Extensible Authentication Protocol (EAP)

802.1X is an IEEE standard for port-based network security that has been ratified and updated several times. It was initially intended to standardize security on wired network ports, but it was also found to be applicable to wireless networking.

Extensible Authentication Protocol (EAP) is a Layer 2 (MAC address layer) security protocol that exists at the authentication stage of the security process and, coupled with the security measures discussed thus far, provides a third and final layer of security for your wireless network. Using 802.1X, when a device requests access to the AP, the following steps occur with EAP:

1. The access point requests authentication information from the client.

2. The user then supplies the requested authentication information.

3. The AP then forwards the client supplied authentication information to a standard RADIUS server for authentication and authorization.

4. Upon authorization from the RADIUS server, the client is allowed to connect and transmit data.


Note

Not everyone has a RADIUS server that is ready to use LEAP; however, Cisco APs can be configured with a feature called local AAA Authentication on a per-user basis. This enables the user database to reside in the AP instead of RADIUS and works well if you have only a limited number of users.


More than a dozen types of EAP are available, making for a complicated set of choices. The four most commonly used EAP methods today are the following:

• Lightweight Extensible Authentication Protocol (LEAP)

• EAP-TLS (Transport Layer Security)

• EAP-PSK (Pre-Shared Key)

• EAP-TTLS (Tunneled Transport Layer Security)

The following sections provide a quick overview of each EAP method.

LEAP

EAP-Cisco Wireless, or LEAP as it is more commonly known, is a standard developed by Cisco alongside the 802.1X standard and is the basis for much of the ratified version of EAP. Like EAP-MD5, LEAP accepts a username and password from the wireless device and transmits them to the RADIUS server for authentication. Cisco added support beyond what the standard required, resulting in the following security benefits:

• LEAP authenticates the client; one-time WEP keys are dynamically generated for each client connection. This means that every client on your wireless network is using a different dynamically generated WEP key that no one knows—not even the user.

• LEAP supports a RADIUS feature called session timeouts, which requires clients to log in again every few minutes. Fortunately, this is all handled without the user needing to do anything. Couple this feature with dynamic WEP keys, and your WEP keys change so often that attackers have a difficult time determining the key.

• LEAP conducts mutual authentication from client-to-access point and access point-to-client; this stops attackers from introducing rogue APs into your network.

There is a known limitation to running LEAP. MS-CHAPv1 is used for both the client and AP authentication and is known to have vulnerabilities; definitely look at alternatives to anything Microsoft thinks is secure. LEAP can be cracked with asleap, written by Joshua Wright and available at www.willhackforsushi.com, so you might want to consider stronger wireless security than LEAP.
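The four-step exchange listed at the start of this section, together with the per-session key generation and mutual authentication credited to LEAP above, can be seen end to end in the following simulation. This is an added example, not code from the book or from Cisco: the message formats, the challenge-response proof and the key derivation are simplified stand-ins (HMAC-SHA256 over random nonces) for a real EAP method, and the user table, identities and passwords are constructed for the example. It shows that the access point only relays EAP and never learns the password, that a fresh key comes out of every successful session, and that a supplicant rejects a network which cannot prove it knows the shared secret.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16   # random challenge material
PROOF_LEN = 32   # HMAC-SHA256 output
KEY_LEN = 16     # stand-in for a dynamically generated per-session WEP key


@dataclass
class Eap:
    """One EAP message relayed between supplicant, AP and RADIUS (simplified)."""
    code: str            # "Request", "Response", "Success" or "Failure"
    eap_type: str        # "Identity" or "Challenge"
    payload: bytes = b""


def _mac(secret: bytes, *parts: bytes) -> bytes:
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


class RadiusServer:
    """Holds the user database and answers the AP's Access-Requests."""

    def __init__(self, users: dict):
        self.users = users     # constructed identity -> password table
        self.pending = {}      # identity -> nonce of the outstanding challenge

    def access_request(self, identity: str, msg: Eap) -> Eap:
        password = self.users.get(identity)
        if password is None:
            return Eap("Failure", msg.eap_type)
        if msg.eap_type == "Identity":
            nonce = secrets.token_bytes(NONCE_LEN)
            self.pending[identity] = nonce
            return Eap("Request", "Challenge", nonce)
        server_nonce = self.pending.pop(identity, None)
        client_nonce, client_proof = msg.payload[:NONCE_LEN], msg.payload[NONCE_LEN:]
        if server_nonce is None or not hmac.compare_digest(
                client_proof, _mac(password, server_nonce, client_nonce, b"client")):
            return Eap("Failure", "Challenge")
        # Access-Accept: prove knowledge of the secret back to the client and
        # hand the AP key material that is valid for this session only.
        server_proof = _mac(password, server_nonce, client_nonce, b"server")
        session_key = _mac(password, server_nonce, client_nonce, b"key")[:KEY_LEN]
        return Eap("Success", "Challenge", server_proof + session_key)


class Supplicant:
    """The wireless client; besides RADIUS, the only party that knows the password."""

    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password
        self.server_nonce = self.client_nonce = self.session_key = None

    def respond(self, msg: Eap) -> Eap:
        if msg.eap_type == "Identity":
            return Eap("Response", "Identity", self.identity.encode())
        self.server_nonce = msg.payload
        self.client_nonce = secrets.token_bytes(NONCE_LEN)
        proof = _mac(self.password, self.server_nonce, self.client_nonce, b"client")
        return Eap("Response", "Challenge", self.client_nonce + proof)

    def verify_server(self, server_proof: bytes) -> bool:
        expected = _mac(self.password, self.server_nonce, self.client_nonce, b"server")
        if not hmac.compare_digest(server_proof, expected):
            return False   # the network could not prove it knows the secret (rogue AP)
        self.session_key = _mac(self.password, self.server_nonce, self.client_nonce, b"key")[:KEY_LEN]
        return True


class AccessPoint:
    """The authenticator: relays EAP and opens the port only on Access-Accept."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.authorized = {}   # identity -> per-session key

    def authenticate(self, client: Supplicant) -> bool:
        # Steps 1 and 2: the AP requests authentication information; the client supplies its identity.
        identity_resp = client.respond(Eap("Request", "Identity"))
        identity = identity_resp.payload.decode()
        # Step 3: the AP forwards what the client supplied to RADIUS and relays the challenge back.
        challenge = self.radius.access_request(identity, identity_resp)
        if challenge.code != "Request":
            return False
        result = self.radius.access_request(identity, client.respond(challenge))
        if result.code != "Success":
            return False
        server_proof, session_key = result.payload[:PROOF_LEN], result.payload[PROOF_LEN:]
        # Step 4: the port is authorized only after the client has also verified the network.
        if not client.verify_server(server_proof):
            return False
        self.authorized[identity] = session_key
        return True


class ServerWithoutSecret(RadiusServer):
    """Test double for a network that accepts everyone but does not hold the user's
    password; used to show why mutual authentication matters."""

    def access_request(self, identity: str, msg: Eap) -> Eap:
        if msg.eap_type == "Identity":
            return Eap("Request", "Challenge", secrets.token_bytes(NONCE_LEN))
        return Eap("Success", "Challenge", secrets.token_bytes(PROOF_LEN + KEY_LEN))
```

Running two successful sessions for the same user yields two different keys, which is the property behind the dynamic-key and session-timeout bullets above; a wrong password or an unknown user is rejected by the RADIUS server before the port opens, and a network built on `ServerWithoutSecret` is rejected by the supplicant itself, which never derives a session key for it.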


Note

Extensible Authentication Protocol (EAP) is a widely used method of authenticating; EAP is more of a format than a process. With EAP as the framework, many additional authentication methods are built upon it.


EAP-TLS

Microsoft developed EAP-TLS, which is outlined in RFC 2716. Instead of username/password combinations, EAP-TLS uses X.509 certificates to handle authentication. EAP-TLS relies on transport layer security to pass PKI information to EAP. Like LEAP, EAP-TLS offers the following:

• Dynamic one-time WEP key generation

• Mutual authentication of the client and the network

The drawbacks of EAP-TLS include the following:

• PKI is required to use EAP-TLS; however, most companies do not deploy PKI.

• Microsoft Active Directory with a certificate server can be used; however, change is difficult in this model.

• If you use Open LDAP or Novell Directory Services, you need a RADIUS server; again, not everyone has immediate access to one.

• If you have implemented PKI using VeriSign certificates, not all of the fields required by EAP-TLS are present.

Unless you are ready to follow the implementation of EAP-TLS exactly as Microsoft has laid it out, you should probably look for another method.

EAP-PSK

Pre-shared keys (PSK) are the basis of this EAP method, which was designed for use in wireless networks. When EAP-PSK is used, communication is protected with AES so that integrity is preserved and authentication can succeed.

EAP-TTLS

Funk Software (now part of Juniper Networks) pioneered EAP-TTLS as an alternative to EAP-TLS. The wireless access point still identifies itself to the client with a server certificate, but the users now send their credentials in username/password form. EAP-TTLS then passes the credentials through any of a number of administrator-specified challenge-response mechanisms (PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PAP/Token Card, or EAP). The only drawbacks of EAP-TTLS are the following:

• It is slightly less secure than the dual certificates of EAP-TLS.

• Protected EAP (PEAP) is the newer version championed by Cisco, RSA, and Microsoft.
