Access Control Concepts

Network Access Control Technologies

In the first step—the initial TLS handshake—the server authenticates to the supplicant. The two devices use the public key in the server certificate to exchange cipher keys and create a symmetric encryption tunnel. In the second step—the secondary handshake—the supplicant submits credentials over the secure tunnel using a secondary authentication protocol.

The secondary protocol can be another EAP method, but is typically a form of the RADIUS CHAP/PAP protocols (see “RADIUS” on page 1-28). You can use a relatively insecure—but easy to implement—secondary protocol because the tunnel secures the messages.

The encryption tunnel is maintained only for the duration of the secondary handshake; once the handshake is complete, the tunnel is destroyed.

Protected EAP (PEAP). PEAP is Microsoft’s extension of EAP-TLS and is very similar to EAP-TTLS. Like EAP-TTLS, PEAP uses a two-step authentication architecture, in which the supplicant and server create a symmetric tunnel over which the supplicant then sends its credentials.

Unlike EAP-TTLS, EAP-PEAP does not support the RADIUS CHAP/PAP protocols; it generally supports MS-CHAPv2 instead. The level of security, however, is approximately the same.

EAP-Subscriber Identity Module (SIM). A SIM is a smart card installed on a mobile device, which stores the device’s unique International Mobile Subscriber Identity (IMSI) and authentication key (Ki). The SIM uses the IMSI and Ki to authenticate, in a secure manner, to an authentication server, which has access to a database of legitimate IMSIs and the corresponding Kis. The SIM might also negotiate encryption keys with the authentication server to secure future transmissions.

EAP-SIM is primarily used as a secure authentication method for headless devices such as wireless phones.

EAP-Generic Token Card (GTC). While EAP-GTC is similar in design to EAP-MD5, this method was originally designed to work with token cards, devices that store one-time passwords (OTPs), which are less susceptible to cracking than traditional, static passwords. However, EAP-GTC can be used with a traditional password, in which case it is vulnerable to many of the attacks to which EAP-MD5 is also prey. In contemporary networks, EAP-GTC is most often used as the inner protocol for EAP-TTLS or PEAP.
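As an added example (not part of the original text), the server-side verifier below shows what makes a token-card OTP harder to abuse than a static password submitted over EAP-GTC: each code is accepted once, and the verifier advances past it so the same value cannot be replayed. It assumes HOTP (RFC 4226, HMAC-SHA1 over a counter) as the token algorithm; the user name and seed are constructed, and the seed is the RFC's published test secret so the codes can be checked against its vectors.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenCardVerifier:
    """Backend check for an OTP carried as the EAP-GTC response.
    `secrets` maps user -> token seed (constructed sample data)."""

    def __init__(self, secrets: dict[str, bytes], window: int = 5):
        self.secrets = dict(secrets)
        # Next counter value the server expects from each token.
        self.counters = {user: 0 for user in secrets}
        # Look-ahead window tolerates codes generated but never submitted.
        self.window = window

    def verify(self, user: str, submitted: str) -> bool:
        seed = self.secrets.get(user)
        if seed is None:
            return False
        start = self.counters[user]
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(seed, counter), submitted):
                # Move past the accepted counter: the same code, and any
                # earlier unused codes, are now rejected (no replay).
                self.counters[user] = counter + 1
                return True
        return False


if __name__ == "__main__":
    verifier = TokenCardVerifier({"alice": b"12345678901234567890"})
    print(verifier.verify("alice", hotp(b"12345678901234567890", 0)))  # True
    print(verifier.verify("alice", hotp(b"12345678901234567890", 0)))  # False
```

A static password, by contrast, compares equal on every submission, which is why the text says EAP-GTC with a traditional password inherits EAP-MD5's weaknesses and is best run inside an EAP-TTLS or PEAP tunnel.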

1-27