Configuring AAA for Network Users 415

IEEE 802.1X Extensible Authentication Protocol Types

Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports multiple authentication mechanisms. EAP has been adopted as a standard by the Institute of Electrical and Electronics Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator.

Table 28 on page 415 summarizes the EAP protocols (also called types or methods) supported by WSS Software.

Table 28: EAP Authentication Protocols for Local Processing

| EAP Type | Description | Use | Considerations |
|---|---|---|---|
| EAP-MD5 (EAP with Message Digest Algorithm 5) | Authentication algorithm that uses a challenge-response mechanism to compare hashes | Wired authentication only¹ | This protocol provides no encryption or key establishment. |
| EAP-TLS (EAP with Transport Layer Security) | Protocol that provides mutual authentication, integrity-protected encryption algorithm negotiation, and key exchange. EAP-TLS provides encryption and data integrity checking for the connection. | Wireless and wired authentication. All authentication is processed on the WSS switch. | This protocol requires X.509 public key certificates on both sides of the connection. |
| PEAP-MS-CHAP-V2 (Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2) | The wireless client authenticates the server (either the WSS switch or a RADIUS server) using TLS to set up an encrypted session. Mutual authentication is performed by MS-CHAP-V2. | Wireless and wired authentication: The PEAP portion is processed on the WSS switch. The MS-CHAP-V2 portion is processed on the RADIUS server or locally, depending on the configuration. | Only the server side of the connection requires a certificate. The client needs only a username and password. |

1. EAP-MD5 does not work with Microsoft wired authentication clients.

Nortel WLAN Security Switch 2300 Series Configuration Guide
