ZyXEL Communications NWA3560-N User Manual page 294

NWA3000-N Series Wireless N Business WLAN 3000 Series Access Point

Appendix C Wireless LANs
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server
sends a challenge to the wireless client. The wireless client 'proves' that it knows the password by
encrypting the password with the challenge and sending back the result. The password is not sent in
plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs to get
the plaintext passwords, the passwords must be stored. Thus someone other than the
authentication server may access the password file. In addition, it is possible to impersonate an
authentication server, as the MD5 authentication method does not perform mutual authentication.
Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You
must configure WEP encryption keys for data encryption.
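The following added example (not from the ZyXEL manual) shows why the server must hold the plaintext password to check an EAP-MD5 response. It assumes the CHAP-style construction from RFC 1994, MD5(identifier || password || challenge); the function names, the sample password and the salted-hash store are constructed for illustration.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: hash the one-byte identifier, the password and the challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier: int, stored_secret: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the response from whatever secret is on file."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-sample-password"   # constructed sample value
    identifier = 7
    challenge = os.urandom(16)                  # fresh per authentication

    response = eap_md5_response(identifier, password, challenge)

    # 1. A server that stores the plaintext password can verify the client.
    ok_plaintext_store = server_verify(identifier, password, challenge, response)

    # 2. A server that stores only a salted hash of the password cannot:
    #    the MD5 input needs the password itself, not a digest of it.
    salted_hash = hashlib.sha256(b"constructed-salt" + password).digest()
    ok_hashed_store = server_verify(identifier, salted_hash, challenge, response)

    # 3. The response is bound to one challenge, so it fails against a new one.
    ok_other_challenge = server_verify(identifier, password,
                                       os.urandom(16), response)

    return ok_plaintext_store, ok_hashed_store, ok_other_challenge


if __name__ == "__main__":
    print(demo())
```

Nothing in the exchange lets the client check the server, which is the missing mutual authentication the text describes.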
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certificates are needed by both the server and the wireless clients for
mutual authentication. The server presents a certificate to the client. After validating the identity of
the server, the client sends a different certificate to the server. The exchange of certificates is done
in the open before a secured tunnel is created. This makes user identity vulnerable to passive
attacks. A digital certificate is an electronic ID card that authenticates the sender's identity.
However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which
imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server-side
authentications to establish a secure connection. Client authentication is then done by sending
username and password through the secure connection, thus client identity is protected. For client
authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP,
CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then
uses simple username and password methods through the secured connection to authenticate the
clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5,
EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is
implemented only by Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the
wireless connection times out, disconnects or reauthentication times out. A new WEP key is
generated each time reauthentication is performed.
NWA3000-N Series User's Guide


This manual is also suitable for:

Nwa3160-n
