Security Solutions

1-26
Access Control Concepts
Network Access Control Technologies
EAP-Message Digest 5 (MD5). EAP-MD5 is a base-level authentication
protocol similar to CHAP; for credentials, an endpoint submits a one-way hash
of a random challenge and its password.
This method has the advantage of simplicity, which makes implementation
and configuration straightforward. But, like CHAP, it is vulnerable to:
Automated cracking tools and dictionary attacks
Attackers that pose as the authentication server and steal credentials
Thus, EAP-MD5 affords only a low level of protection and is not regarded as
suitable for wireless networks. Another reason this method is unsuitable for
wireless networks is that it does not provide material necessary for generating
encryption keys and securing the connection.
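To make the CHAP-style exchange above concrete, here is an added example (not from the original text) that builds and checks EAP MD5-Challenge packets as laid out in RFC 3748: the peer answers with MD5(Identifier || password || challenge), and the server recomputes the same value from the cleartext password it must hold. The peer and server names and the password database are constructed for the demo; note that nothing in the exchange yields keying material, and that the server is never required to prove its own identity.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748, section 5.4

def eap_packet(code, identifier, type_data):
    """EAP header (Code | Identifier | Length incl. header) + Type + Type-Data."""
    length = 4 + 1 + len(type_data)
    return struct.pack("!BBH", code, identifier, length) + bytes([EAP_TYPE_MD5_CHALLENGE]) + type_data

def md5_challenge_request(identifier, challenge, server_name=b"auth-server"):
    # Type-Data for MD5-Challenge: Value-Size | Value (the challenge) | Name
    return eap_packet(EAP_REQUEST, identifier, bytes([len(challenge)]) + challenge + server_name)

def parse_md5_challenge(packet):
    """Return (code, identifier, value, name) from a request or response packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]

def md5_response_value(identifier, password, challenge):
    # Same computation as CHAP (RFC 1994): one-way hash of Identifier, secret, challenge.
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def md5_challenge_response(identifier, password, challenge, peer_name):
    value = md5_response_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, bytes([len(value)]) + value + peer_name)

def server_verify(request, response, password_db):
    """Server side: recompute the hash from the stored cleartext password and compare."""
    _, req_id, challenge, _ = parse_md5_challenge(request)
    code, resp_id, value, peer_name = parse_md5_challenge(response)
    if code != EAP_RESPONSE or resp_id != req_id:   # identifier ties response to request
        return False
    password = password_db.get(peer_name)           # server must hold the password itself
    if password is None:
        return False
    expected = md5_response_value(req_id, password, challenge)
    return hmac.compare_digest(expected, value)

def run_exchange(password_db, peer_name, password, identifier=7, challenge=None):
    """Full request/response round trip; returns True only if the server accepts."""
    challenge = challenge if challenge is not None else os.urandom(16)
    request = md5_challenge_request(identifier, challenge)
    response = md5_challenge_response(identifier, password, challenge, peer_name)
    return server_verify(request, response, password_db)
```

Because the response is fully determined by values visible on the wire plus the password, anyone who records an exchange can check password guesses against it, and any party can issue a challenge and collect responses; these are the two weaknesses the text describes.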
Lightweight EAP (LEAP). A Cisco proprietary EAP method, LEAP authenticates
users by means of passwords; it also provides keying material, which is
important for wireless networks. However, although LEAP provides mutual
authentication, it is vulnerable to man-in-the-middle attacks and is not
recommended.
EAP-TLS (Transport Layer Security). EAP-TLS is highly secure because
it uses public key infrastructure (PKI) digital certificates for authentication
credentials. It also provides mutual authentication: both the supplicant and
the server must possess valid certificates.
EAP-TLS is impervious to the attacks that affect EAP-MD5 but can be difficult
to implement. Managing significant numbers of certificates requires
specialized software and human expertise, which makes EAP-TLS substantially
more expensive than password-based methods.
EAP-Tunneled TLS (TTLS). Created by Funk Software as an extension to
EAP-TLS, EAP-TTLS removes the obstacle of certificate management.
Like EAP-TLS, EAP-TTLS enforces mutual authentication. But with EAP-TTLS,
only authentication servers, not supplicants, authenticate with digital
certificates, reducing the number of necessary certificates perhaps a
thousandfold. For this reason, EAP-TTLS is significantly easier to deploy
than EAP-TLS.
Although supplicants authenticate with usernames and passwords, EAP-TTLS
preserves much of the security of EAP-TLS by establishing a two-step
procedure for tunneling those credentials.