Eap-Tls; Eap-Fast; Eap-Ttls - Cisco C3201FESMIC-TP= - 3201 Fast EN Switch Mobile Interface Card Expansion Module Software Configuration Manual

Authentication Types

EAP-TLS

EAP-Transport Layer Security (TLS) uses public key infrastructure (PKI) to acquire and validate digital certificates. A digital certificate is a cryptographically signed structure that guarantees the association between at least one identifier and a public key. It is valid for a limited time period and use, subject to certificate policy conditions. The Certificate Authority (CA) issues certificates to the client and the server.
The supplicant and the back-end RADIUS server must both support EAP-TLS authentication. The root device acts as an AAA client and is also known as the network access server (NAS). The root devices must support the 802.1x/EAP authentication process, although they are not aware of the EAP authentication protocol type. The NAS tunnels the authentication messages between the peer (the user machine trying to authenticate) and the AAA server (such as the Cisco ACS). The NAS is aware of the EAP authentication process only when it starts and ends.
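The NAS behaviour described above, as an added example that is not part of the Cisco guide: a small EAP packet parser (header layout and code values from RFC 3748, method type numbers from the IANA EAP registry) and a model of the NAS relay decision, which forwards Request/Response packets without interpreting the method and acts only on Success/Failure. The sample packets are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# EAP code values (RFC 3748) and method type numbers (IANA EAP registry).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAMES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 43: "EAP-FAST"}
EAP_HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (big-endian)


@dataclass
class EapPacket:
    code: int
    identifier: int
    type_: Optional[int]  # None for Success/Failure, which carry no Type field
    data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet; reject Length fields that disagree with the buffer."""
    if len(buf) < EAP_HEADER.size:
        raise ValueError("short EAP header")
    code, ident, length = EAP_HEADER.unpack_from(buf)
    if length < EAP_HEADER.size or length > len(buf):
        raise ValueError(f"bad EAP length {length} for {len(buf)}-byte buffer")
    body = buf[EAP_HEADER.size:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, None, body)
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type field")
        return EapPacket(code, ident, body[0], body[1:])
    raise ValueError(f"unknown EAP code {code}")


def nas_relay(from_server: bool, buf: bytes) -> Tuple[str, str]:
    """Model the NAS decision (hypothetical helper): open or keep the port closed
    only on Success/Failure from the AAA server; everything else is forwarded
    without the NAS needing to understand the EAP method inside."""
    pkt = parse_eap(buf)
    if from_server and pkt.code == EAP_SUCCESS:
        return ("open_port", "authentication ended: success")
    if from_server and pkt.code == EAP_FAILURE:
        return ("keep_closed", "authentication ended: failure")
    direction = "to_peer" if from_server else "to_aaa"
    method = EAP_TYPE_NAMES.get(pkt.type_, str(pkt.type_))
    return ("forward_" + direction, f"opaque {method} message, id {pkt.identifier}")


# Constructed sample: an EAP-TLS Start request (Type 13, S flag set) from the server.
EAP_TLS_START = b"\x01\x01\x00\x06\x0d\x20"
# Constructed sample: EAP-Success carrying no Type field.
EAP_SUCCESS_PKT = b"\x03\x02\x00\x04"
```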
The following notes apply to EAP-TLS authentication:

- The 2.4 GHz WMIC (C3201-WMIC) supports storage of one digital certificate in VRAM memory.
- The EAP-TLS authentication mechanism requires that a PKI infrastructure be in place with a Certificate Authority (CA) server. You can use both Microsoft and OpenSSL CA servers to provide the trustpoint.
- EAP-TLS authentication takes place between the client device (workgroup bridge or non-root bridge) and the AAA server. Only the root device must support EAP-based authentication.
- The Cisco C3201 WMIC and the AAA server each obtain the CA certificate for their own key pairs. See the "Configuring Certificates Using the crypto pki CLI" section on page 7 for instructions on configuring CA certificates.

EAP-FAST

Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) encrypts EAP transactions within a TLS tunnel. The TLS tunnel encryption helps prevent the dictionary attacks that are possible against Light Extensible Authentication Protocol (LEAP). The EAP-FAST tunnel is established using shared secret keys that are unique to users. Because handshakes based upon shared secrets are intrinsically faster than handshakes based upon a PKI infrastructure, EAP-FAST is significantly faster than Protected Extensible Authentication Protocol (PEAP) and EAP-TLS.
EAP-FAST operates in three phases:

1. Delivery of the key to the client
2. Establishment of a secure tunnel using the key
3. Authentication of the client over the secure tunnel

After successful client authentication to the EAP-FAST server, a RADIUS Access-Accept message is passed to the root device (along with the master session key) and an EAP-Success message is generated at the root device (as with other EAP authentication protocols). Upon receipt of the EAP-Success packet, the client derives a session key using an algorithm that is complementary to the one used at the server to generate the session key passed to the root device.

EAP-TTLS

EAP-Tunneled TLS (TTLS) is an 802.1X authentication type supported by Funk Software. It uses TLS (server certificates) and supports a variety of client authentication mechanisms, including legacy mechanisms. EAP-TTLS supports both username/password and mutual authentication.

Cisco 3200 Series Wireless MIC Software Configuration Guide
Understanding Authentication Types