Wireless Security | Part 2
Prerequisite – Wireless Security | Set 1
Four types of Extensible Authentication Protocol (EAP) authentication methods are –
1. LEAP
2. EAP-FAST
3. PEAP
4. EAP-TLS
These are explained below.
- Lightweight Extensible Authentication Protocol (LEAP) –
To eliminate the weaknesses of WEP, Cisco introduced a proprietary wireless authentication method called LEAP. To authenticate, the client must provide username and password credentials; the client and the Access Point (AP) then exchange encrypted challenge phrases. Access is granted to the client if the encrypted challenge phrase matches. LEAP uses dynamic keys to encrypt the phrase, unlike WEP, which uses a static key. It was later found to be vulnerable, so LEAP has since been deprecated. Although wireless devices may still offer LEAP today, you should not use it.
- EAP-FAST –
Cisco then introduced a more secure method than LEAP called EAP Flexible Authentication with Secure Tunneling (EAP-FAST). In this method, authentication credentials are protected by passing a Protected Access Credential (PAC) between the Authentication Server (AS) and the client. The PAC is a sort of shared secret generated by the Authentication Server and used for mutual authentication.
It is a series of three phases:
1. A PAC is generated and installed on the clients.
2. Upon mutual authentication, the client and the Authentication Server negotiate a Transport Layer Security (TLS) tunnel.
3. For additional security, clients are then authenticated through the TLS tunnel.
Note that two separate authentication processes occur here: one between the AS and the client, called outer authentication, and another with the end user, called inner authentication. They occur in a nested fashion: the outer authentication takes place outside the TLS tunnel and the inner authentication inside it.
- Protected EAP (PEAP) –
PEAP is a further improvement over EAP-FAST. It also uses outer and inner authentication. The additional step in this method is a Digital Certificate (DC). The Authentication Server presents a Digital Certificate to the clients during outer authentication; if the clients are satisfied with the DC, a TLS tunnel is built for inner authentication. The DC consists of data in a standard form that identifies its owner. It is validated by a third party called a Certificate Authority (CA), which is known and trusted by both the clients and the Authentication Server.
- EAP-TLS –
PEAP is further improved by EAP-TLS. In it, a Digital Certificate is installed on both the AS and the client. They exchange certificates with each other, and a TLS tunnel is then built to exchange encryption key material. EAP-TLS is considered the most secure, but its implementation is a bit complex. Manual installation of Digital Certificates on hundreds of clients can be impractical, so a Public Key Infrastructure (PKI) is used to supply certificates securely to clients and revoke them when a client or user no longer has access to the network. EAP-TLS is used only when wireless clients can accept and use certificates.