
http://www.interlinknetworks.com/2007/10/selecting-8021x-eap-method-access-point.html


Selecting an 802.1X EAP Method: Access Point Considerations


In the last RADIUS server blog posting, we embarked on the daunting task of securing access to a wireless network with a RADIUS server.  This led us to 802.1X and the Extensible Authentication Protocol, EAP, which is at the heart of best practices for wireless network access management.  Because of EAP’s extensible nature, we discussed that there are not only several network components to consider in securing the wireless network, but also many EAP Methods (protocols) from which to choose and configure in your clients and RADIUS server.  In evaluating the currently available EAP Methods, we are examining factors involving each component of the wireless network.  Because they provide the wireless connectivity, Access Points (APs) are the first and primary component that most enterprises evaluate.  We will follow suit by looking at access point issues related to supporting wireless network access management using EAP.

802.1x Support

The most important AP feature necessary for wireless access management is support for 802.1x.  This should be a requirement for enterprise wireless networks.  One cannot take this feature for granted since it is generally not available on low cost consumer access points.  802.1x is the IEEE standard for Port Based Network Access Control.  Included in this specification is the use of EAP for authentication.  If an Access Point supports 802.1x, then it supports EAP.


WEP (Wired Equivalent Privacy) is another term frequently found on AP datasheets.  While WEP based encryption is often found on APs using 802.1x, by itself it is not sufficient indication that EAP is supported.  Many implementations authenticate by configuring static WEP keys.  If the workstation can communicate by virtue of having the correct key, then it is authenticated.  802.1x was designed to overcome the numerous shortcomings of WEP key based authentication by authenticating user access through a RADIUS server.  Additionally, WPA/TKIP has been developed to solve the problems of WEP’s poor encryption and data integrity.


Some Access Point datasheets will mention support for RADIUS.  While RADIUS is used to transport EAP between the Access Point and the Authentication Server, it does not necessarily mean that the AP supports EAP.  Some APs perform MAC address authentication with a RADIUS server.  This form of authentication falls short of EAP’s ability to provide mutual authentication, authentication of the actual user, and session encryption keys with a RADIUS server.

Once it is determined that the AP supports 802.1x, then the next question is which EAP Methods are supported.  The EAP authentication is conducted between the Supplicant (wireless device) and the RADIUS Server (Authentication Server).  It is carried over EAPOL on the wireless side of the AP and over RADIUS on the network side of the AP.  The AP only serves to relay the EAP packets, not to participate in the protocol.  Therefore, any AP that supports 802.1x should be able to support all EAP methods.  In practice, this is generally true.  There have been exceptions found during interoperability tests, but these have been determined to be bugs that the AP vendors are expected to fix.

Proprietary EAP Methods

The one exception to the rule of thumb that all EAP Methods should be supported by all 802.1x APs is Cisco’s proprietary EAP-LEAP (Lightweight Extensible Authentication Protocol).  It is only supported by APs, supplicants, and authentication servers that have licensed Cisco’s technology.  LEAP makes use of Cisco’s vendor-specific attributes (VSAs) to distribute key material.  The access point must support the Cisco VSAs and the LEAP algorithm for generating session keys from the key material.  Because Cisco is a networking leader, LEAP has gained acceptance.  Other vendors’ supplicants and authentication servers support LEAP – but if an enterprise wants to standardize on LEAP, then it must use Cisco APs.

Accounting Support

Although it is not a requirement for EAP, it should be noted that some access points do not support RADIUS accounting.  This is an issue for ISPs and Wi-Fi hotspot vendors and less of an issue for enterprises that aren’t invoicing for wireless network access.  However, all users might still want to implement audit trails and policies, which require RADIUS accounting messages to mark the beginning and end of sessions.

Configuring EAP in the Access Point

Configuring EAP in an access point consists of four straightforward steps:

1.  Enabling 802.1x, often by checking a box on a web form

2.  Entering the authentication server’s IP address

3.  Entering the authentication server’s port number (usually 1812)

4.  Entering the secret shared with the authentication server
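As an added illustration (not code from the original post or from Interlink Networks), the following Python sketches what the access point does with the EAP exchange described above and how the four configuration values feed into it: it strips the EAPOL header from a supplicant frame, copies the EAP bytes unchanged into RADIUS EAP-Message attributes addressed to the authentication server, and seals the Access-Request with a Message-Authenticator keyed by the shared secret. The server address, NAS address, secret, identity, and all function and constant names are constructed for this example; the packet layouts follow RFC 2865 (RADIUS), RFC 3579 (RADIUS support for EAP) and RFC 3748 (EAP).

```python
import hashlib
import hmac
import os
import struct

# Constructed authenticator (AP) settings: the four values the post lists.
# Addresses are from the 192.0.2.0/24 documentation range; the secret is a placeholder.
AP_CONFIG = {
    "dot1x_enabled": True,                   # step 1: enable 802.1x
    "auth_server_addr": "192.0.2.10",        # step 2: authentication server IP (placeholder)
    "auth_server_port": 1812,                # step 3: RADIUS authentication port
    "shared_secret": b"placeholder-secret",  # step 4: secret shared with the server (placeholder)
    "nas_ip_addr": "192.0.2.2",              # the AP's own address, sent as NAS-IP-Address
}

# RADIUS packet code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
ATTR_VALUE_MAX = 253      # largest value that fits in one RADIUS attribute

# EAPOL (IEEE 802.1X) and EAP (RFC 3748) constants
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eapol_identity_response(identifier, identity):
    """Constructed supplicant frame: 4-byte EAPOL header + EAP-Response/Identity."""
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier,
                      5 + len(identity), EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", 2, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def extract_eap_from_eapol(frame):
    """Strip the EAPOL header; the EAP packet inside is handed on untouched."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet frame")
    return frame[4:4 + length]


def _attr(attr_type, value):
    """Encode one RADIUS type-length-value attribute."""
    if len(value) > ATTR_VALUE_MAX:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def relay_eap_to_radius(eap_packet, identity, config, radius_id, request_authenticator=None):
    """Wrap a raw EAP packet in a RADIUS Access-Request, as the AP does.

    The EAP bytes are copied unchanged into EAP-Message attributes, split at 253
    octets (RFC 3579 section 3.1); the EAP method inside is never inspected, so
    the AP needs no per-method configuration. Message-Authenticator (HMAC-MD5 over
    the whole packet, keyed with the shared secret, computed with its own value
    zeroed) is mandatory on any Access-Request carrying EAP-Message (RFC 3579
    section 3.2). The identity is the one the AP remembered from EAP-Response/Identity.
    """
    if not config["dot1x_enabled"]:
        raise RuntimeError("802.1x is disabled on this AP; EAP is not relayed")
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, identity)
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in config["nas_ip_addr"].split(".")))
    attrs += _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    for i in range(0, len(eap_packet), ATTR_VALUE_MAX):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[i:i + ATTR_VALUE_MAX])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zeroed while the HMAC is computed
    length = 20 + len(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, radius_id, length) + request_authenticator + attrs
    mac = hmac.new(config["shared_secret"], packet, hashlib.md5).digest()
    return packet[:length - 16] + mac     # Message-Authenticator is the last attribute


def parse_attributes(packet):
    """Return (type, value_offset, value) for each attribute of a RADIUS packet."""
    attrs, pos = [], 20
    length = struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, pos + 2, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_message_authenticator(packet, secret):
    """What the authentication server checks before trusting the relayed EAP."""
    for t, off, val in parse_attributes(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, val)
    return False    # RFC 3579 requires the attribute whenever EAP-Message is present


def eap_from_radius(packet):
    """Reassemble the EAP packet from the EAP-Message fragments, in order."""
    return b"".join(val for t, _off, val in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    frame = build_eapol_identity_response(1, b"alice@example.com")   # constructed identity
    eap = extract_eap_from_eapol(frame)
    request = relay_eap_to_radius(eap, b"alice@example.com", AP_CONFIG, radius_id=7)
    print("Access-Request to %s:%d, %d bytes" % (AP_CONFIG["auth_server_addr"],
                                                  AP_CONFIG["auth_server_port"], len(request)))
    print("Message-Authenticator valid:", verify_message_authenticator(request, AP_CONFIG["shared_secret"]))
```

Nothing in the relay path reads the EAP type byte, which is the post's point: the AP forwards whatever method the supplicant and server negotiate. The one value that binds the AP to the server is the shared secret; an Access-Request built with a different secret fails the Message-Authenticator check on the server side, so a mistyped secret in step 4 shows up as every authentication being silently dropped rather than rejected.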


In conclusion, beyond the need to support 802.1x, the access point does not need to be a determining factor in which EAP Method to choose.  The key is recognizing which access points support 802.1x.  From there, enabling 802.1x and configuring communication with the authentication server is fairly straightforward.  There is no need to configure a specific EAP method within the access point.


Choosing and configuring an EAP Method becomes more involved as we look at the supplicant and RADIUS server (authentication server) in upcoming blog posts.


