HP-UX AAA Server A.07.01 Administrator's Guide
software for each EAP method (LAN access devices need only support EAP itself, not each individual method). For wireless clients, you must use supplicants that support the hardware platforms, operating systems, and WLAN cards in your environment. Ideally, choose client hardware and software that lets you use one EAP method for all your clients. This may mean avoiding solutions that are proprietary or that support only a small variety of clients.
Next, determine which of the following features are important to you:
1. Dynamic Key Exchange—Distributes a user-specific encryption key to the client and access device during the authentication process. Without this feature, all clients must share the same static encryption key.
2. Mutual Authentication—Protects against unauthorized (rogue) access devices by allowing clients to authenticate the network they are connecting to.
3. Password-based Authentication—Clients provide a password to authenticate to the network. Typically the password is sent to the server in a hashed (one-way encrypted) form. If you are integrating with an existing password storage format, be sure the EAP method you choose is compatible with that storage format. For the most flexibility, choose an EAP method that allows the AAA server to access the password in clear text (for example, the PAP password format). If the password travels in clear text (the PAP format), you must use an EAP method that encrypts the channel between the client and the access point (such as TTLS or PEAP).
4. Digital Certificate/Token Card-based Authentication—Uses a token card, smart card, or digital certificate assigned to each user for authentication. This feature must be deployed in an environment with supporting infrastructure—for example, an organization with a PKI and user-specific certificates.
5. Encrypted Tunnel—Establishes an encrypted channel to securely deliver authentication messages and encryption keys. The encrypted tunnel encapsulates another EAP method that provides the actual user authentication. Encrypted tunnels are good for securing authentication methods that are vulnerable when not encapsulated in an encrypted tunnel.
6. OATH standards-based OTP and two-factor authentication—Uses the OATH standards-based HOTP algorithm to provide OTP authentication. Typically, OTP is used to provide two-factor authentication, which gives a higher level of security than passwords alone.
NOTE: The HP-UX AAA Server supports only the following EAP authentication
methods for OTP authentication:
• PEAP (EAP-GTC)
• TTLS (PAP)
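To make the HOTP feature in item 6 concrete, the following added example (not code from this guide or from the HP-UX AAA Server product) implements the OATH HOTP algorithm as specified in RFC 4226 and the server-side check a AAA server performs on a submitted OTP. The secret, the counter values and the look-ahead window size are constructed for illustration (the secret is the RFC 4226 test-vector key); nothing here reflects how the HP-UX AAA Server stores or resynchronizes counters.

```python
import hashlib
import hmac
import struct

# Constructed example: the 20-byte ASCII secret from the RFC 4226 test vectors.
# A real deployment provisions a unique random secret per token.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an RFC 4226 HOTP value: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble of last byte selects the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side verification with a look-ahead window (RFC 4226 section 7.4).

    The token may have been advanced without the server seeing the OTP (e.g. a
    button pressed by mistake), so the server accepts any counter in
    [server_counter, server_counter + look_ahead]. On success it returns the
    counter value to store next (one past the matched counter), which is what
    prevents replay of the same OTP. On failure it returns None and the stored
    counter must not change.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    for c in range(server_counter, server_counter + look_ahead + 1):
        # compare_digest avoids leaking the match position through timing.
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # First three RFC 4226 test vectors for the example secret.
    for n in range(3):
        print(n, hotp(EXAMPLE_SECRET, n))
    # A token three steps ahead of the server is still accepted, and the
    # server moves its counter past the matched value.
    print("accepted, next counter:", verify_hotp(EXAMPLE_SECRET, "359152", 0))
    # Re-submitting an already-consumed OTP is rejected.
    print("replay:", verify_hotp(EXAMPLE_SECRET, "755224", 1))
```

For two-factor use, the AAA server typically concatenates or pairs this OTP with a PIN or password held by the user; the OTP part alone is what the code above checks. Because the verification compares against a window of counters, the window size is a tuning trade-off: a larger window tolerates more out-of-sync button presses but gives an attacker more valid codes per guess, so keep it small and rate-limit failed attempts.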
The following table lists the EAP methods the HP-UX AAA Server supports and which of the above features each method offers. Use the table and your inventory information to help decide which EAP method to use.
Determining the EAP Authentication Method to Use 145