Security Solutions

1-25
Access Control Concepts
Network Access Control Technologies
MS-CHAPv2
The most common version of CHAP used in contemporary networks is MS-CHAPv2.
MS-CHAPv2 builds on the basic CHAP process, but adds several capabilities.
First, MS-CHAPv2 provides mutual authentication, which protects users and their
credentials from hackers that pose as legitimate servers. MS-CHAPv2 also
enables more sophisticated controls over the authentication process. For
example, the authentication server can limit the number of times an endpoint
can attempt to authenticate. It can also force users to periodically change
their passwords and explain to users why their authentication failed.
EAP
EAP establishes a standardized framework for authentication protocols. The
first EAP request and response packets initiate the authentication process.
Subsequent packets are EAP method packets, which essentially encapsulate
other authentication protocols. (When selecting an EAP type, you must ensure
that both the RADIUS server and the 802.1X supplicant that runs on the
endpoint support that EAP type. For more information about supplicants, see
“Authentication Requirements” on page 1-23.)
Note You will probably use EAP in an Ethernet network; this particular brand of
EAP is more precisely called EAP over LAN (EAPOL). However, this design
guide follows common usage and refers simply to EAP.
Because EAP can encapsulate any authentication protocol as an EAP method,
it provides flexibility. New methods can be developed to meet new needs; all
methods fit within the standard framework, so you can choose the ones that
meet your security requirements.
EAP methods range from relatively insecure to very secure and from simple
to complex to deploy. You should familiarize yourself with the most common
EAP methods, all of which are non-proprietary, so that you can make informed
choices for your network.
Note Although EAP can encapsulate any authentication protocol, only the protocols
that pass Internet Assigned Numbers Authority (IANA) screening are designated
as registered EAP methods and assigned a standard EAP number. As of early
2007, IANA recognized more than 40 registered EAP authentication protocols.
Many of these are vendor-specific protocols that implement proprietary
authentication schemes.
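The framework described above (initial Identity request/response, method packets that carry an IANA-assigned type number, and the requirement that server and supplicant agree on a method) can be seen in the packet layout itself. The following is an added example written for this guide, not code from any product it describes; it encodes and decodes RFC 3748 EAP packets, wraps one in an EAPOL frame, and shows how a supplicant answers a request for a method it does not support with a Legacy Nak listing the methods it does. The method numbers are from the IANA EAP registry; the user name and the supported-method set are constructed sample values.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

# EAP codes (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# A few IANA-registered EAP method type numbers
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4
EAP_TYPE_TLS, EAP_TYPE_PEAP = 13, 25
# EAPOL framing constants (IEEE 802.1X)
EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 2, 0

@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int]   # None for Success/Failure, which carry no Type octet
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

    @classmethod
    def decode(cls, raw: bytes) -> "EapPacket":
        code, ident, length = struct.unpack("!BBH", raw[:4])
        if length < 4 or length > len(raw):
            raise ValueError("EAP Length field inconsistent with packet")
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return cls(code, ident, None)
        if length < 5:
            raise ValueError("EAP Request/Response must carry a Type octet")
        return cls(code, ident, raw[4], raw[5:length])

def eapol_wrap(eap: EapPacket) -> bytes:
    """EAPOL header (version, packet type, body length) followed by the EAP packet."""
    body = eap.encode()
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(body)) + body

def supplicant_reply(request: EapPacket, supported: set[int], identity: bytes) -> EapPacket:
    """Answer a server Request. Identity gets the user name; a method the
    supplicant cannot run gets a Legacy Nak listing the methods it can, so the
    server learns the mismatch instead of the exchange silently failing."""
    if request.type == EAP_TYPE_IDENTITY:
        return EapPacket(EAP_RESPONSE, request.identifier, EAP_TYPE_IDENTITY, identity)
    if request.type not in supported:
        return EapPacket(EAP_RESPONSE, request.identifier, EAP_TYPE_NAK, bytes(sorted(supported)))
    # A supported method continues with its own method-specific exchange (not modelled here).
    raise NotImplementedError(f"EAP method {request.type} negotiated; method exchange follows")
```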