TLS tunnel is created between the client and the RADIUS server; the tunnel is established using a certificate on the RADIUS server only.  Second, the client authenticates using the MS-CHAPv2 protocol or a Generic Token Card (GTC).  Using MS-CHAPv2 or GTC allows the client to authenticate with credentials from existing databases, directories, or one-time-password systems.

EAP-TTLS

EAP-TTLS is similar to PEAP in that a TLS tunnel is created first.  Second, the client and the RADIUS server exchange “attribute-value pairs” to validate the user credentials.  EAP-TTLS supports the use of CHAP, PAP, MS-CHAP, and MS-CHAPv2.

EAP-MD5

EAP-MD5 is considered the weakest form of EAP.  EAP-MD5 uses clear-text identities and an MD5-hashed password to authenticate.  EAP-MD5 is more susceptible to dictionary attacks.

LEAP

LEAP is a Cisco-proprietary version of EAP.  Cisco first introduced LEAP in December 2000 and began working with some additional vendors to support it.  LEAP is now supported by a limited number of vendors.



EAP:  Extensible Authentication Protocol is an authentication framework that supports multiple authentication methods.


EAPOL:  EAP over LANs.  EAPOL is the standard for encapsulating EAP frames on an IEEE 802.3 (Ethernet) network or a token ring network.
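The EAPOL encapsulation just defined and the EAP-MD5 exchange described earlier can be seen together in one short simulation. The Python below is an added example, not part of the DoD document: it wraps EAP packets in the EAPOL header (Version, Packet Type, Body Length), runs the Identity and MD5-Challenge round trips, and has the server side verify the response against its user database. The EAP and EAPOL field layouts and the MD5(Identifier || secret || challenge) computation follow RFC 3748 and IEEE 802.1X; the user `alice`, her password, the fixed challenge and the Name string `radius-server` are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# EAPOL frame header (IEEE 802.1X): Protocol Version(1) Packet Type(1) Body Length(2), then body.
EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes and the two Types used here (RFC 3748): Identity=1, MD5-Challenge=4.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5 = 1, 4


def eapol_frame(packet_type, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body shorter than Body Length")
    return version, packet_type, frame[4:4 + length]   # drop any Ethernet padding after the body


def eap_packet(code, ident, method_type=None, data=b""):
    body = b"" if method_type is None else bytes([method_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length field")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]


def md5_type_data(value, name):
    """MD5-Challenge Type-Data: Value-Size(1) Value Name (RFC 3748 section 5.4)."""
    return bytes([len(value)]) + value + name


def parse_md5_type_data(data):
    size = data[0]
    if len(data) < 1 + size:
        raise ValueError("truncated MD5-Challenge value")
    return data[1:1 + size], data[1 + size:]


def md5_response(ident, secret, challenge):
    """The CHAP-style computation EAP-MD5 uses: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_eap_md5(identity, password, user_db, challenge=None):
    """Simulate the EAPOL-encapsulated exchange between a supplicant and an authenticator
    backed by a user database. Returns (authenticated, frames); the frames are the bytes
    that cross the LAN segment, so anything readable in them is readable by any bystander."""
    challenge = challenge or os.urandom(16)
    frames = []
    # Step 1: Identity exchange. The identity travels in clear text.
    frames.append(eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, TYPE_IDENTITY)))
    frames.append(eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, TYPE_IDENTITY, identity)))
    _, _, body = parse_eapol(frames[-1])
    _, _, _, claimed_identity = parse_eap(body)      # the server remembers who claimed to be asking
    # Step 2: the server issues an MD5-Challenge; the challenge is also in clear text.
    frames.append(eapol_frame(EAPOL_EAP_PACKET,
                              eap_packet(EAP_REQUEST, 2, TYPE_MD5, md5_type_data(challenge, b"radius-server"))))
    # Supplicant: parse the request and answer with the hash over its password.
    _, _, body = parse_eapol(frames[-1])
    _, ident, _, type_data = parse_eap(body)
    chal, _ = parse_md5_type_data(type_data)
    frames.append(eapol_frame(EAPOL_EAP_PACKET,
                              eap_packet(EAP_RESPONSE, ident, TYPE_MD5,
                                         md5_type_data(md5_response(ident, password, chal), identity))))
    # Server: recompute from the stored password of the identity received in step 1 (not from
    # the Name field the client chose to send back) and compare in constant time.
    _, _, body = parse_eapol(frames[-1])
    _, resp_id, resp_type, resp_data = parse_eap(body)
    got, _ = parse_md5_type_data(resp_data)
    stored = user_db.get(claimed_identity)
    ok = (resp_type == TYPE_MD5 and resp_id == 2 and stored is not None
          and hmac.compare_digest(got, md5_response(2, stored, challenge)))
    frames.append(eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, 2)))
    return ok, frames


USER_DB = {b"alice": b"correct horse battery staple"}   # constructed sample user database

if __name__ == "__main__":
    ok, frames = run_eap_md5(b"alice", b"correct horse battery staple", USER_DB)
    print("authenticated:", ok)
    print("identity visible on the wire:", b"alice" in frames[1])
```

Note what the captured frames contain: the identity, the challenge and an unsalted MD5 over the password, with nothing authenticating the server to the client. That is the concrete reason the page ranks EAP-MD5 weakest and why the tunnelled methods (PEAP, EAP-TTLS) carry the password exchange inside TLS instead.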

 



Client:  The device requesting a connection to the LAN infrastructure.  The 802.1x standard defines a supplicant and a system: the supplicant is the port of the service-requesting device, and the system is the device that is trying to connect to the network.  For the purpose of this document, the two entities are combined and referred to as a client.


Port:  The point where a switch communicates with a client or RADIUS server.


RADIUS Server:  The device that determines if a client is authorized to use the services provided by the authenticator.  In a common environment, the authentication server is a RADIUS server.


Switch:  The device that initiates and then facilitates the 802.1x authentication between a client and the RADIUS Server.  In a common environment, the authenticator can be a LAN switch or Wireless Access Point.


TLS:  Transport Layer Security is a protocol designed to ensure data privacy between client and server.  TLS is defined in detail in the IETF RFCs 2246 and 3546.


802.1x Software Support (MS 2000 / NT Workstations)


Note:  The following list is not a comprehensive list of all software that supports 802.1x. 
Software                                             | EAP-TLS | EAP-TTLS | PEAP-EAP-GTC | PEAP-EAP-MSCHAPv2 | EAP-MD5 | LEAP
-----------------------------------------------------+---------+----------+--------------+-------------------+---------+-----
Client Software                                      |         |          |              |                   |         |
  Microsoft                                          |    X    |          |      X       |         X         |         |
  Funk Odyssey Client                                |    X    |    X     |      X       |         X         |    X    |  X
  Meetinghouse Aegis Client                          |    X    |    X     |      X       |         X         |    X    |  X
RADIUS Servers                                       |         |          |              |                   |         |
  Microsoft IAS (2000)                               |    X    |          |      X       |         X         |         |
  Cisco ACS (2000, NT, Unix)                         |    X    |          |      X       |         X         |    X    |  X
  Funk Steel Belted Radius (2000, NT, Solaris)       |    X    |    X     |      X       |         X         |    X    |  X
  Meetinghouse Aegis Server (2000, XP, Unix, Linux)  |    X    |    X     |      X       |         X         |    ?    |  ?

X = supported; ? = cell missing from the source text (the Meetinghouse Aegis Server row lists only its first four entries).