HP-UX AAA Server A.08.02 Administrator's Guide

1. Dynamic Key Exchange—Distributes a user-specific encryption key to the client and access device during the authentication process. Without this feature, all clients must share the same static encryption key.
2. Mutual Authentication—Protects against unauthorized (rogue) access devices by allowing clients to authenticate the network they are connecting to.
3. Password-based Authentication—Clients provide a password to authenticate to the network. Typically the password is sent to the server in a hashed (one-way encrypted) form. If you are integrating with an existing password storage format, be sure the EAP method you choose is compatible with that storage format. For the most flexibility, choose an EAP method that allows the AAA server to access the password in clear text (for example, the PAP password format). Storing passwords in clear text requires you to use EAP methods that encrypt the channel between the client and the access point (like TTLS or PEAP).
4. Digital Certificate/Token Card-based Authentication—Uses a token card, smart card, or digital certificate assigned to each user for authentication. This feature must be deployed in an environment with supporting infrastructure—for example, an organization with a PKI and user-specific certificates.
5. Encrypted Tunnel—Establishes an encrypted channel to securely deliver authentication messages and encryption keys. The encrypted tunnel encapsulates another EAP method that provides the actual user authentication. Encrypted tunnels are good for securing authentication methods that are vulnerable when not encapsulated in an encrypted tunnel.
6. OATH standards-based OTP and two-factor authentication—Uses the OATH standards-based HOTP algorithm to provide OTP authentication. Typically, OTP can be used to provide two-factor authentication, thus providing a higher level of security than using passwords alone.
NOTE: The HP-UX AAA Server supports only the following EAP authentication methods for OTP authentication:
- PEAP (EAP-GTC)
- TTLS (PAP and MS-CHAP v2)

The HP-UX AAA Server also supports EAP-SIM and EAP-AKA for mobile communication networks. For information on EAP-SIM and EAP-AKA, see Chapter 17 (page 160).
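The HOTP algorithm that feature 6 relies on is specified in RFC 4226; the following is an added example (not code from the HP-UX AAA Server) showing how a server generates an HOTP value and validates a submitted OTP against its stored counter with a small look-ahead window, so that a token pressed a few times out of band still works while a replayed code is rejected. The shared secret is the RFC 4226 test-vector secret, used here only as constructed sample data.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[19] & 0x0F  # low nibble of last byte selects the window
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                look_ahead: int = 3, digits: int = 6):
    """Server-side validation (RFC 4226 section 7.4 resynchronization).

    Tries the current counter and up to `look_ahead` following values.
    Returns the counter the server must store next on success, or None.
    Because the stored counter only advances, an OTP that was already
    accepted (or any earlier one) can never be accepted again."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test-vector secret, not a real key.
    secret = b"12345678901234567890"
    stored = 0
    for attempt in ("755224", "755224", "969429"):
        new_counter = verify_hotp(secret, attempt, stored)
        print(f"OTP {attempt} at counter {stored}: "
              f"{'accepted' if new_counter is not None else 'rejected'}")
        if new_counter is not None:
            stored = new_counter
```

In the deployment described above the OTP travels as the password inside a PEAP (EAP-GTC) or TTLS tunnel, so the validation step shown here is what the AAA server performs after the tunnel has protected the value in transit.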
The following table lists the EAP methods the HP-UX AAA Server supports and which of the above
features each method offers. Use the table and your inventory information to help decide which
EAP method to use.
Table 33 Supported EAP Methods and Their Features

EAP Method: TTLS
Feature: 1, 2, 3, 5, 6
Description: Tunneled TLS. Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Supplicants available for a large number of clients.

EAP Method: PEAP
Feature: 1, 2, 5, 6
Description: Protected EAP. Functionally very similar to TTLS, but does not encapsulate legacy authentication methods.

EAP Method: TLS
Feature: 1, 2, 4, 5
Description: Transport Layer Security. Uses TLS (also known as SSL) to authenticate the client using its digital certificate. NOTE: Some supplicants require specific extensions to support certificates for EAP.

EAP Method: MD5
Feature: 3
Description: Message Digest 5. Passwords are hashed using the MD5 algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above).
114 Securing LAN Access With EAP