THOMSON Gateway Configuration Manual page 38

Wireless configuration guide
RADIUS authentication
RADIUS stands for Remote Authentication Dial-In User Service. It is a client-server authentication,
authorization and accounting (AAA) protocol used to control remote network access. End users present their
credentials to a Network Access Server (NAS); in a wireless LAN the NAS is the access point. The NAS is itself
a client of a RADIUS server, which centrally controls user access to the services the NAS offers. The RADIUS
server receives end user requests, authenticates the user, and then either returns to the NAS the information
it needs to deliver the service (Access-Accept) or refuses the request (Access-Reject). RADIUS can draw on
several database management systems and directory protocols to manage the list of network users and their
privileges. This centralizes access control, but note what plain RADIUS does and does not protect: only the
User-Password attribute is obscured, with an MD5-based keystream derived from the shared secret between
NAS and server, while the rest of each packet, including the user name, travels in the clear. The link between
the access point and the RADIUS server should therefore itself be a trusted network.
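The exchange just described, as an added example that is not code from the Thomson manual: the NAS (here the access point) sends an Access-Request with the user name in the clear and the password hidden by the RFC 2865 MD5 keystream, the server recovers and checks the password, and the NAS verifies the Response Authenticator on the reply. The shared secret, user store and attribute choice are constructed assumptions.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865 subset).
Added example, not code from the Thomson manual: the NAS (access point) hides
the password with the RFC 2865 MD5 keystream, the server checks it and signs
its reply with a Response Authenticator, and the NAS verifies that signature."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
SHARED_SECRET = b"example-nas-secret"   # constructed; configured on NAS and server
USER_DB = {"alice": b"correct horse"}   # constructed sample user store


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR block i with
    MD5(secret + c[i-1]), where c[-1] is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the NUL padding (RFC 2865 accepts this ambiguity)

def encode_attrs(attrs):
    # Each attribute: Type(1) Length(1, includes these two octets) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()

def nas_access_request(ident, username, password, secret):
    req_auth = os.urandom(16)  # Request Authenticator: fresh random octets
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_handle(request, secret, user_db):
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    pw = unhide_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in user_db and hmac.compare_digest(pw, user_db[user])
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = encode_attrs([(REPLY_MESSAGE, b"Welcome" if ok else b"Denied")])
    auth = response_authenticator(code, ident, req_auth, reply_attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(reply_attrs)) + auth + reply_attrs

def nas_verify_reply(reply, request, secret):
    """Recompute the Response Authenticator: the only integrity check the NAS gets."""
    _, req_id, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, _ = parse_packet(reply)
    expected = response_authenticator(code, ident, req_auth, reply[20:], secret)
    return ident == req_id and hmac.compare_digest(resp_auth, expected)

def sniff_user_name(request):
    """Anyone on the NAS-to-server path reads this: only the password is hidden."""
    return dict(parse_packet(request)[3])[USER_NAME].decode()

def authenticate(username, password):
    request = nas_access_request(7, username, password, SHARED_SECRET)
    reply = server_handle(request, SHARED_SECRET, USER_DB)
    if not nas_verify_reply(reply, request, SHARED_SECRET):
        raise ValueError("reply failed Response Authenticator check")
    return parse_packet(reply)[0]
```

`sniff_user_name` makes the caveat concrete: the user name is readable by anyone on the NAS-to-server path, and the Response Authenticator is keyed by the same shared secret that hides the password, so the strength of the whole exchange rests on that secret and on the network between access point and server.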
Extensible Authentication Protocol (EAP)
A limitation of RADIUS on its own is that it only supports password-based authentication: the password is
sent either as a User-Password attribute, obscured with an MD5-based keystream keyed by the shared secret
(PAP), or as the response to a challenge (CHAP-Password). The Extensible Authentication Protocol (EAP),
carried inside RADIUS EAP-Message attributes, gives RADIUS the ability to work with a variety of
authentication schemes including public key infrastructure, Kerberos and smart cards.
The access point acts as the EAP-RADIUS translator between the wireless station and the RADIUS server. It
uses EAP to communicate with the wireless station and RADIUS to communicate with the RADIUS server. The
access point encapsulates the EAP packet it receives from the station (carrying, for example, a username or a
certificate) in one or more EAP-Message attributes of a RADIUS packet and forwards it to the RADIUS server;
RADIUS packets that carry EAP-Message must also carry a Message-Authenticator attribute, an HMAC-MD5
over the packet keyed with the shared secret, so that the relayed EAP data cannot be altered in transit. When
the server replies with Access-Accept, Access-Reject or Access-Challenge, the access point unpacks the EAP
payload from the RADIUS packet and forwards it to the wireless station as an EAP packet. The access point
never interprets the EAP method itself; it only relays.
There are several EAP types, which differ in how they pass authentication information. Between them they
support the two common ways to authenticate a wireless station: digital certificates and shared secrets
(username/password). Examples of EAP types are LEAP, EAP-MD5, EAP-TLS, EAP-TTLS and PEAP. Two of
them are described in more detail here: EAP-MD5 and EAP-TLS.
EAP-Message Digest 5 (EAP-MD5)
EAP-MD5 provides base-level EAP support. The supplicant proves that it knows the password by returning a
128-bit MD5 digest computed over the EAP Identifier, the password and a challenge chosen by the server. It is
essentially the Challenge Handshake Authentication Protocol (CHAP) carried over EAP.
EAP-MD5 is not recommended for wireless LANs because it provides only one-way authentication and derives
no keying material. Without mutual authentication, outsiders can sniff wireless station identities together with
the challenge/response pairs and recover weak passwords offline by dictionary attack, or masquerade as an
access point to make stations answer challenges of the attacker's choosing. Because EAP-MD5 produces no
session key, it also cannot supply the dynamically generated WEP keys described below for EAP-TLS.
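The EAP-MD5 exchange and both weaknesses described above, as an added example that is not code from the Thomson manual. The packets built here are the raw EAP frames an access point would relay inside RADIUS EAP-Message attributes without interpreting them (the relay itself is shown in the RADIUS example; this block stays at the EAP layer). The server name, identity, password and word list are constructed sample data.

```python
"""EAP-MD5 (EAP type 4) challenge/response, and why it is weak on the air.
Added example, not code from the Thomson manual. Shows the legitimate
exchange, an offline dictionary attack on a sniffed pair, and a rogue access
point that harvests a crackable pair with a challenge of its own choosing."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_MD5_CHALLENGE = 4


def eap_packet(code, ident, type_data=b""):
    # EAP header: Code, Identifier, Length (whole packet), then Type-Data.
    return struct.pack("!BBH", code, ident, 4 + len(type_data)) + type_data

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, pkt[4:]

def _md5_fields(type_data):
    """Split MD5-Challenge Type-Data: Type | Value-Size | Value | Name."""
    if len(type_data) < 2 or type_data[0] != TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge")
    size = type_data[1]
    if 2 + size > len(type_data):
        raise ValueError("truncated MD5-Challenge value")
    return type_data[2:2 + size], type_data[2 + size:]

def chap_digest(ident, password, challenge):
    # Same construction as CHAP (RFC 1994): MD5(Identifier | secret | challenge).
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def server_challenge(ident, challenge=None, name=b"radius.example"):
    challenge = challenge if challenge is not None else os.urandom(16)
    type_data = bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + name
    return eap_packet(EAP_REQUEST, ident, type_data)

def station_response(request, password, identity):
    """The station answers any MD5-Challenge it receives; it has no way to
    check who sent it, which is the one-way authentication problem."""
    code, ident, td = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    challenge, _ = _md5_fields(td)
    value = chap_digest(ident, password, challenge)
    return eap_packet(EAP_RESPONSE, ident, bytes([TYPE_MD5_CHALLENGE, 16]) + value + identity)

def server_verify(request, response, password):
    """Return EAP-Success or EAP-Failure for the given request/response pair."""
    _, req_id, req_td = parse_eap(request)
    code, ident, td = parse_eap(response)
    try:
        challenge, _ = _md5_fields(req_td)
        value, _ = _md5_fields(td)
    except ValueError:
        return eap_packet(EAP_FAILURE, ident)
    ok = (code == EAP_RESPONSE and ident == req_id and len(value) == 16
          and hmac.compare_digest(value, chap_digest(ident, password, challenge)))
    return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, ident)

def sniffed_identity(response):
    """The Name field (like the earlier EAP-Response/Identity) is cleartext."""
    return _md5_fields(parse_eap(response)[2])[1]

def crack_capture(request, response, wordlist):
    """Offline dictionary attack on a sniffed pair: identifier, challenge and
    response are all visible, so each guess costs one MD5."""
    _, ident, req_td = parse_eap(request)
    challenge, _ = _md5_fields(req_td)
    target, _ = _md5_fields(parse_eap(response)[2])
    for guess in wordlist:
        if chap_digest(ident, guess, challenge) == target:
            return guess
    return None

def rogue_ap_harvest(password, identity, wordlist):
    """A rogue AP picks its own challenge and the station still answers, so the
    attacker needs no sniffing at all. password/identity stand in for the
    victim station's configured credentials (constructed sample data)."""
    request = server_challenge(1, bytes(16))  # attacker-chosen, all-zero challenge
    response = station_response(request, password, identity)
    return crack_capture(request, response, wordlist)
```

Because the rogue access point controls the challenge, it can also precompute digests for a fixed challenge once and reuse them against every station it lures, which is why a fixed or predictable challenge makes the attack cheaper still.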
EAP-Transport Layer Security (EAP-TLS)
EAP-TLS provides mutual authentication. It requires certificates on both the RADIUS server and the wireless
station: each side proves its identity with public key cryptography, using a digital certificate held in software
or on a smart card. The TLS certificate message contains a certificate chain for either a key exchange public
key (such as an RSA or Diffie-Hellman key exchange public key) or a signature public key (such as an RSA or
DSS signature public key).
In a wireless deployment, the TLS handshake also yields keying material from which per-user, per-session WEP
keys are derived to protect subsequent traffic between the wireless station and the access point; this key
material never crosses the air in the clear. EAP-TLS does have its drawbacks. Outsiders can still observe the
station's identity: the EAP-Response/Identity is sent unprotected, and so is the client certificate, with the name
assigned to it, during the TLS handshake. Certificates must also be issued and managed on both the client and
the server side. EAP-TLS is therefore most attractive to large enterprises that already operate a PKI, for
example those using only Windows XP/2000/2003 clients with deployed certificates.
32
Chapter 3
Security
E-DOC-CTC-20060609-0001 v2.0