Access Control Concepts

Network Access Control Technologies

EAP-Message Digest 5 (MD5). EAP-MD5 is a base-level authentication protocol similar to CHAP; for credentials, an endpoint submits a one-way hash of a random challenge and its password.

This method has the advantage of simplicity, which makes implementation and configuration straightforward. But, like CHAP, it is vulnerable to:

Automated cracking tools and dictionary attacks

Attackers that pose as the authentication server and steal credentials

Thus, EAP-MD5 affords only a low level of protection and is not regarded as suitable for wireless networks. Another reason this method is unsuitable for wireless networks is that it does not provide material necessary for generating encryption keys and securing the connection.
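The points above follow directly from how the exchange is computed. The following Python is an added illustration, not code from the HP manual or its software: it implements the EAP-MD5 challenge/response as RFC 3748 specifies it (the CHAP computation from RFC 1994, MD5 over Identifier, password and Challenge) and shows, in the same code, why the transcript alone lets anyone test password guesses, why a rogue server can collect responses, and why there is no keying material left over for the wireless link. Function names and the sample passwords are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the HP manual): the EAP-MD5 exchange as specified in
# RFC 3748 section 5.4, which reuses the CHAP computation from RFC 1994:
#     Response = MD5(Identifier || password || Challenge)
# Every input except the password travels over the network in the clear.


def new_challenge(length: int = 16) -> bytes:
    """Server side: pick a fresh random challenge (16 octets is the usual size)."""
    return os.urandom(length)


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: compute the Response field of EAP-Response/MD5-Challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_verify(identifier: int, stored_password: bytes, challenge: bytes,
                  response: bytes) -> bool:
    """Authentication-server side: recompute and compare in constant time.
    The server needs the plaintext password to do this; a salted password
    hash is not enough, which is itself a deployment weakness."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(password_on_supplicant: bytes, password_on_server: bytes,
                 identifier: int = 1, challenge: Optional[bytes] = None) -> dict:
    """Drive one round trip and return what an on-path observer sees plus the
    server's verdict. The password itself never appears in the transcript."""
    challenge = new_challenge() if challenge is None else challenge
    response = eap_md5_response(identifier, password_on_supplicant, challenge)
    accepted = server_verify(identifier, password_on_server, challenge, response)
    return {"identifier": identifier, "challenge": challenge,
            "response": response, "accepted": accepted}


def keying_material(transcript: dict) -> bytes:
    """EAP-MD5 produces no Master Session Key. The only secret-derived value is
    the 16-byte response, and that was sent in the clear, so there is nothing
    to hand to 802.11i/WPA key derivation. Returning b"" makes that explicit."""
    return b""


def transcript_suffices_to_test_guess(transcript: dict, guess: bytes) -> bool:
    """Why dictionary attacks and rogue servers work: server_verify needs only
    Identifier, Challenge, Response and a candidate password, and the first
    three are in the captured transcript. Whoever observes the exchange can run
    the server's own check offline, and a device posing as the server can
    issue the challenge itself, because the supplicant never authenticates
    the server before answering."""
    return server_verify(transcript["identifier"], guess,
                         transcript["challenge"], transcript["response"])


if __name__ == "__main__":
    t = run_exchange(b"correct horse", b"correct horse")  # constructed sample password
    print("server accepted:", t["accepted"])
    print("MSK octets available for WPA:", len(keying_material(t)))
    print("observer can confirm 'wrong':", transcript_suffices_to_test_guess(t, b"wrong"))
    print("observer can confirm 'correct horse':",
          transcript_suffices_to_test_guess(t, b"correct horse"))
```

Note the asymmetry the code makes visible: the server proves nothing to the supplicant, so the supplicant has no way to refuse a challenge from an impostor, and a supplicant's response is useful to anyone holding the transcript. Both halves of the page's warning trace back to a single, passive-observable MD5 computation.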

Lightweight EAP (LEAP). A Cisco proprietary EAP method, LEAP authenticates users by means of passwords; it also provides keying material, which is important for wireless networks. However, although LEAP provides mutual authentication, it is vulnerable to man-in-the-middle attacks and is not recommended.

EAP-TLS (Transport Level Security). EAP-TLS is highly secure because it uses public key infrastructure (PKI) digital certificates for authentication credentials. It also provides mutual authentication: both the supplicant and the server must possess valid certificates.

EAP-TLS is impervious to the attacks that affect EAP-MD5 but can be difficult to implement. Managing significant numbers of certificates requires specialized software and human expertise, which makes EAP-TLS substantially more expensive than password-based methods.

EAP-Tunneled TLS (TTLS). Created by Funk Software as an extension to EAP-TLS, EAP-TTLS removes the obstacle of certificate management.

Like EAP-TLS, EAP-TTLS enforces mutual authentication. But with EAP-TTLS, only authentication servers, not supplicants, authenticate with digital certificates, reducing the number of necessary certificates perhaps a thousandfold. For this reason, EAP-TTLS is significantly easier to deploy than EAP-TLS.

Although supplicants authenticate with usernames and passwords, EAP-TTLS preserves much of the security of EAP-TLS by establishing a two-step procedure for tunneling those credentials.

HP Access Control Client Software manual Access Control Concepts