EAP is a component of an 802.1x network. EAP is designed to create a mechanism to provide authentication types that leverage existing authentication, authorization, and accounting (AAA) solutions. EAP messages can be transferred from the 802.1x supplicant to the authenticator or authentication server. The communication between the authenticator and the authentication server, such as Cisco ACS, is performed with RADIUS messages. These RADIUS messages are often transported over User Datagram Protocol (UDP). EAP is defined in RFC 2284, "PPP Extensible Authentication Protocol (EAP)." Examples of EAP types include the following:
The following sections describe each type of EAP in more detail.

EAP MD5

EAP MD5 is one of the simplest authentication mechanisms. EAP MD5 uses one-way authentication, which means that only the supplicant has to provide authentication to the authenticator. In other words, the supplicant is not protected from a rogue authenticator. EAP MD5 is not the best choice for wireless LANs because it is a one-way authentication protocol. EAP MD5 uses the MD5 hash that was originally defined in 1992. Microsoft Windows XP contains a native EAP MD5 802.1x supplicant and uses a password on the end-user workstation.

EAP TLS

EAP Transport Layer Security (TLS) uses digital certificates for user authentication and key generation. TLS uses the certificates of both the client and the authentication server to implement mutual authentication. EAP TLS verifies that the user possesses the RSA key pair that corresponds to the signed certificate. EAP TLS generates a unique key per session for each user. EAP TLS is defined in RFC 2716, "PPP EAP TLS Authentication Protocol."

LEAP

LEAP is an EAP type designed to authenticate users attempting to gain access to a wireless network. LEAP can use Cisco ACS as the authentication server. LEAP provides a secure wireless connection and promotes a unique session key for encryption for each user. The Cisco Aironet Client contains a LEAP supplicant for 802.1x wireless networks.

PEAP

PEAP was designed to provide a more secure or protected form of EAP as an alternative to EAP MD5. PEAP is supported by Microsoft and provides a protected EAP for authentication on both wireless networks and LANs. PEAP uses digital certificates on the server side to provide secure and encrypted authentication. PEAP can use EAP GTC to provide two-factor user authentication with one-time passwords. PEAP can also use MSCHAPv2 to provide a unique session key without the overhead of a client-side digital certificate solution.

PEAP is a popular EAP type on 802.1x networks today because it enables a Microsoft machine with an 802.1x supplicant to authenticate on both wireless and wired (Ethernet LAN) networks. The popularity of PEAP can also be attributed to the fact that Microsoft XP contains a native PEAP 802.1x supplicant. PEAP MSCHAPv2 and EAP TLS, described earlier, are two EAP types that support Windows machine authentication.

EAP FAST

EAP FAST is a technology that can use Cisco ACS as the authentication server. EAP FAST allows the EAP protocol to be transmitted over a secure, encrypted TLS tunnel. EAP FAST is also highly secure through the use of strong secrets, or Protected Access Credentials (PAC). Cisco ACS uses a master key to generate these credentials. PACs can be provisioned both in-band and out-of-band for the authentication process. In addition to being a strong security solution, EAP FAST can be a higher-performing solution than some of the other EAP protocols because EAP FAST can use shared secrets rather than more resource-intensive mechanisms, like digital certificates or public key infrastructure (PKI). EAP FAST can be an attractive candidate for embedded devices with low processor power since it does not have to process digital certificates. EAP FAST can be used in Layer 2 (LAN switch) NAC deployments. EAP FAST can also be used for 802.1x authentication to both wired and wireless networks.
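The EAP-over-RADIUS transport described at the start of this section, as an added example that is not from the book: the authenticator wraps the supplicant's EAP packet in RADIUS EAP-Message attributes (type 79) and signs the Access-Request with a Message-Authenticator (type 80, HMAC-MD5 keyed with the RADIUS shared secret, as RFC 3579 requires whenever EAP-Message is present), and the authentication server verifies that signature before reassembling the EAP packet. The shared secret, user identities and Request Authenticator below are constructed values.

```python
import hashlib
import hmac
import struct
# RADIUS constants from RFC 2865 / RFC 3579; all secrets and names used with them are constructed
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253  # attribute Length is one octet and includes the Type and Length octets

def eap_response_identity(identifier, identity):
    """EAP packet: Code 2 (Response), Identifier, Length, Type 1 (Identity), identity bytes."""
    type_data = bytes([1]) + identity
    return struct.pack("!BBH", 2, identifier, 4 + len(type_data)) + type_data

def radius_access_request(eap_packet, secret, request_authenticator, user_name):
    """Authenticator side: carry an EAP packet in Access-Request EAP-Message attributes."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user_name)]) + user_name
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):  # long EAP packets are fragmented
        chunk = eap_packet[i:i + MAX_ATTR_VALUE]
        attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, 0, 20 + len(attrs)) + request_authenticator
    # Message-Authenticator = HMAC-MD5(shared secret, whole packet with this field zeroed)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def extract_eap(packet, secret):
    """Authentication-server side: verify Message-Authenticator, then reassemble EAP-Message."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, eap, mac_at = 20, b"", None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_EAP_MESSAGE:
            eap += packet[pos + 2:pos + attr_len]  # fragments are concatenated in order
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac_at = pos + 2
        pos += attr_len
    if mac_at is None:
        raise ValueError("EAP-Message without Message-Authenticator (RFC 3579)")
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_at:mac_at + 16]):
        raise ValueError("Message-Authenticator mismatch: wrong secret or altered packet")
    return eap
```

A RADIUS server that skips the Message-Authenticator check accepts EAP traffic from any host that can reach its UDP port, so the verification step is the one to keep when adapting this.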