User's Guide

ZyAIR B-5000 User’s Guide
Appendix E
Types of EAP Authentication
This appendix discusses two popular EAP authentication types: EAP-MD5 and EAP-TLS. The type of
authentication you use depends on the RADIUS server. Consult your network administrator for more
information.
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a
challenge to the wireless station. The wireless station 'proves' that it knows the password by computing an
MD5 hash over the password and the challenge and sending back the result. The password is not sent in plain text.
However, MD5 authentication has some weaknesses. Because the authentication server needs the plaintext
passwords to check the response, the passwords must be stored. Thus someone other than the authentication
server may access the password file. In addition, it is possible to impersonate an authentication server, as
the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication
method does not support data encryption with dynamic session keys. You must configure WEP encryption keys
for data encryption.
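The challenge/response described above, as an added example that is not part of the original guide. It uses the MD5-Challenge computation from RFC 1994 (CHAP), which EAP-MD5 follows; the names AuthServer, md5_response and station_authenticate and the sample account are hypothetical.

```python
import hashlib
import hmac
import os


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response value: MD5(Identifier || password || challenge), as in RFC 1994."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class AuthServer:
    """Hypothetical authentication server holding a constructed user table."""

    def __init__(self, users):
        # The server can only recompute the response from the plaintext
        # password, so the password file must contain it as-is.
        self.users = dict(users)
        self.pending = {}
        self.next_id = 0

    def issue_challenge(self, user: str):
        identifier = self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)  # fresh random value for every attempt
        self.pending[user] = (identifier, challenge)
        return identifier, challenge

    def verify(self, user: str, response: bytes) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed against the same challenge.
        identifier, challenge = self.pending.pop(user, (None, None))
        password = self.users.get(user)
        if challenge is None or password is None:
            return False
        expected = md5_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


def station_authenticate(server: AuthServer, user: str, password: bytes) -> bool:
    identifier, challenge = server.issue_challenge(user)
    # Nothing in the challenge lets the station check who sent it:
    # authentication is one-way (server verifies station only), and no
    # session key comes out of the exchange.
    return server.verify(user, md5_response(identifier, password, challenge))


if __name__ == "__main__":
    srv = AuthServer({"alice": b"correct horse"})  # constructed sample account
    print(station_authenticate(srv, "alice", b"correct horse"))
    print(station_authenticate(srv, "alice", b"wrong password"))
```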
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certificates are needed by both the server and the wireless stations for mutual
authentication. The server presents a certificate to the client. After validating the identity of the server, the
client sends a different certificate to the server. The exchange of certificates is done in the open before a
secured tunnel is created. This makes user identity vulnerable to passive attacks. A digital certificate is an
electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a
Certificate Authority (CA) to handle certificates, which imposes a management overhead.
For added security, certificate-based authentication methods such as EAP-TLS use dynamic keys for data
encryption. They are often deployed in corporate environments, but for public deployment, a simple user
name and password pair is more practical. The following table compares the features of the two
authentication types used in the ZyAIR.