Access Control Concepts

Network Access Control Technologies

MS-CHAPv2

The most common version of CHAP used in contemporary networks is MS-CHAPv2. MS-CHAPv2 builds on the basic CHAP process but adds several capabilities. First, MS-CHAPv2 provides mutual authentication: the server must return a response derived from the user's password hash before the client trusts it, which protects users and their credentials from attackers posing as legitimate servers. Note that the MS-CHAPv2 challenge/response itself is computed from the NT password hash with DES, so on its own it does not protect a guessable password from offline attack; in 802.1X deployments it is normally run inside a TLS-protected tunnel such as PEAP.

MS-CHAPv2 also gives the authentication server more control over the authentication process. For example, the server can limit the number of times an endpoint can attempt to authenticate, force users to change their passwords periodically, and tell users why their authentication failed.

EAP

EAP establishes a standardized framework for authentication protocols rather than a single authentication method. The first EAP Request and Response packets (normally Request/Identity and Response/Identity) initiate the authentication process. Subsequent packets are EAP method packets, which encapsulate the actual authentication protocol. (When selecting an EAP type, you must ensure that both the RADIUS server and the 802.1X supplicant that runs on the endpoint support that EAP type; a supplicant that does not support the requested type answers with a Nak listing the types it does support. For more information about supplicants, see "Authentication Requirements" on page 1-23.)

You will most likely use EAP on an Ethernet network, where the EAP packets are carried directly in Ethernet frames using the encapsulation that IEEE 802.1X defines, EAP over LAN (EAPOL). However, this design guide follows common usage and refers simply to EAP.

Because EAP can encapsulate any authentication protocol as an EAP method, it provides flexibility. New methods can be developed to meet new needs; all methods fit within the standard framework, so you can choose the ones that meet your security requirements.

EAP methods range from relatively insecure to very secure and from simple to complex to deploy. You should familiarize yourself with the most common EAP methods, all of which are non-proprietary, so that you can make informed choices for your network.

Although EAP can encapsulate any authentication protocol, only the protocols that pass Internet Assigned Numbers Authority (IANA) screening are designated as registered EAP methods and assigned a standard EAP type number. As of early 2007, IANA recognized more than 40 registered EAP authentication protocols. Many of these are vendor-specific protocols that implement proprietary authentication schemes.
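The following is an added example, not code from the HP manual, that makes the framing described above concrete: it decodes the 4-byte EAPOL header that 802.1X puts in front of every EAP packet on an Ethernet link, then the EAP header (Code, Identifier, Length) and the Type byte that selects the method, and walks a short exchange. The exchange, the identity "alice", and the small table of type numbers are constructed for illustration (the IANA registry is far larger); the server offers PEAP (type 25), the supplicant does not support it and answers with a Legacy Nak asking for EAP-TLS (type 13), and the server gives up with Failure, which is exactly the supplicant/server mismatch the text warns about.

```python
"""Added example: decode IEEE 802.1X EAPOL frames and the EAP packets inside
them, then walk a constructed supplicant/authenticator exchange."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAPOL packet types (IEEE 802.1X).
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# EAP Code field (RFC 3748).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A handful of IANA-registered EAP method type numbers; the registry has many more.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Legacy Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    method_type: Optional[int]   # None for Success/Failure, which carry no Type
    type_data: bytes


def parse_eapol(frame: bytes) -> Tuple[int, int, bytes]:
    """Split an EAPOL frame into (version, packet type, body)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header is 4 bytes")
    version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL type {eapol_type}")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    return version, eapol_type, body


def parse_eap(packet: bytes) -> EapPacket:
    """Decode the 4-byte EAP header and, for Request/Response, the Type byte."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length")
    if code in (3, 4):                       # Success / Failure
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, identifier, length, packet[4], packet[5:length])


def describe(pkt: EapPacket) -> str:
    """One-line summary; Identity and Nak payloads are decoded, others shown raw."""
    name = EAP_CODES[pkt.code]
    if pkt.method_type is None:
        return f"{name} id={pkt.identifier}"
    tname = EAP_TYPES.get(pkt.method_type, f"type {pkt.method_type}")
    if pkt.method_type == 1:                 # Identity: type_data is the identity string
        ident = pkt.type_data.decode("utf-8", "replace")
        return f"{name}/Identity id={pkt.identifier} identity={ident!r}"
    if pkt.method_type == 3:                 # Legacy Nak: each byte is a desired type
        wanted = [EAP_TYPES.get(t, str(t)) for t in pkt.type_data]
        return f"{name}/Nak id={pkt.identifier} wants={wanted}"
    return f"{name}/{tname} id={pkt.identifier} data={pkt.type_data.hex()}"


def walk_exchange(frames: List[bytes]) -> List[str]:
    """Summarise each EAPOL frame; non-EAP EAPOL frames are reported by type."""
    out = []
    for frame in frames:
        version, eapol_type, body = parse_eapol(frame)
        if eapol_type != 0:
            out.append(f"EAPOL v{version} {EAPOL_TYPES[eapol_type]}")
            continue
        out.append(describe(parse_eap(body)))
    return out


# Constructed sample exchange (not captured traffic): supplicant starts, authenticator
# asks for identity, then offers PEAP; the supplicant lacks PEAP and Naks with EAP-TLS.
SAMPLE_EXCHANGE = [
    b"\x02\x01\x00\x00",                                  # EAPOL-Start
    b"\x02\x00\x00\x05" + b"\x01\x01\x00\x05\x01",        # Request/Identity
    b"\x02\x00\x00\x0a" + b"\x02\x01\x00\x0a\x01alice",   # Response/Identity "alice"
    b"\x02\x00\x00\x06" + b"\x01\x02\x00\x06\x19\x20",    # Request/PEAP (flags: Start)
    b"\x02\x00\x00\x06" + b"\x02\x02\x00\x06\x03\x0d",    # Response/Nak, wants EAP-TLS
    b"\x02\x00\x00\x04" + b"\x04\x03\x00\x04",            # Failure
]

if __name__ == "__main__":
    for line in walk_exchange(SAMPLE_EXCHANGE):
        print(line)
```

The length checks matter in practice: the EAP Length field is authoritative and may be shorter than the frame (trailing padding) or, in malformed traffic, longer than what arrived, so the parser slices on the declared length and rejects anything truncated rather than trusting the frame size.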

HP Access Control Client Software manual, page 1-25 (MS-CHAPv2, EAP)