802.1X Configuration Authentication Methods Help
Select one or more Extensible Authentication Protocol (EAP) methods required for 802.1X authentication on your network. All authentication methods are selected by default. Required information varies depending on the authentication method(s) that you select for your network and security needs.
When you are satisfied with your selections, click Next to proceed to the next page, or click Cancel to return to the 802.1X Configuration Summary page without making any changes.
For more information about EAP methods, search by RFC number on the IETF website or on the RFC archive website.
- MD5 Challenge – See RFC 3748 – Message Digest 5 (MD5) Challenge lets a RADIUS server authenticate LAN stations by verifying an MD5 hash of each user's password. This is a simple choice for trusted Ethernet networks where there is a low risk of outsider sniffing or active attack. However, MD5 Challenge is not suitable for public Ethernet networks or wireless LANs because outsiders may easily sniff station identities and password hashes, or masquerade as access points to trick stations into authenticating with them.
- TLS – See RFC 4346 – Transport Layer Security (TLS) is a standard secure option for wireless LANs. TLS requires the station and RADIUS server to both prove their identities via public key cryptography, such as digital certificates or smart cards. This exchange is secured by an encrypted TLS tunnel, making TLS resistant to dictionary and man-in-the-middle attacks. However, the station's identity, which is the name bound to the certificate, may still be sniffed by outsiders. TLS may be most attractive to large enterprises that use only Windows XP/2000/2003 with deployed certificates.
- PEAP-MS-CHAPv2 (PEAP) – See RFC 2759 – Protected EAP (PEAP) requires certificate-based RADIUS server authentication, but supports an extensible set of user authentication methods. Organizations that have not yet issued certificates to every station, or do not want to, can use Windows logins and passwords instead. RADIUS servers that support PEAP can check LAN access requests with Windows Domain Controllers, Active Directories, and other existing user databases. From a sniffing perspective, PEAP may be as secure as TLS. PEAP is an internet draft proposed by Cisco and Microsoft, and requires a recent Windows operating system or service pack.
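The method descriptions above can be checked against traffic that is already captured. The following is an added example, not part of the original help page or the product: it parses EAP packets in the RFC 3748 layout and reports where a station identity crosses the wire unprotected and where MD5 Challenge is in use. The function names, the build helper and the sample packets are constructed for illustration.

```python
import struct

# EAP Code and method Type numbers as assigned in RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP"}

def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with captured bytes")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        out["type"] = EAP_TYPES.get(packet[4], f"type-{packet[4]}")
        out["data"] = packet[5:length]  # bytes beyond Length are link padding
    return out

def audit(packets) -> list:
    """Return findings for cleartext identities and MD5 Challenge exchanges."""
    findings = []
    for raw in packets:
        try:
            p = parse_eap(raw)
        except ValueError as err:
            findings.append(f"malformed: {err}")
            continue
        if p["code"] == "Response" and p["type"] == "Identity":
            findings.append(f"identity sent in clear: {p['data'].decode('utf-8', 'replace')}")
        elif p["type"] == "MD5-Challenge":
            findings.append(f"MD5-Challenge {p['code'].lower()} seen (id={p['id']})")
    return findings

def build(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Hypothetical helper that assembles a Request/Response for the sample below."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

# Constructed sample capture (not real traffic).
SAMPLE = [
    build(1, 1, 1),                                   # Request/Identity
    build(2, 1, 1, b"alice@example.test"),            # Response/Identity, unencrypted
    build(1, 2, 4, bytes([16]) + bytes(range(16))),   # MD5 challenge: value size + value
    build(2, 2, 4, bytes([16]) + bytes(16)),          # MD5 response: value size + value
    build(1, 3, 25, b"\x20"),                         # PEAP request with Start flag
    b"\x03\x03\x00\x04",                              # Success (header only, no Type)
    b"\x01\x02",                                      # truncated frame
]
```

Calling audit(SAMPLE) reports the cleartext identity, both MD5-Challenge packets and the truncated frame; the PEAP and Success packets produce no finding.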