Specifications

Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 3 of 42
This document focuses on EAP-TLS authentication protocol rollout in WLAN networks. Section 3 further introduces
the reader to the EAP/802.1x architecture. Section 4 discusses Public Key Infrastructure (PKI) and EAP-TLS
authentication protocol. In Section 5, EAP-TLS deployment criteria are examined in detail. Section 6 provides details
about the Validation Lab that was built to illustrate an example EAP-TLS rollout in a WLAN network. Section 7
provides EAP-TLS troubleshooting tips. Appendix A details the setup for Windows 2000 Server Certificate Services.
Appendix B provides instructions for configuring EAP-TLS using demo certificates (for proof of concept testing).
3 EAP Architecture
EAP provides a standard mechanism for supporting various authentication methods over wired and wireless
networks. An authentication, authorization, and accounting (AAA) client (also known as a network access server)
such as an access point that supports EAP need not have any understanding of the specific EAP type used in the EAP
authentication process. The network access server tunnels the authentication messages between the peer (user
machine trying to authenticate) and the AAA server (such as the Cisco Secure ACS). The network access server is
aware only of when the EAP authentication process starts and when it ends.
There are EAP types, such as LEAP and EAP-TLS, in which the authentication is mutual: the server authenticates the
user, and the user authenticates the server. Mutual authentication is usually required in a WLAN environment. For a detailed
discussion about designing and implementing WLAN security (including 802.1x/EAP architecture), refer to
www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm.
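As an added illustration (not part of the original Cisco document), the following Python model shows the pass-through role described above: the access point wraps EAP packets in RADIUS EAP-Message attributes and reads only the EAP Code to learn when authentication ends, never the EAP type. The packet layout follows RFC 2284 and the EAP-Message attribute (type 79) follows RFC 2869, both listed in Table 3.1; the 253-byte attribute value limit and the sample identity are assumptions for the demo.

```python
import struct

# EAP codes (RFC 2284)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP method types: Identity (RFC 2284) and EAP-TLS (RFC 2716, type 13)
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
# RADIUS attribute that carries EAP packets between NAS and AAA server (RFC 2869)
RADIUS_ATTR_EAP_MESSAGE = 79
# Maximum attribute value length: RADIUS attribute Length is one byte (255 incl. header)
MAX_ATTR_VALUE = 253


def build_eap(code, identifier, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_header(pkt):
    """Return (code, identifier, length); the body stays opaque to the NAS."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, ident, length


def eap_to_radius_attrs(pkt):
    """Wrap an EAP packet in one or more EAP-Message attributes (Type, Length, Value).
    Large EAP-TLS records exceed one attribute, so they are split in order."""
    attrs = []
    for off in range(0, len(pkt), MAX_ATTR_VALUE):
        chunk = pkt[off:off + MAX_ATTR_VALUE]
        attrs.append(bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk)
    return attrs


def radius_attrs_to_eap(attrs):
    """Reassemble the EAP packet from consecutive EAP-Message attributes."""
    out = b""
    for a in attrs:
        if a[0] != RADIUS_ATTR_EAP_MESSAGE or a[1] != len(a):
            raise ValueError("malformed EAP-Message attribute")
        out += a[2:]
    return out


def nas_port_decision(eap_from_server):
    """Access point logic for a packet from the AAA server: Success opens the
    port, Failure closes it, anything else is relayed to the client untouched."""
    code, _, _ = parse_eap_header(eap_from_server)
    return {EAP_SUCCESS: "authorized", EAP_FAILURE: "unauthorized"}.get(code, "relay")
```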
3.1 Relevant RFCs and Drafts
Table 3.1 lists other helpful reference documents.
EAP-TLS uses concepts of PKI:
- A WLAN client (that is, a user's machine) requires a valid certificate to authenticate to the WLAN network
- The AAA server requires a "server" certificate to validate its identity to the clients
- The certificate-authority-server infrastructure issues certificates to the AAA server(s) and the clients
Sections 4 and 5 of this document discuss PKI and EAP-TLS authentication protocol in detail.
Table 3.1 Relevant RFCs and Drafts

Document   Title
RFC 2865   Remote Authentication Dial-In User Service (RADIUS)
RFC 2869   RADIUS Extensions
RFC 2284   Point-to-Point Protocol (PPP) EAP
RFC 2716   PPP EAP-TLS Authentication Protocol
RFC 2246   TLS Protocol