User's Manual

Appendix D Wireless LANs
B222s User’s Guide
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client proves that it knows the password by encrypting the password with the challenge and sending back the result. The password itself is not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs the plaintext passwords, the passwords must be stored in plaintext form. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server, because the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.
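The following Python model of the EAP-MD5 exchange described above is an added example, not code from the B222s guide. The response is the MD5 of the EAP identifier, the password and the challenge (RFC 3748 section 5.4); the code shows that the server must hold the plaintext password to verify a response, and that the client answers a challenge without ever authenticating who sent it. The AuthServer class, the user name and the passwords are constructed sample values.

```python
import hashlib
import secrets

# EAP-MD5 reuses the CHAP computation (RFC 3748 section 5.4, RFC 1994):
#   Response = MD5(Identifier || Secret || Challenge)
# Identifier is the one-octet EAP packet identifier, Secret the password.

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Value the wireless client returns in EAP-Response/MD5-Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


class AuthServer:
    """Authentication server side of EAP-MD5 (hypothetical, for illustration)."""

    def __init__(self, users: dict):
        # The server must keep the password itself: verify() recomputes the
        # MD5 over it, so a salted password hash could not be used here.
        self.users = users

    def new_challenge(self) -> bytes:
        # Fresh random challenge per attempt, so a captured response is
        # useless against a later challenge.
        return secrets.token_bytes(16)

    def verify(self, username: str, identifier: int,
               challenge: bytes, response: bytes) -> bool:
        password = self.users.get(username)
        if password is None:
            return False
        expected = eap_md5_response(identifier, password, challenge)
        return secrets.compare_digest(expected, response)


def run_exchange(server: AuthServer, username: str,
                 client_password: bytes, identifier: int = 1) -> bool:
    """One EAP-MD5 exchange; returns True when the server accepts the client."""
    challenge = server.new_challenge()           # EAP-Request/MD5-Challenge
    # The client answers whatever challenge arrives: nothing in this step
    # authenticates the server, which is why EAP-MD5 lacks mutual authentication.
    response = eap_md5_response(identifier, client_password, challenge)
    return server.verify(username, identifier, challenge, response)


if __name__ == "__main__":
    # Constructed sample user database; with EAP-MD5 it holds plaintext passwords.
    server = AuthServer({"alice": b"sample-password"})
    print(run_exchange(server, "alice", b"sample-password"))  # True
    print(run_exchange(server, "alice", b"wrong-password"))   # False
```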
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes the user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity.
However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of EAP-TLS authentication that uses a certificate only for server-side authentication to establish a secure connection. Client authentication is then done by sending a username and password through the secure connection, so the client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAPv2.
PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding the client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
Dynamic WEP Key Exchange
The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.