Appendix c types of eap authentication – Equinox Systems ZyAIR G-200 User Manual

ZyAIR G-200 User’s Guide

Types of EAP Authentication

E

Appendix C

Types of EAP Authentication

This appendix discusses the five popular EAP authentication types: EAP-MD5, EAP-TLS, EAP-
TTLS, PEAP and LEAP. The type of authentication you use depends on the RADIUS server.
Consult your network administrator for more information.

EAP-MD5 (Message-Digest Algorithm 5)

MD5 authentication is the simplest one-way authentication method. The authentication server
sends a challenge to the wireless station. The wireless station ‘proves’ that it knows the password
by encrypting the password with the challenge and sends back the information. Password is not
sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs to get
the plaintext passwords, the passwords must be stored. Thus someone other than the
authentication server may access the password file. In addition, it is possible to impersonate an
authentication server as MD5 authentication method does not perform mutual authentication.
Finally, MD5 authentication method does not support data encryption with dynamic session key.
You must configure WEP encryption keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certifications are needed by both the server and the wireless stations for
mutual authentication. The server presents a certificate to the client. After validating the identity
of the server, the client sends a different certificate to the server. The exchange of certificates is
done in the open before a secured tunnel is created. This makes user identity vulnerable to passive
attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity.
However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates,
which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Service)

EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the
server-side authentications to establish a secure connection. Client authentication is then done by
sending username and password through the secure connection, thus client identity is protected.
For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods
such as PAP, CHAP, MS-CHAP and MS-CHAP v2.

PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection,
then use simple username and password methods through the secured connection to authenticate
the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as
EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client
authentication. EAP-GTC is implemented only by Cisco.

LEAP

LEAP (Light Extensible Authentication Protocol) is a Cisco implementation of IEEE802.1x.
For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use
dynamic keys for data encryption. They are often deployed in corporate environments, but for
public deployment, a simple user name and password pair is more practical. The following table
is a comparison of the features of five authentication types.