Authentication Protocols - jibingl/CCNA-CCNP GitHub Wiki

Open Authentication

WEP (Wired Equivalent Privacy)

EAP (Extensible Authentication Protocol)

EAP is carried over 802.1X, which provides port-based network access control (NAC). The supplicant (client) talks to the authenticator (here the WLC), which relays the EAP exchange to the authentication server (AAA server, typically via RADIUS).

Supplicant                    Authenticator               Authentication Server
  +---+                         +-----+                      +----+
  | PC| <---------------------> |<WLC>| -------------------- |====|
  +/=\+   Open Authentication   | [=] |                      |AAA | (RADIUS)
                                +-----+                      +----+
        <-------------------EAP Authentication------------->

Different EAP variations:

| Abbr. | Name | Property | Description |
|---|---|---|---|
| LEAP | Lightweight EAP | Cisco | Based on WEP, using dynamic WEP keys |
| EAP-FAST | EAP Flexible Authentication via Secure Tunneling | Cisco | Establishes a TLS tunnel first, then authenticates inside it |
| PEAP | Protected EAP | | Tunnel established using the AS certificate |
| EAP-TLS | EAP Transport Layer Security | | Mutual authentication at the very beginning |

Supplicant                    Authenticator               Authentication Server
  +---+                         +-----+                      +----+
  | PC| <---------------------> |<WLC>| -------------------- |====|
  +/=\+   Open Authentication   | [=] |                      |AAA | (RADIUS)
                                +-----+                      +----+
        <-------------EAP-FAST Authentication-------------->
          <-----------1. PAC provisioning-----------------
          ============2. Established TLS Tunnel===========
           :<---------3. Authentication---------------->:

PAC (Protected Access Credential) is a shared key generated by the AS; it is used to establish the encrypted TLS tunnel that protects the subsequent authentication process.

Supplicant                    Authenticator               Authentication Server
  +---+                         +-----+                      +----+
  | PC| <---------------------> |<WLC>| -------------------- |====|
  +/=\+   Open Authentication   | [=] |                      |AAA | (RADIUS)
                                +-----+                      +----+
        <-------------PEAP Authentication------------------>
          <-----------1. Digital certificate--------------
          ============2. Established TLS Tunnel===========
           :<---------3. Authentication (MS-CHAP)------>:

Note: MS-CHAP is just one of the inner authentication methods that can be used here; there are others.

Supplicant                    Authenticator               Authentication Server
  +---+                         +-----+                      +----+
  | PC| <---------------------> |<WLC>| -------------------- |====|
  +/=\+   Open Authentication   | [=] |                      |AAA | (RADIUS)
                                +-----+                      +----+
        <-------------EAP-TLS Authentication--------------->
          <-----------1. Digital certificates------------>
          <-----------2. Authenticate each other--------->
          ============3. Established TLS Tunnel===========

Note: Since the AS and the supplicant exchange certificates and use them to authenticate each other, no further authentication happens inside the TLS tunnel, which is then used to encrypt the data transmission.
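To show how the PEAP and EAP-TLS steps above map onto a supplicant, here is an added wpa_supplicant.conf example (not part of the original wiki). The SSID, identities, passwords and file paths are placeholders; the point is that step 1 in both diagrams (the AS certificate) only authenticates the server if the supplicant is told which CA to trust via `ca_cert`, otherwise the tunnel can be built with any server that presents a certificate.

```conf
# PEAP: AS authenticated by its certificate (step 1), TLS tunnel (step 2),
# then the inner MS-CHAPv2 credential exchange inside the tunnel (step 3).
network={
    ssid="CORP-WLAN"                       # placeholder
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"  # outer identity, sent in clear
    identity="alice@example.com"           # inner identity, sent inside the tunnel
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-ca.pem"   # required: trust anchor for the AS cert
    domain_match="radius.example.com"      # required: pin the AS certificate name
    phase2="auth=MSCHAPV2"                 # step 3: inner method
}

# EAP-TLS: both sides present certificates and authenticate each other
# (steps 1 and 2) before the tunnel is up; there is no inner method.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.com"
    ca_cert="/etc/ssl/certs/corp-ca.pem"   # validates the AS certificate
    domain_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/alice.crt"   # supplicant certificate
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="placeholder-passphrase"
}
```

Omitting `ca_cert` (and `domain_match`) from the PEAP profile is the common misconfiguration: the TLS tunnel still comes up, but the MS-CHAPv2 exchange is then protected only against whoever happens not to be the server at the other end.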
