WLAN Security Describing EAP Authentications
Symmetric Keys
Asymmetric Keys
Digital Signature
Trusted Third Party
Certificates
PKI
EAP-TLS
Client support
- Windows 2000, XP, Vista and Windows CE (natively supported)
- Linux, Mac (AirPort Extreme)
- Each client requires a user certificate
Infrastructure requirements
- EAP-TLS-supported RADIUS server
- RADIUS server requires a server certificate
- Certificate Authority server (PKI infrastructure)
Certificate management
- Both client and RADIUS server certificates must be managed (issuance, renewal, revocation)
EAP-TLS (Cont.)
EAP-FAST
Considered in three phases:
- Phase zero: a Protected Access Credential (PAC) is generated (dynamic PAC provisioning)
  - A unique shared credential used to mutually authenticate client and server
  - Associated with a specific user ID (I-ID) and an Authority ID (A-ID)
  - Removes the need for a PKI
- Phase one: a secure tunnel is established using the PAC
- Phase two: the client is authenticated via the secure tunnel
PAC Creation
The PAC consists of:
- PAC-Key
- PAC-Opaque
- PAC-Info
The server generates the PAC-Key, PAC-Opaque and PAC-Info.
The PAC-Opaque contains:
- PAC-Key
- Client user identity (I-ID)
- Key lifetime
The PAC-Opaque is encrypted with the server's Master-Key, so only the server can read it.
The PAC-Info contains the Authority Identity (A-ID).
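The PAC creation and use described above, as an added example that is not part of the course material and not Cisco's or RFC 4851 code (the real PAC TLV encodings are not reproduced). It shows the property the slide relies on: the server seals the PAC-Key, I-ID and lifetime into the PAC-Opaque under a master key only the server holds, hands the PAC to the client in phase zero, and in phase one recovers the PAC-Key from the returned PAC-Opaque alone, so no client certificate and no per-user server state are needed. The master key, identities, lifetimes and the HMAC-based sealing construction are assumptions made for the example.

```python
"""PAC provisioning and use (constructed illustration of EAP-FAST phase 0/1)."""
import hashlib
import hmac
import json
import os
import time

# Assumption for the example: a single server master key (real servers rotate it).
MASTER_KEY = os.urandom(32)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master_key, plaintext):
    """Encrypt-then-MAC under keys derived from the master key."""
    enc_key = hmac.new(master_key, b"pac-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"pac-mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key, blob):
    """Verify the tag first, then decrypt; reject anything we did not seal."""
    enc_key = hmac.new(master_key, b"pac-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"pac-mac", hashlib.sha256).digest()
    if len(blob) < 16 + 32:
        raise ValueError("PAC-Opaque too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("PAC-Opaque tampered with or sealed under another master key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_pac(master_key, i_id, a_id, lifetime_seconds, now=None):
    """Phase 0 (server side): generate PAC-Key, PAC-Opaque and PAC-Info."""
    now = int(time.time()) if now is None else now
    pac_key = os.urandom(32)
    expires = now + lifetime_seconds
    inner = json.dumps({"pac_key": pac_key.hex(), "i_id": i_id, "expires": expires})
    return {
        "pac_key": pac_key,                              # secret shared with the client
        "pac_opaque": seal(master_key, inner.encode()),  # readable only by the server
        "pac_info": {"a_id": a_id, "i_id": i_id, "expires": expires},  # cleartext hints
    }


def server_open_pac(master_key, pac_opaque, claimed_i_id, now=None):
    """Phase 1 (server side): recover and validate the PAC-Key from PAC-Opaque."""
    now = int(time.time()) if now is None else now
    inner = json.loads(unseal(master_key, pac_opaque))
    if inner["i_id"] != claimed_i_id:
        raise ValueError("PAC was issued to a different identity")
    if now >= inner["expires"]:
        raise ValueError("PAC expired; client must re-provision in phase 0")
    return bytes.fromhex(inner["pac_key"])


if __name__ == "__main__":
    pac = create_pac(MASTER_KEY, "alice@corp.example", "corp-radius", 30 * 86400)
    recovered = server_open_pac(MASTER_KEY, pac["pac_opaque"], "alice@corp.example")
    print("server recovered the same PAC-Key:", recovered == pac["pac_key"])
```

The point to notice is that the client never learns the master key and the server never stores the PAC-Key: everything the server needs comes back inside the PAC-Opaque, and the tag check, identity check and lifetime check are what stop a forged, replayed or borrowed PAC from opening a phase-one tunnel.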
PAC Exchange
EAP-FAST Authentication
PEAP
Hybrid authentication method
- Server-side authentication with TLS
- Client-side authentication with an inner EAP authentication type:
  - EAP-GTC
  - EAP-MSCHAPv2
- Clients do not require certificates
- RADIUS server requires a server certificate; options:
  - RADIUS server self-issuing certificate capability
  - Purchase a server certificate per server from a public PKI entity
  - Set up a simple PKI server to issue server certificates
- Allows one-way (client-only) authentication types to be used inside the tunnel, because the TLS handshake has already authenticated the server:
  - One-time passwords
  - Proxy to LDAP, Unix, Microsoft NT and Active Directory, Kerberos
- Because the client's only protection is the server certificate, the client must actually validate it (trusted CA and expected server name); a client that accepts any certificate will run its inner EAP-MSCHAPv2 exchange against a rogue access point
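A client-side check that covers both the EAP-TLS requirements listed earlier and the PEAP and EAP-FAST points above, as an added example that is not from the course and not wpa_supplicant's own code. It parses wpa_supplicant `network={...}` blocks and flags configurations where the supplicant would not validate the RADIUS server (no `ca_cert`, no `domain_suffix_match`), where a PEAP inner MSCHAPv2 exchange would run inside an unauthenticated tunnel, where the real username leaks in the outer identity, or where EAP-FAST allows anonymous PAC provisioning. The option names are real wpa_supplicant.conf keys; the three sample networks, the SSIDs, paths and the finding texts are constructed for this example.

```python
"""Audit wpa_supplicant network blocks for missing server validation (added example)."""
import re

# Constructed sample: a sound EAP-TLS network, a PEAP network that skips server
# validation, and an EAP-FAST network that allows anonymous PAC provisioning.
SAMPLE_CONF = """
network={
    ssid="corp-tls"
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
}
network={
    ssid="corp-peap"
    eap=PEAP
    identity="alice@corp.example"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-fast"
    eap=FAST
    identity="alice@corp.example"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    phase1="fast_provisioning=1"
    pac_file="/etc/wpa_supplicant/alice.pac"
    phase2="auth=MSCHAPV2"
}
"""


def parse_networks(text):
    """Return one dict of key -> unquoted value per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)  # split once: phase2="auth=MSCHAPV2"
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit(net):
    """Findings for one network block; an empty list means nothing to flag."""
    ssid, eap = net.get("ssid", "?"), net.get("eap", "").upper()
    findings = []
    validates_ca = "ca_cert" in net or "ca_path" in net
    pins_name = any(k in net for k in ("domain_suffix_match", "domain_match",
                                       "subject_match", "altsubject_match"))
    if eap in ("TLS", "PEAP", "TTLS"):
        if not validates_ca:
            findings.append(f"{ssid}: no ca_cert/ca_path, the RADIUS server certificate is never validated, so a rogue AP with any certificate is accepted")
        elif not pins_name:
            findings.append(f"{ssid}: ca_cert without domain_suffix_match, any certificate issued by that CA is accepted")
    if eap == "TLS" and not ("client_cert" in net and "private_key" in net):
        findings.append(f"{ssid}: EAP-TLS requires client_cert and private_key")
    if eap in ("PEAP", "TTLS", "FAST") and "anonymous_identity" not in net:
        findings.append(f"{ssid}: no anonymous_identity, the real username is sent in the clear in the outer EAP-Identity response")
    if eap in ("PEAP", "TTLS") and not validates_ca and "MSCHAPV2" in net.get("phase2", "").upper():
        findings.append(f"{ssid}: MSCHAPv2 inside an unauthenticated tunnel hands the challenge/response to an attacker for offline cracking")
    if eap == "FAST":
        mode = re.search(r"fast_provisioning=(\d)", net.get("phase1", ""))
        if mode and mode.group(1) in ("1", "3"):  # 1 = anonymous, 3 = anonymous or authenticated
            findings.append(f"{ssid}: anonymous PAC provisioning allowed, phase 0 then runs in a tunnel with no server authentication; use fast_provisioning=2 with ca_cert, or distribute the PAC out of band")
    if eap == "LEAP":
        findings.append(f"{ssid}: LEAP challenge/response can be cracked offline by dictionary attack")
    return findings


def audit_conf(text):
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): audit(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the sample, `corp-tls` is clean, `corp-peap` gets three findings (no CA validation, cleartext outer identity, MSCHAPv2 exposed), and `corp-fast` gets one for anonymous provisioning. The same logic applies to any exported supplicant configuration; the EAP-FAST rule reflects the slide's own point that the PAC is what replaces the PKI, so the channel the PAC is provisioned over must itself be authenticated.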
PEAP Authentication
LEAP
- Cisco WLAN security solution
- User authentication via user ID and password
- Single login using Windows NT/2000 Active Directory
- Dynamic WEP keys and mutual authentication
- Key integrity protocol/message integrity recommended
- Simplified deployment and administration
- Supports multiple operating systems: Windows, Mac OS, Windows CE, DOS, and Linux
- Strong password policy recommended: LEAP's challenge/response exchange can be captured and attacked offline with a dictionary, so a weak password is recoverable by anyone who can observe the authentication
LEAP Authentication
Summary
- A certificate is a public key bound to an identity by a CA's signature; certificates allow both authentication and encryption.
- EAP-TLS is an authentication mechanism built upon certificate exchange: both the client and the RADIUS server present a certificate.
- EAP-FAST aims at providing the same level of security without certificates, using a server-provisioned PAC instead.
- PEAP requires a certificate on the server but not on the client.
- There are many other EAP types, such as Cisco LEAP.

Iuwne10 S04 L04