Thursday, November 26, 2015

Authentication Methods for WiFi Networks - Part 2

Strong EAP Methods
  • Non Tunneled Methods
    • EAP-TLS
      • Needs a certificate on both the server and the client side. The client-side certificate requirement makes it costly to implement.
      • Needs a public key infrastructure (PKI).
      • Normally it does not create a tunnel to pass the client certificate to the server, as no tunnel is required for that. In privacy mode, however, a tunnel is created.
  • Tunneled Methods: In these methods, a TLS tunnel is established between the authentication server and the supplicant using the server certificate. The purpose of the tunnel is to protect the information provided by the supplicant.
    • EAP-TTLS (defined in RFC 5281)
    • EAP-PEAPv0 (outer authentication) / EAP-MSCHAPv2 (inner authentication): Microsoft
    • EAP-PEAPv0 (outer authentication) / EAP-TLS (inner authentication): Microsoft
    • EAP-PEAPv1 (outer authentication) / EAP-GTC (inner authentication): Cisco
    • EAP-FAST: Cisco
      • Provides mutual and tunneled authentication.
      • Instead of using standards-based X.509 digital certificates, it uses Protected Access Credentials (PACs).
      • PACs can be automatically provisioned on the clients by the server or can be manually configured by the administrator.
      • PACs contain symmetric keys, so EAP-FAST has a performance advantage over methods that use asymmetric keys.
      • In May 2009, the Wi-Fi Alliance added EAP-FAST to the WPA2 interoperability certification.
  • These methods support mutual authentication, i.e. both the authentication server and the supplicant are validated.
  • In tunneled methods, the supplicant has two identities (outer and inner). The outer identity is effectively a bogus user name and the inner one is the true identity. The outer identity is sent in clear text, since it is exchanged before the encrypted tunnel is set up, whereas the inner identity is sent within the tunnel.
  • EAP-PEAPv0 / EAP-MSCHAPv2 is the most popular of the tunneled methods, as Microsoft was the dominant player in both server and client operating systems.
  • EAP-PEAP came after EAP-TTLS, but the size of Microsoft and Cisco enabled it to surpass TTLS.
  • PEAP is often referred to as "EAP inside EAP".
  • Microsoft operating systems do not provide support for EAP-PEAPv1.
  • EAP-TTLS supports just about anything for inner authentication, whereas EAP-PEAP is very selective. Legacy methods such as PAP, CHAP, MS-CHAP and MS-CHAPv2, as well as EAP protocols such as EAP-MSCHAPv2, are supported in EAP-TTLS. But support for EAP-TTLS is much smaller than for EAP-PEAP.
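As an added example (not from the original post), the outer/inner identity split and the server-certificate-based tunnel described above, written as two wpa_supplicant network blocks for EAP-PEAPv0 / EAP-MSCHAPv2; the SSID, realm, credentials and file paths are assumptions.

```conf
# Added example, not from the original post. SSID, realm, password and
# certificate path are constructed values.

# Weak configuration: no CA certificate and no server-name check, so the
# supplicant builds the TLS tunnel to whichever server answers, and the real
# user name doubles as the outer identity, so it crosses the air in clear text.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="s3cret"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

# Hardened configuration: the outer (clear-text) identity is a placeholder in
# the same realm, the true identity travels only inside the TLS tunnel, and the
# server certificate must chain to the enterprise CA and carry the expected
# host name before any MSCHAPv2 credential is released into the tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

The realm in `anonymous_identity` is what lets the RADIUS proxy route the request, so it must match the inner identity's realm even though the user part is a placeholder.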


    • Designed for 2G (GSM) networks.
    • It does not offer mutual authentication.
    • Designed for 3G (UMTS & CDMA2000) networks.
    • Supports mutual authentication.

  • EAP-TLS vs TLS
    • TLS (SSL 3.0) secures communication at the transport layer of the OSI model, whereas EAP-TLS works at Layer 2.
