How does Passwordless EAP (Extensible Authentication Protocol) operate?


Answer Preview

How does passwordless EAP (Extensible Authentication Protocol) work?

Overview of 802.1X

 

802.1X is a port-based access control protocol that protects networks through authentication. This type of authentication is especially useful in a Wi-Fi environment because of the shared nature of the medium. When a Wi-Fi user authenticates over 802.1X to access the network, a virtual port is opened on the access point, allowing communication. If the user is not authorized correctly, no virtual port is made available and communications are blocked.

 

There are three basic pieces in 802.1X authentication:

1. Supplicant: a software client running on the Wi-Fi workstation.

2. Authenticator: the Wi-Fi access point.

3. Authentication server: an authentication database, typically a RADIUS server, such as Cisco ACS*, Funk Steel-Belted Radius* or Microsoft IAS*.

 

The Extensible Authentication Protocol (EAP) is used to pass authentication information between the supplicant (the Wi-Fi workstation) and the authentication server (Microsoft IAS or another). The EAP type in use is what actually controls and defines the authentication. The access point, acting as the authenticator, is only a proxy that relays traffic between the supplicant and the authentication server.

 

What should I use?

 

Which EAP type to deploy, or whether to deploy 802.1X at all, depends on the level of security your organization needs, the administrative overhead you can accept, and the features you want. The descriptions below and a comparative chart will make it easier to understand the variety of EAP types available.

 

Extensible Authentication Protocol (EAP) Authentication Types

Because wireless local area network (WLAN) security is essential and EAP authentication types provide a potentially better means of securing the WLAN connection, vendors quickly develop and add EAP authentication types to their WLAN access points. Some of the most common EAP authentication types include EAP-MD5, EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, and Cisco LEAP.

 

1. EAP-MD5 (Message Digest 5) Challenge is an EAP authentication type that provides entry-level EAP support. EAP-MD5 is generally not recommended for Wi-Fi LAN deployments because it can allow the user's password to be derived. It provides only one-way authentication: there is no mutual authentication of the Wi-Fi client and the network. Very importantly, it also provides no means to derive dynamic, per-session Wired Equivalent Privacy (WEP) keys.

2. EAP-TLS (Transport Layer Security) provides mutual, certificate-based authentication of the client and the network. It relies on client and server certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications between the WLAN client and the access point. One drawback of EAP-TLS is that certificates must be managed on both the client and the server. In a large WLAN installation this can be a very complex task.

3. EAP-TTLS (Tunneled Transport Layer Security) was developed by Funk Software* and Certicom* as an extension of EAP-TLS. This security method provides certificate-based mutual authentication of the client and the network over an encrypted channel (or tunnel), as well as a means to derive dynamic per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server certificates.

4. EAP-FAST (Flexible Authentication via Secure Tunneling) was developed by Cisco*. Instead of using a certificate to achieve mutual authentication, EAP-FAST authenticates using a PAC (Protected Access Credential) that can be managed dynamically by the authentication server. The PAC can be provisioned (distributed once) to the client, either manually or automatically. Manual provisioning delivers the PAC to the client on a disk or through a secure network distribution method. Automatic provisioning is an in-band, over-the-air distribution.

5. EAP-SIM (Extensible Authentication Protocol Method for GSM Subscriber Identity) is a mechanism for authentication and session key distribution. It uses the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM uses a dynamic, session-based WEP key, derived by the client adapter and the RADIUS server, to encrypt the data. EAP-SIM requires the user to enter a verification code, or PIN, to communicate with the SIM card. A SIM card is a special smart card used in digital cellular networks based on GSM.

6. EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with mobile networks to validate a particular user to the network.

7. LEAP (Lightweight Extensible Authentication Protocol) is an EAP authentication type used primarily on Cisco Aironet* WLANs. It encrypts data transmissions using dynamically generated WEP keys and supports mutual authentication. Formerly proprietary, LEAP has been licensed by Cisco to a variety of other manufacturers through its Cisco Compatible Extensions program.

8. PEAP (Protected Extensible Authentication Protocol) provides a method for transporting authentication data securely, including legacy password-based protocols, over 802.11 Wi-Fi networks. PEAP accomplishes this by using a tunnel between the PEAP client and the authentication server. Like the competing EAP-TTLS, PEAP authenticates Wi-Fi LAN clients using only server certificates, simplifying the deployment and management of a secure Wi-Fi LAN. Microsoft, Cisco, and RSA Security developed PEAP.

 

EAP Authentication Exchange Process

 

1.- The authentication server sends an Authentication Request to the client. The Request message carries a Type field that indicates what is being requested; the defined types are Identity, Notification, Nak, MD5-Challenge, One-Time Password (OTP), Generic Token Card (GTC), Expanded Types and Experimental.

 

2.- The client sends a Response packet to the server. As in the Request packet, the Response packet contains a Type field, which corresponds to the Type field of the Request.

 

3.- The authentication server sends an additional Request packet, to which the client sends a Response. The Request and Response sequence continues as needed. As mentioned, EAP is a lock-step protocol, so the next packet cannot be sent until a valid one has been received. The server is responsible for retransmitting Requests; the retransmission rules are described in the EAP RFC, RFC 3748. After a number of retransmissions, the server MAY terminate the EAP conversation. The server MUST NOT send a Success or Failure packet when retransmitting or when it fails to receive a response from the client.

 

4.- The conversation continues until the server cannot authenticate the client (it receives unacceptable Responses to one or more Requests), in which case the server MUST transmit a Failure message. Alternatively, the conversation continues until the server determines that authentication has succeeded, in which case the server MUST send a Success packet.
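As an added example (not part of the original answer), the four steps above modelled in Python: a simulated authentication server and supplicant exchange RFC 3748 Request/Response packets for the Identity and MD5-Challenge types, each Response must echo the Identifier of the outstanding Request, and the server finishes with Success or Failure. The user database, password, identity, challenge bytes and starting Identifier are constructed sample values.

```python
import hashlib
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP Code values (RFC 3748 s4)
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4           # EAP Type values (RFC 3748 s5)
USERS = {b"alice": b"s3cret"}                      # constructed sample user database

def build(code, identifier, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

def parse(pkt):
    """Decode the header and return (code, identifier, data); reject a bad Length."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, pkt[4:]

def md5_response(identifier, secret, challenge):
    """MD5-Challenge value (RFC 3748 s5.4): MD5(Identifier | Secret | Challenge).
    Identifier, challenge and digest all travel in the clear (see EAP-MD5 above)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def peer_answer(request, identity, secret):
    """Supplicant side: answer a Request with a Response echoing its Identifier."""
    code, ident, data = parse(request)
    if code != REQUEST:
        return None                                # lock-step: only Requests get answered
    if data[0] == TYPE_IDENTITY:
        return build(RESPONSE, ident, bytes([TYPE_IDENTITY]) + identity)
    if data[0] == TYPE_MD5_CHALLENGE:
        challenge = data[2:2 + data[1]]            # Value-Size byte, then Value
        value = md5_response(ident, secret, challenge)
        return build(RESPONSE, ident, bytes([TYPE_MD5_CHALLENGE, len(value)]) + value)
    return None

def server_exchange(challenge, identity, peer_secret, users=USERS):
    """Authentication-server side of steps 1-4; returns the final EAP Code."""
    ident = 7                                      # constructed starting Identifier
    resp = peer_answer(build(REQUEST, ident, bytes([TYPE_IDENTITY])), identity, peer_secret)
    code, r, data = parse(resp)
    if code != RESPONSE or r != ident or data[0] != TYPE_IDENTITY:
        return FAILURE                             # unacceptable Response -> Failure
    name, ident = data[1:], ident + 1              # fresh Identifier for the next Request
    req = build(REQUEST, ident, bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge)
    code, r, data = parse(peer_answer(req, identity, peer_secret))
    if code != RESPONSE or r != ident or data[0] != TYPE_MD5_CHALLENGE:
        return FAILURE
    expected = md5_response(ident, users.get(name, b""), challenge)
    return SUCCESS if data[2:2 + data[1]] == expected else FAILURE
```

The Identifier check is what enforces the lock-step rule: a Response that does not match the outstanding Request is rejected rather than silently accepted.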
