ZyXEL Communications ZYWALL USG 20 Manual page 810

Appendix C Wireless LANs
The following types of RADIUS messages are exchanged between the access point
and the RADIUS server for user accounting:
• Accounting-Request
Sent by the access point requesting accounting.
• Accounting-Response
Sent by the RADIUS server to indicate that it has started or stopped accounting.
In order to ensure network security, the access point and the RADIUS server use a
shared secret key, which is a password, they both know. The key is not sent over
the network. In addition to the shared key, password information exchanged is
also encrypted to protect the network from unauthorized access.
Types of EAP Authentication
This section discusses some popular authentication types: EAP-MD5, EAP-TLS,
EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all
authentication types.
EAP (Extensible Authentication Protocol) is an authentication protocol that runs on
top of the IEEE 802.1x transport mechanism in order to support multiple types of
user authentication. By using EAP to interact with an EAP-compatible RADIUS
server, an access point helps a wireless station and a RADIUS server perform
authentication.
The type of authentication you use depends on the RADIUS server and an
intermediary AP(s) that supports IEEE 802.1x. .
For EAP-TLS authentication type, you must first have a wired connection to the
network and obtain the certificate(s) from a certificate authority (CA). A certificate
(also called digital IDs) can be used to authenticate users and a CA issues
certificates and guarantees the identity of each certificate owner.
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The
authentication server sends a challenge to the wireless client. The wireless client
'proves' that it knows the password by encrypting the password with the challenge
and sends back the information. Password is not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication
server needs to get the plaintext passwords, the passwords must be stored. Thus
someone other than the authentication server may access the password file. In
addition, it is possible to impersonate an authentication server as MD5
authentication method does not perform mutual authentication. Finally, MD5
810
ZyWALL USG 20/20W User's Guide