Choose EAP methods based on your security requirements and the clients you support. First, create an inventory of the clients you support. Clients need specific supplicant software for each EAP method (LAN access devices must only support EAP). For wireless clients, you must use supplicants that support the hardware platforms, operating systems, and WLAN cards in your environment. Ideally, you should try to use client hardware and software that allows you to use one EAP method for all your clients. This may mean avoiding solutions that are proprietary or support only a small variety of clients.

Next, determine which of the following features are important to you:

1. Dynamic Key Exchange—Distributes a user-specific encryption key to the client and access device during the authentication process. Without this feature, all clients must share the same static encryption key.
2. Mutual Authentication—Protects against unauthorized (rogue) access devices by allowing clients to authenticate the network they are connecting to.
3. Password-based Authentication—Clients provide a password to authenticate to the network. Typically the password is sent to the server in a hashed (one-way encrypted) form. If you are integrating with an existing password storage format, be sure the EAP method you choose is compatible with the password storage format. For the most flexibility, choose an EAP method that allows the HP-UX AAA Server to access the password in clear text (for example, the PAP password format). Storing passwords in clear text requires you to use EAP methods that encrypt the channel between the client and the access point (like TTLS or PEAP).
4. Digital Certificate/Token Card-based Authentication—Uses a token card, smart card, or digital certificate assigned to each user for authentication. This feature must be deployed in an environment with supporting infrastructure—for example, an organization with a PKI and user-specific certificates.
5. Encrypted Tunnel—Establishes an encrypted channel to securely deliver authentication messages and encryption keys. The encrypted tunnel encapsulates another EAP method that provides the actual user authentication. Encrypted tunnels are good for securing authentication methods that are vulnerable when not encapsulated in an encrypted tunnel.
Table 13-2 “Supported EAP Methods and Their Features” lists the EAP methods the HP-UX AAA Server supports and which of the above features each method offers. Use the table and your inventory information to help decide which EAP method to use.

Table 13-2 Supported EAP Methods and Their Features

| EAP Method | Feature | Description |
|---|---|---|
| TTLS | 1, 2, 3, 5 | Tunneled TLS: Can carry additional EAP or legacy authentication methods like PAP and CHAP. Integrates with the widest variety of password storage formats and existing password-based authentication systems. Supplicants available for a large number of clients. |
| PEAP | 1, 2, 5 | Protected EAP: Functionally very similar to TTLS, but does not encapsulate legacy authentication methods. |
| TLS | 1, 2, 4, 5 | Transport Layer Security: Uses TLS (also known as SSL) to authenticate the client using its digital certificate. Note: some supplicants require specific extensions to support certificates for EAP. |
| MD5 | 3 | Message Digest 5: Passwords are hashed using the MD5 algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above). |
| MSCHAP | 2, 3 | Microsoft Challenge Handshake Accept Protocol: Passwords are hashed using a Microsoft algorithm. Can be deployed for protecting access to LAN switches where the authentication traffic will not be transmitted over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel methods (see feature 5 above). |
| LEAP | 1, 2, 3 | Lightweight EAP: For legacy Cisco equipment only. |
| GTC | 4 | Generic Token Card: Carries user-specific token cards for authentication. |

NOTE: If you are using TLS, TTLS, or PEAP, be sure you configure the required digital certificates after you configure all your realms.
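The selection rules of this section (required features, one method for every client's supplicant, the wired-only caveat for MD5 and MSCHAP, and the encrypted-tunnel requirement for clear-text passwords) can be encoded as a small checker. This is an added example, not code from the HP-UX AAA Server documentation or product; the client inventory and the function names are constructed assumptions, while the feature numbers and method table follow Table 13-2.

```python
# Added example, not from the HP-UX AAA Server documentation or product: the
# selection rules of this section as a checker. Feature numbers and the method
# table follow Table 13-2; client inventory and function names are assumptions.
FEATURES = {1: "Dynamic Key Exchange", 2: "Mutual Authentication",
            3: "Password-based Authentication",
            4: "Digital Certificate/Token Card-based Authentication",
            5: "Encrypted Tunnel"}

# Table 13-2: EAP method -> set of feature numbers it offers
EAP_METHODS = {"TTLS": {1, 2, 3, 5}, "PEAP": {1, 2, 5}, "TLS": {1, 2, 4, 5},
               "MD5": {3}, "MSCHAP": {2, 3}, "LEAP": {1, 2, 3}, "GTC": {4}}

# Per the table, safe on their own only where traffic never crosses airwaves;
# over wireless they must be carried inside a tunnel method (feature 5).
WIRED_ONLY_STANDALONE = {"MD5", "MSCHAP"}


def reject_reasons(method, required, clients, wireless, cleartext_passwords):
    """Reasons (possibly none) why `method` does not fit. required: feature
    numbers needed; clients: {name: methods its supplicant supports};
    wireless: True for WLAN; cleartext_passwords: server must read PAP-format
    passwords."""
    offered = EAP_METHODS[method]
    reasons = []
    missing = required - offered
    if missing:
        reasons.append("lacks " + ", ".join(FEATURES[f] for f in sorted(missing)))
    unsupported = [c for c, methods in clients.items() if method not in methods]
    if unsupported:  # the goal is one EAP method that every client can use
        reasons.append("no supplicant on: " + ", ".join(unsupported))
    if wireless and method in WIRED_ONLY_STANDALONE:
        reasons.append("over wireless only inside a tunnel method (feature 5)")
    if cleartext_passwords and 5 not in offered:
        reasons.append("clear-text passwords need an encrypted tunnel (feature 5)")
    return reasons


def candidate_methods(required, clients, wireless, cleartext_passwords=False):
    """EAP methods from Table 13-2 that pass every rule, sorted by name."""
    return sorted(m for m in EAP_METHODS
                  if not reject_reasons(m, required, clients, wireless,
                                        cleartext_passwords))


if __name__ == "__main__":  # constructed inventory: two wireless clients
    inventory = {"laptop": {"TTLS", "PEAP", "TLS"}, "phone": {"TTLS", "LEAP"}}
    for m in EAP_METHODS:
        why = reject_reasons(m, {1, 2, 3}, inventory, True, False)
        print(m, "OK" if not why else "rejected: " + "; ".join(why))
```

Run it to see why each method in the table is accepted or rejected for the constructed inventory; with two wireless clients needing features 1, 2 and 3, only TTLS survives.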