Questions about EAP are annoying ones, at least for me, and not many people really seem to know the differences between the methods. Furthermore, even the official CISSP guide from ISC2 does not say much about them. However, you can meet many questions about them in different tests. I will try to give you the essentials so that you know enough about them and can discover more if you wish.
First of all, the Extensible Authentication Protocols were created for the 802.1X protocol, which aims to provide identity-based authentication services. In a secure network environment, both the client that wants to connect to the corporate network and the network authentication server should properly authenticate each other.
When we speak about mutual authentication, the best way to do it is with digital certificates and the use of a Public Key Infrastructure. Both client and server present their digital certificates to each other for authentication, and sometimes use these certificates to build an SSL tunnel over which more information is exchanged.
EAP-TLS (Transport Layer Security) requires both the client and the authentication server to use digital certificates for authentication. This method is laborious and expensive, as it requires a great deal of effort for the proper management of the certificates, mostly on the client side. If a client certificate is not renewed correctly or the certificate store is not properly managed, clients may end up having problems connecting to the network. Because many network administrators are not very interested in PKI, troubleshooting is also painful.
EAP-TTLS (Tunneled TLS) eases the problems that EAP-TLS creates by eliminating the client-side certificates. The server-side certificate is used to establish a secure SSL tunnel between the client and the authentication server, and the authentication information is exchanged over this tunnel. This method is of course less secure than EAP-TLS, but it is also much easier to configure and maintain.
EAP-PEAP (Protected EAP) works just the same way as EAP-TLS, which is why it is confusing for me and, I believe, for many others. After the establishment of the secure tunnel using the server certificate, a second method such as EAP-TLS or EAP-MSCHAPv2 (Microsoft's flavor of EAP) can be used to exchange the authentication information.
These are all the methods given in the official guide. There are of course other protocols such as LEAP (Cisco's first EAP protocol, now considered insecure and no longer used), EAP-MD5 (which sends the authentication information hashed with MD5 and is much less secure than those mentioned above) and EAP-MSCHAPv2 (just an inner authentication method used after the first three, authenticating with Active Directory credentials), but it seems these are not considered essential. It is good to know just that much about them for general knowledge and the exam.
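To make the distinction between these methods concrete, here is an added example that is not from the original post or from any vendor's code: a small parser for EAP packets as they appear on the wire, using the EAP header layout from RFC 3748 and the IANA-registered Type values for the methods discussed above. The sample packets are constructed for illustration. The point it demonstrates from a monitoring perspective is that for EAP-TLS, EAP-TTLS and PEAP an observer sees only a TLS record layer inside the EAP payload, so the inner method (for example EAP-MSCHAPv2) is hidden by the tunnel, whereas EAP-MD5 and LEAP carry their challenge/response exchange outside any tunnel.

```python
import struct

# EAP Code values (RFC 3748, section 4).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# IANA-registered EAP method Type values for the methods the post discusses.
EAP_TYPES = {
    1: "Identity",
    4: "EAP-MD5 (MD5-Challenge)",
    13: "EAP-TLS",
    17: "LEAP",
    21: "EAP-TTLS",
    25: "EAP-PEAP",
    26: "EAP-MSCHAPv2",
}

# Methods whose Type-Data is a TLS record layer: the inner exchange is tunneled.
TLS_BASED = {13, 21, 25}

# Methods whose challenge/response exchange is not protected by a TLS tunnel.
CLEARTEXT_EXCHANGE = {4, 17}


def parse_tls_flags(type_data: bytes) -> dict:
    """Decode the flags byte shared by EAP-TLS (RFC 5216), EAP-TTLS and PEAP.

    L (0x80): a 4-byte TLS message length follows; M (0x40): more fragments;
    S (0x20): start of the TLS conversation. The remainder is TLS record data.
    """
    if not type_data:
        raise ValueError("TLS-based method needs a flags byte")
    flags = type_data[0]
    out = {
        "flag_L": bool(flags & 0x80),
        "flag_M": bool(flags & 0x40),
        "flag_S": bool(flags & 0x20),
    }
    offset = 1
    if out["flag_L"]:
        if len(type_data) < 5:
            raise ValueError("L flag set but 4-byte TLS message length is missing")
        out["tls_message_length"] = struct.unpack("!I", type_data[1:5])[0]
        offset = 5
    out["tls_payload"] = type_data[offset:]
    return out


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet and report what an on-path observer can learn from it."""
    if len(packet) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes")
    info = {"code": EAP_CODES[code], "id": identifier, "length": length}
    if code in (3, 4):
        return info  # Success/Failure carry no Type field
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    eap_type = packet[4]
    type_data = packet[5:]
    info["type"] = eap_type
    info["method"] = EAP_TYPES.get(eap_type, f"unknown type {eap_type}")
    if eap_type in TLS_BASED:
        # Only the outer TLS handshake/tunnel is visible; the inner method is not.
        info.update(parse_tls_flags(type_data))
        info["inner_method_visible"] = False
    else:
        # Identity, MD5-Challenge, LEAP: the Type-Data itself is on the wire.
        info["type_data"] = type_data
        info["inner_method_visible"] = eap_type in CLEARTEXT_EXCHANGE
    return info


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = {
    # Request, id 1, length 6, Type 25 (PEAP), flags S set: tunnel start.
    "peap_start": b"\x01\x01\x00\x06\x19\x20",
    # Request, id 2, length 22, Type 4 (MD5-Challenge), value-size 16, 16-byte challenge.
    "md5_challenge": b"\x01\x02\x00\x16\x04\x10" + b"\xaa" * 16,
    # Response, id 4, length 13, Type 13 (EAP-TLS), flags L+M, TLS length 256, 3 payload bytes.
    "eap_tls_fragment": b"\x02\x04\x00\x0d\x0d\xc0\x00\x00\x01\x00\x16\x03\x03",
    # Success, id 3, length 4.
    "success": b"\x03\x03\x00\x04",
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, parse_eap(pkt))
```

Note that this wire-level view cannot tell you whether a TTLS or PEAP client actually validated the server certificate before sending its inner credentials; that check lives in the supplicant configuration, which is why the tunneled methods are only as strong as the client's certificate validation.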
I know Aaron Woland from Cisco Networkers events; he is one of the guys who designed Cisco's famous ISE product and periodically speaks about identity-based networking concepts and AAA at events. You can find a more detailed explanation in his blog following this link:
EAP-TLS is laborious, I cannot agree more. People go for other solutions that are easier to maintain, such as Cisco's TrustSec and Forescout. There can be cases, however, where you are required to use EAP-TLS to be compliant; PCI-DSS can be an example.