Information Technology Reference
In-Depth Information
authentication server resides in the wired infrastructure. An EAP/RADIUS tunnel occurs
between the WLC and the authentication server. Cisco's Secure Access Control Server
(ACS) using EAP is an example of an authentication server.
Wired
Infrastructure
Secure ACS
Authentication
Server
LWAP
CAPWAP
Tunnel
WLC
(Authenticator)
EAP/RADIUS
Tunnel
Wireless Clients
(Supplicant)
802.1x Authentication
Key Management
Key Distribution
Secure Data Flow
Figure 5-6
WLAN Authentication
Authentication Options
Wireless clients communicate with the authentication server using EAP. Each EAP type
has advantages and disadvantages. Trade-offs exist between the security provided, EAP
type manageability, the operating systems supported, the client devices supported, the
client software and authentication messaging overhead, certificate requirements, user ease
of use, and WLAN infrastructure device support. The following summarizes the authenti-
cation options:
EAP-Transport Layer Security (EAP-TLS)
is an IETF open standard that is well-
supported among wireless vendors but rarely deployed. It uses Public Key Infrastructure
(PKI) to secure communications to the RADIUS authentication server using TLS and
digital certificates.
■
Protected Extensible Authentication Protocol (PEAP)
is a joint proposal by Cisco
Systems, Microsoft, and RSA Security as an open standard. PEAP/MSCHAPv2 is the
most common version, and it is widely available in products and widely deployed. It is
similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a
secure TLS tunnel to protect user authentication. PEAP-GTC allows more generic au-
thentication to a number of databases such as Novell Directory Services (NDS).
■
EAP-Tunneled TLS (EAP-TTLS)
was co-developed by Funk Software and Certicom.
■
cates only on the authentication server.
