Table of Contents
Advertisement
PEAP (Protected EAP)
Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use
simple username and password methods through the secured connection to authenticate the clients,
thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2
and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by
Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless
connection times out, disconnects or reauthentication times out. A new WEP key is generated each
time reauthentication is performed.
If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security
configuration screen. You may still configure and store keys, but they will not be used while dynamic
WEP is enabled.
Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange
For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for
data encryption. They are often deployed in corporate environments, but for public deployment, a
simple user name and password pair is more practical. The following table is a comparison of the
features of authentication types.
Table 129 Comparison of EAP Authentication Types
Mutual Authentication
Certificate – Client
Certificate – Server
Dynamic Key Exchange
Credential Integrity
Deployment Difficulty
Client Identity Protection
WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless
security standard that defines stronger encryption, authentication and key management than WPA.
Key differences between WPA or WPA2 and WEP are improved data encryption and user
authentication.
If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2
for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK
(WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point,
Appendix B Wireless LANs
EAP-MD5
EAP-TLS
No
Yes
No
Yes
No
Yes
No
Yes
None
Strong
Easy
Hard
No
No
VMG3925-B10C/B30C User's Guide
301
EAP-TTLS
PEAP
Yes
Yes
Optional
Optional
Yes
Yes
Yes
Yes
Strong
Strong
Moderate
Moderate
Yes
Yes
LEAP
Yes
No
No
Yes
Moderate
Moderate
No
Advertisement
Table of Contents
