EAP Over LAN 802.1X Flashcards
Supplicant
Software on the endpoint that communicates using EAP at Layer 2. This software responds to the authenticator and provides the identity credentials within the EAP communication.
Authenticator
The network device that controls physical access to the network based on the authentication status of the endpoint. The authenticator acts as the middleman, taking Layer-2 EAP communication from the supplicant and encapsulating it in RADIUS directed at the active authentication server. Examples: switches and WLCs.
Authentication Server
The server that is performing the actual authentication of the client. The authentication server validates the identity of the endpoint and provides the authenticator with the result, such as accept or deny.
True or False. The supplicant communicates with the Authenticator using EAP
True. The authenticator simply takes the unmodified EAP frame and encapsulates it within the RADIUS packet sent to the authentication server, and authorizes the port if the authentication server tells it to.
Two major types of EAP
Native EAP type
Tunneled EAP types: a tunneled EAP type simply uses a non-tunneled EAP type inside a Transport Layer Security tunnel between the supplicant and the authenticator.
Native EAP
EAP-MD5
EAP-TLS
EAP-MSCHAPv2
EAP-GTC
EAP-MD5
Uses a message-digest algorithm to hide the credentials in a hash. The hash is sent to the server, where it is compared to the local hash to see whether the credentials were correct.
However, EAP-MD5 does not have a mechanism for mutual authentication. That means the server is validating the client, but the client does not authenticate the server.
EAP-TLS
An EAP type that uses TLS to provide a secure identity transaction.
EAP-TLS uses X.509 certificates and provides the ability to support mutual authentication, where the client must trust the server’s certificate and vice versa.
EAP-TLS has the benefit of being an open IETF standard and is considered to be universally supported.
EAP-MSCHAPv2
An EAP type in which the client’s credentials are sent to the server encrypted with an MSCHAPv2 session.
This allows for simple transmission of a username and password, or even a computer name and computer password, to the RADIUS server, which in turn authenticates them to Active Directory.
EAP-GTC
Created by Cisco as an alternative to MSCHAPv2 that allows generic authentication to virtually any identity store, including OTP token servers, LDAP, Novell eDirectory and more.
Types of Tunneled EAP
PEAP (Protected EAP)
EAP-FAST
PEAP
PEAP forms a potentially encrypted TLS tunnel between the client and server using the X.509 certificate on the server, in much the same way the SSL tunnel is established between a web browser and a secure website. After the tunnel has been formed, PEAP uses another EAP type as an "inner method," authenticating the client using EAP within the outer tunnel.
EAP-MSCHAPv2 inner method
Using this inner method, the client's credentials are sent to the server encrypted within an MSCHAPv2 session.
EAP-GTC inner method
Created by Cisco as an alternative to MSCHAPv2 that allows generic authentication to virtually any identity store, including OTP token servers, LDAP, Novell eDirectory and more.
EAP-TLS inner method
An EAP type that uses TLS to provide a secure identity transaction.
EAP-TLS uses X.509 certificates and provides the ability to support mutual authentication, where the client must trust the server’s certificate and vice versa.
EAP-TLS has the benefit of being an open IETF standard and is considered to be universally supported.