Eap Characteristics; Eap Communication Overview - AMX MVP-5200i-GB Instruction Manual


EAP Characteristics

The following table outlines the differences among the various EAP methods, from most secure (at the top of the list) to least secure (at the bottom of the list):

EAP Method Characteristics

Method: EAP-TLS
Credential Type: • Certificates
Authentication: Certificate-based, two-way authentication
Pros: Highest security
Cons: Difficult to deploy

Method: EAP-TTLS
Credential Type: • Certificates • Fixed passwords • One-time passwords (tokens)
Authentication: Client authentication is done via password and certificates; server authentication is done via certificates
Pros: High security
Cons: Moderately difficult to deploy

Method: EAP-PEAP
Credential Type: • Certificates • Fixed passwords • One-time passwords (tokens)
Authentication: Client authentication is done via password and certificates; server authentication is done via certificates
Pros: High security
Cons: Moderately difficult to deploy

Method: EAP-LEAP
Credential Type: • Certificates • Fixed passwords • One-time passwords (tokens)
Authentication: Authentication is based on the MS-CHAP and MS-CHAPv2 authentication protocols
Pros: Easy deployment
Cons: Susceptible to dictionary attacks

Method: EAP-FAST
Credential Type: • Certificates • Fixed passwords • One-time passwords (tokens)
Authentication: N/A
Pros: N/A
Cons: N/A

EAP Communication Overview

EAP authentication goes a step beyond just encrypting data transfers: it also requires that a set of credentials be validated before the client (panel) is allowed to connect to the rest of the network (FIG. 89). Below is a description of this process. It is important to note that no user intervention is necessary during this process; it proceeds automatically based on the configuration parameters entered into the panel.

FIG. 89 (figure) EAP security method in process. Participants shown: Client - Panel (Supplicant); Authenticator (Access Point); Authentication Server (RADIUS Server); LAN; 802.1x (EAP Over Wireless).

1. The client (panel) establishes a wireless connection with the AP specified by the SSID.
2. The AP opens up a tunnel between itself and the RADIUS server configured via the access point. This tunnel means that packets can flow between the panel and the RADIUS server but nowhere else. The network is protected until authentication of the client (panel) is complete and the ID of the client is verified.
3. The AP (Authenticator) sends an "EAP-Request/Identity" message to the panel as soon as the wireless connection becomes active.
4. The panel then sends an "EAP-Response/Identity" message through the AP to the RADIUS server, providing its identity and specifying which EAP type it wants to use. If the server does not support the EAP type, it sends a failure message back to the AP, which then disconnects the panel. As an example, EAP-FAST is only supported by the Cisco server.
5. If the EAP type is supported, the server then sends a message back to the client (panel) indicating what information it needs. This can be as simple as a username (Identity) and password or as complex as multiple CA certificates.
6. The panel then responds with the requested information. If everything matches, and the panel provides the proper credentials, the RADIUS server sends a success message to the access point instructing it to allow the panel to communicate with other devices on the network. At this point, the AP completes the process for allowing LAN access to the panel (possibly restricted access, based on attributes that came back from the RADIUS server). As an example, the AP might switch the panel to a particular VLAN or install a set of firewall rules.

Appendix B: Wireless Technology
MVP-5200i Modero® ViewPoint® Touch Panel with Intercom - Instruction Manual
137
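As an added example (not AMX code and not part of the manual), the six-step exchange above simulated in Python with the panel, access point and RADIUS server as separate roles, so the disconnect on an unsupported EAP type and the VLAN assignment on success can be traced. The server's supported-method list, the "panel-01" account and the use of the Tunnel-Private-Group-ID RADIUS attribute for the VLAN are constructed assumptions, and the EAP method's own handshake is reduced to a single credential check.

```python
# Added example, not AMX code: simulates the 802.1X/EAP exchange from the
# manual with supplicant (panel), authenticator (AP) and RADIUS roles.
import struct

# EAP codes (RFC 3748) and method types: Identity=1, TLS=13 (RFC 5216), FAST=43 (RFC 4851)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, TLS, FAST = 1, 13, 43

def eap(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Split an EAP packet into (code, identifier, type or None, data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP length field does not match packet")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]

class RadiusServer:
    """Hypothetical authentication server: fixed method list, one account."""
    def __init__(self, methods, accounts):
        self.methods, self.accounts = methods, accounts
    def on_identity(self, ident, wanted_type):
        if wanted_type not in self.methods:   # step 4: unsupported EAP type
            return eap(FAILURE, ident)
        # step 5: tell the panel what it must supply (a stand-in for the
        # method's real handshake, e.g. the EAP-TLS certificate exchange)
        return eap(REQUEST, ident + 1, wanted_type, b"credential?")
    def on_credential(self, ident, identity, secret):
        if self.accounts.get(identity) == secret:   # step 6: match
            return eap(SUCCESS, ident), {"Tunnel-Private-Group-ID": "20"}
        return eap(FAILURE, ident), {}

def run_exchange(server, identity, wanted_type, secret):
    """Authenticator (AP) view: returns the controlled port's final state."""
    port = {"open": False, "vlan": None}
    _, ident, _, _ = parse(eap(REQUEST, 1, IDENTITY))          # step 3
    _, ident, _, who = parse(eap(RESPONSE, ident, IDENTITY, identity.encode()))
    code, ident, typ, _ = parse(server.on_identity(ident, wanted_type))
    if code == FAILURE:          # server rejected the type: AP disconnects
        return port
    _, ident, typ, cred = parse(eap(RESPONSE, ident, typ, secret.encode()))
    result, attrs = server.on_credential(ident, who.decode(), cred.decode())
    if parse(result)[0] == SUCCESS:   # AP opens port, applies RADIUS attrs
        port.update(open=True, vlan=attrs.get("Tunnel-Private-Group-ID"))
    return port
SERVER = RadiusServer({TLS}, {"panel-01": "s3cret"})   # constructed account
```

Calling `run_exchange(SERVER, "panel-01", FAST, "s3cret")` leaves the port closed because the server only supports EAP-TLS, while the same call with `TLS` opens the port on VLAN 20.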

This manual is also suitable for:

Mvp-5200i-gw
