Using EAP Types
EAP is a component of an 802.1x network. EAP is designed to create a mechanism to provide authentication types that leverage existing authentication, authorization, and accounting (AAA) solutions. EAP messages can be transferred from the 802.1x supplicant to the authenticator or authentication server. The communication between the authenticator to the authentication server, such as Cisco ACS, is performed with RADIUS messages. These RADIUS messages are often transported over User Datagram Protocol (UDP). EAP is defined in RFC 2284, "PPP Extensible Authentication Protocol (EAP)." Examples of EAP types include the following:
EAP MD5—EAP MD5 supports one-way authentication, similar to Challenge Handshake Authentication Protocol (CHAP). CHAP is defined in RFC 1994 and uses a shared secret for authentication. The authenticator can receive an MD5 hash derived from the shared secret in order to verify the validity of the authentication request.
EAP Transport Layer Security (TLS)—EAP TLS uses digital certificates
LEAP—Wireless EAP supports mutual authentication
Protected EAP (PEAP)—PEAP was coauthored by Microsoft and Cisco. Microsoft Windows also includes a native PEAP supplicant. PEAP can also be used for Layer 3 NAC, or NAC with the authentication client on an IOS router. PEAP also supports both MSCHAPv2 and Generic Token Card (GTC). MSCHAPv2 is Microsoft CHAP version 2 and implements addition support for changing passwords. Microsoft’s Active Directory is an example of a directory that supports the MSCHAPv2 protocol for authentication. GTC allows authentication to be based upon one-time passwords and logon passwords and does not require a directory to support MSCHAPv2.
EAP FAST—EAP FAST is the EAP type for Layer 2 NAC (authentication client on a Catalyst LAN switch) with 802.1x (NAC-L2-802.1x). EAP FAST is also good on wireless networks since EAP FAST is tunneled LEAP.
The following sections describe each type of EAP in more detail.
EAP MD5 is one of the simplest authentication mechanisms. EAP MD5 uses one-way authentication, which means that only the supplicant has to provide authentication to the authenticator. In other words, the supplicant is not protected from a rogue authenticator. EAP MD5 is not the best choice for wireless LANs because it is a one-way authentication protocol. EAP MD5 uses the MD5 hash that was originally defined in 1992. Microsoft Windows XP contains a native EAP MD5 802.1x supplicant and uses a password on the end-user workstation.
EAP Transport Layer Security (TLS) uses digital certificates for user authentication and key generation. TLS uses both the certificate of the client and authentication server to implement mutual authentication. EAP TLS verifies that the user possesses an RSA key pair that is signed in the certificate. EAP TLS generates a unique key per session for each user. EAP TLS is defined in RFC 2716, "PPP EAP TLS Authentication Protocol."
LEAP is an EAP type designed to authenticate users attempting gain access to a wireless network. LEAP can use Cisco ACS as the authentication server. LEAP provides a secure wireless connection and promotes a unique session key for encryption for each user. The Cisco Aironet Client contains a LEAP supplicant for 802.1x wireless networks.
PEAP was designed to provide a more secure or protected form of EAP as an alternative to EAP MD5. PEAP is supported by Microsoft and provides a protected EAP for authentication on both wireless networks and LANs. PEAP uses digital certificates on the server-side to provide secure and encrypted authentication. PEAP can use EAP GTC to provide two-factor user authentication with one-time passwords. PEAP can also use MSCHAPv2 to provide a unique session key without the overhead of a client-side digital certificate solution.
PEAP is a popular EAP type on 802.1x networks today because it enables a Microsoft machine with an 802.1x supplicant to authenticate on both wireless and wired (Ethernet LAN) networks. The popularity of PEAP can also be attributed to the fact that Microsoft XP contains a native PEAP 802.1x supplicant. PEAP MSCHAPv2 in addition to EAP TLS described earlier are two EAP types that support Windows machine authentication.
EAP FAST is a technology that can use Cisco ACS as the authentication server. EAP FAST allows the EAP protocol to be transmitted over a secure, encrypted TLS tunnel. EAP FAST is also highly secure through the use of strong secrets, or Protected Access Credentials (PAC). Cisco ACS uses a master key to generate these credentials. PACs can be provisioned both in-band and out-of-band for the authentication process.
In addition to being a strong security solution, EAP FAST can be a higher-performing solution than some of the other EAP protocols because EAP FAST can use shared secrets rather than more resource-intensive mechanisms, like digital certificates or public key infrastructure (PKI). EAP FAST can be an attractive candidate for embedded devices with low processor power since it does not have to process digital certificates. EAP FAST can be used in Layer 2 or LAN switch NAC deployment. EAP FAST can also be used for 802.1x authentication to both wired and wireless networks.