Security Solutions
1-27
Access Control Concepts
Network Access Control Technologies
In the first step, the outer TLS handshake, the server authenticates to the
supplicant by presenting its certificate. The supplicant uses the public key in
that certificate to verify the server and to protect the key exchange from which
both sides derive symmetric session keys, creating an encrypted tunnel. In the
second step, the inner handshake, the supplicant submits its credentials through
that tunnel using a secondary authentication protocol.
The secondary protocol can be another EAP method, but it is typically one of
the legacy password protocols carried over RADIUS: PAP, CHAP, MS-CHAP, or
MS-CHAPv2 (see “RADIUS” on page 1-28). A relatively insecure but easy-to-
implement inner protocol is acceptable because the tunnel protects the
messages. That protection holds only if the supplicant actually validates the
server certificate (trusted CA and expected server name). A supplicant
configured to skip validation will build a tunnel to a rogue access point just
as readily and hand it a plaintext PAP password or an MS-CHAPv2 response that
can be cracked offline.
The encryption tunnel exists only for the duration of the inner handshake; once
that handshake completes, the TLS tunnel is torn down. The key material derived
from it is not discarded, though: the keys exported from the TLS session are
what the supplicant and authenticator use afterwards (for example, as the
pairwise master key in a WPA2-Enterprise network).
Protected EAP (PEAP). PEAP was developed by Microsoft, Cisco, and RSA Security
as an extension of EAP-TLS and is very similar to EAP-TTLS. Like EAP-TTLS, PEAP
uses a two-step authentication architecture, in which the supplicant and server
first create a symmetric tunnel over which the supplicant then sends its
credentials.
Unlike EAP-TTLS, PEAP carries only EAP methods inside the tunnel, so it cannot
tunnel the non-EAP PAP and CHAP exchanges that EAP-TTLS can; in practice the
inner method is almost always EAP-MSCHAPv2 (PEAPv0), with EAP-GTC as the
common alternative. The level of security, however, is approximately the same
as EAP-TTLS, because in both cases it rests on the outer TLS tunnel and on the
supplicant validating the server certificate.
EAP-Subscriber Identity Module (SIM). A SIM is a smart card installed in a
mobile device that stores the subscriber’s unique International Mobile
Subscriber Identity (IMSI) and a secret authentication key (Ki). EAP-SIM reuses
the GSM challenge-response mechanism: the authentication server, which has
access to the operator’s database of legitimate IMSIs and their corresponding
Kis, issues challenges that only a SIM holding the right Ki can answer, and the
SIM authenticates by returning the correct responses without ever revealing Ki.
The same exchange also yields keying material, derived from the GSM session
keys, that secures subsequent transmissions.
EAP-SIM is used chiefly by mobile operators to authenticate SIM-equipped
devices, such as handsets joining the operator’s Wi-Fi network, without any
user interaction.
EAP-Generic Token Card (GTC). EAP-GTC is similar in design to EAP-MD5: a single
request carrying a text challenge and a single response. It was originally
designed to work with token cards, devices that generate one-time passwords
(OTPs), which are far less exposed than traditional static passwords because a
captured response cannot be reused. EAP-GTC can also be used with a traditional
static password, but the GTC response travels in clear text, so without an
outer tunnel the password is exposed directly on the wire; this leaves it open
to the same eavesdropping and dictionary attacks that afflict EAP-MD5, and in
the static-password case it is even weaker. In contemporary networks, EAP-GTC
is therefore used almost exclusively as the inner protocol of EAP-TTLS or PEAP.
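To make concrete why the legacy inner methods above (the PAP/CHAP family behind EAP-TTLS, and EAP-GTC or EAP-MD5) are acceptable only inside a tunnel, here is an added example: my own Python, not code from the textbook or from any EAP implementation. It builds EAP-MD5-Challenge (Type 4) and EAP-GTC (Type 6) packets in the RFC 3748 format and shows what a passive observer on an untunnelled link recovers from each. The user name, password, and wordlist are constructed sample data, not captured traffic.

```python
"""
Added example (not from the textbook): EAP-MD5-Challenge (RFC 3748 Type 4,
hashed as in RFC 1994 CHAP) and EAP-GTC (RFC 3748 Type 6) side by side, as
seen by an eavesdropper when they are NOT wrapped in a TTLS/PEAP tunnel.
"""
import hashlib
import os
import struct

# EAP Code values (RFC 3748 section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# EAP Type values
TYPE_IDENTITY, TYPE_MD5_CHALLENGE, TYPE_GTC = 1, 4, 6


def build_eap(code, identifier, eap_type, type_data):
    """Serialise one EAP packet: Code | Identifier | Length(2, BE) | Type | Type-Data."""
    length = 5 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def parse_eap(pkt):
    """Parse an EAP packet; returns (code, identifier, eap_type, type_data)."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, eap_type, pkt[5:length]


def md5_challenge_value(identifier, password, challenge):
    """CHAP/EAP-MD5 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def eap_md5_request(identifier, challenge, name=b""):
    # MD5-Challenge Type-Data: Value-Size | Value (challenge) | Name
    return build_eap(EAP_REQUEST, identifier, TYPE_MD5_CHALLENGE,
                     bytes([len(challenge)]) + challenge + name)


def eap_md5_response(request_pkt, password, name=b""):
    """Supplicant side: answer an MD5-Challenge request with the hashed value."""
    _, identifier, eap_type, data = parse_eap(request_pkt)
    if eap_type != TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge request")
    challenge = data[1:1 + data[0]]
    value = md5_challenge_value(identifier, password, challenge)
    return build_eap(EAP_RESPONSE, identifier, TYPE_MD5_CHALLENGE,
                     bytes([len(value)]) + value + name)


def eap_gtc_request(identifier, prompt=b"Password:"):
    # GTC Type-Data of a Request is just a displayable prompt
    return build_eap(EAP_REQUEST, identifier, TYPE_GTC, prompt)


def eap_gtc_response(request_pkt, password):
    """Supplicant side: the GTC Response carries the typed secret itself, unhashed."""
    _, identifier, eap_type, _ = parse_eap(request_pkt)
    if eap_type != TYPE_GTC:
        raise ValueError("not a GTC request")
    return build_eap(EAP_RESPONSE, identifier, TYPE_GTC, password.encode())


# --- what a passive observer on an untunnelled link gets from each method ---

def observe_gtc(response_pkt):
    """EAP-GTC with a static password: the password is read straight off the wire."""
    _, _, eap_type, data = parse_eap(response_pkt)
    if eap_type != TYPE_GTC:
        raise ValueError("not a GTC response")
    return data.decode()


def crack_eap_md5(request_pkt, response_pkt, wordlist):
    """EAP-MD5: the value is hashed, but anyone who captured request and
    response can test candidate passwords offline against the same challenge."""
    _, identifier, _, req = parse_eap(request_pkt)
    _, _, _, resp = parse_eap(response_pkt)
    challenge = req[1:1 + req[0]]
    value = resp[1:1 + resp[0]]
    for candidate in wordlist:
        if md5_challenge_value(identifier, candidate, challenge) == value:
            return candidate
    return None


# Constructed sample session (not captured traffic): a weak static password
# and a small wordlist that happens to contain it.
PASSWORD = "Winter2024"
WORDLIST = ["password", "Summer2024", "Winter2024", "letmein"]


def demo():
    ident = 7
    challenge = os.urandom(16)  # per-session challenge from the authenticator
    md5_req = eap_md5_request(ident, challenge, b"alice")
    md5_resp = eap_md5_response(md5_req, PASSWORD, b"alice")
    gtc_req = eap_gtc_request(ident + 1)
    gtc_resp = eap_gtc_response(gtc_req, PASSWORD)  # static password, not an OTP
    return {
        "md5_cracked": crack_eap_md5(md5_req, md5_resp, WORDLIST),
        "gtc_observed": observe_gtc(gtc_resp),
    }


if __name__ == "__main__":
    print(demo())
```

Run inside an EAP-TTLS or PEAP tunnel, both exchanges cross the air as TLS records and the observer sees neither the challenge nor the response; run bare, EAP-GTC leaks the static password outright and EAP-MD5 leaks enough for an offline dictionary attack. A true token-card OTP in the GTC response would be useless to the observer after its one use, which is the assumption EAP-GTC was designed around.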