User guide
Odyssey Access Client User Guide
104 802.1X Authentication
EAP-LEAP
EAP-LEAP (Lightweight EAP, also known as EAP-Cisco Wireless) is a protocol that
enables users to be authenticated using their Windows password credentials
without the use of certificates. The data exchange in EAP-LEAP is fundamentally
similar to the exchange that occurs when a user logs in to a Windows Domain
Controller.
EAP-LEAP is convenient because it works with your existing Windows credentials.
However, because EAP-LEAP does not use server certificates, its cryptographic
strength depends entirely on the randomness of the user password. As a result,
when user passwords are relatively short or insufficiently random, a wireless
eavesdropper who captures an EAP-LEAP exchange can mount an offline dictionary
attack against it and recover these weak passwords.
Reauthentication
When you reauthenticate to your network, encryption keys are refreshed and any
new or updated security policies that are implemented on the network are applied
to your network connection.
You can configure automatic periodic reauthentication to the network using
Odyssey Access Client.
Periodic reauthentication serves two purposes:
• As a general security measure, it verifies that you are still on a trusted network.
• It results in distribution of fresh shared keys to your PC and access point. The
access point might use these shared keys to refresh the keys used to encrypt
data. By frequently refreshing keys, you can thwart cryptographic attacks.
See “Enabling Automatic Reauthentication” on page 19 for information about
configuring this feature.
Session Resumption
When you first authenticate using EAP-TTLS, EAP-PEAP, EAP-POTP, or EAP-TLS, a
significant amount of computation occurs, both on your client PC and on the
network authentication server. Private keys must be used to encrypt or sign data,
signatures on certificates must be validated, and password credentials must be
selected.
Once you have authenticated a connection to the network, your network session
begins. During a session, any subsequent authentications to the same network
server can be accelerated by reusing the secret information that is derived during
the first authentication. This is called session resumption. You can configure
client-side session resumption features that apply to the certificate-based protocols
using Odyssey Access Client. This feature is particularly useful when you have a
wireless connection and are moving (“roaming”) from one access point location in
a building to another. With this feature enabled, along with automatic
reauthentication, your network connection is not interrupted and there is no need
to reconnect or reauthenticate.
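The interplay of session resumption and periodic reauthentication described in the two sections above can be illustrated with a small model. The following Python is an added example written for this guide; it is not Odyssey Access Client code and does not implement any real EAP method. The session cache keyed by server identity, the REAUTH_INTERVAL value, the HMAC-based stand-in for the master secret, and the per-access-point key derivation are all constructed assumptions chosen to show the mechanism: a full authentication is performed once per server and again after the reauthentication interval, roaming between access points reuses the cached secret, and every association still receives a fresh link key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed model of client-side session resumption with periodic
# reauthentication. Not Odyssey Access Client code; all values are assumptions.
REAUTH_INTERVAL = 600.0  # seconds between forced full reauthentications (assumed)


@dataclass
class Session:
    server_id: str          # authentication server the secret was established with
    master_secret: bytes    # secret derived during the full (expensive) authentication
    established_at: float   # time of the last full authentication
    resumptions: int = 0    # how many associations reused this secret


@dataclass
class Client:
    password: bytes                          # used only by the modelled full authentication
    sessions: dict = field(default_factory=dict)
    full_auths: int = 0                      # counts the expensive exchanges

    def full_authenticate(self, server_id: str, now: float) -> Session:
        """Stand-in for the expensive exchange (certificate validation, signatures).

        A real EAP method derives the master secret from the handshake; the HMAC
        over the server identity and a random nonce below is only a placeholder.
        """
        nonce = os.urandom(16)
        secret = hmac.new(self.password, server_id.encode() + nonce, hashlib.sha256).digest()
        self.full_auths += 1
        sess = Session(server_id, secret, now)
        self.sessions[server_id] = sess
        return sess

    @staticmethod
    def derive_link_key(sess: Session, ap_nonce: bytes, client_nonce: bytes) -> bytes:
        """Fresh per-association key: even a resumed session yields a new key per AP."""
        return hmac.new(sess.master_secret, b"link-key" + ap_nonce + client_nonce,
                        hashlib.sha256).digest()

    def connect(self, server_id: str, ap_id: str, now: float):
        """Associate to access point ap_id behind server_id; return (link_key, resumed)."""
        sess = self.sessions.get(server_id)
        if sess is None or now - sess.established_at >= REAUTH_INTERVAL:
            # No cached secret, or the reauthentication interval has elapsed:
            # do the full authentication so keys and policies are refreshed.
            sess = self.full_authenticate(server_id, now)
            resumed = False
        else:
            # Roaming to another AP behind the same server: reuse the cached secret.
            sess.resumptions += 1
            resumed = True
        ap_nonce = hashlib.sha256(ap_id.encode()).digest()[:16]  # constructed AP nonce
        client_nonce = os.urandom(16)
        return self.derive_link_key(sess, ap_nonce, client_nonce), resumed


def roaming_scenario() -> dict:
    """Three associations: initial auth, a roam 30 s later, a roam after the interval."""
    client = Client(b"example-password")  # constructed sample credential
    k1, r1 = client.connect("auth.example", "ap-1", 0.0)
    k2, r2 = client.connect("auth.example", "ap-2", 30.0)    # resumed
    k3, r3 = client.connect("auth.example", "ap-3", 700.0)   # past interval: full reauth
    return {
        "full_auths": client.full_auths,
        "resumed": [r1, r2, r3],
        "keys_distinct": len({k1, k2, k3}) == 3,
    }


if __name__ == "__main__":
    print(roaming_scenario())
```

Running the scenario shows two full authentications for three associations: the roam at 30 seconds resumes the cached secret, while the association at 700 seconds exceeds the assumed 600-second interval and triggers a full reauthentication. All three link keys differ, which is the point of combining resumption with key refresh: resumption saves the expensive exchange, not the per-association key derivation.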