
Cisco LEAP

Participants: Client, Access Point (AP), RADIUS Server, Active Directory

Message flow:
Client -> AP: EAPOL-Start (the AP blocks all requests until authentication completes)
AP -> Client: EAPOL-Request-Identity
Client -> AP: Identity; AP -> RADIUS Server: RADIUS Access Request

RADIUS Server Authenticates Client
RADIUS Server -> AP: LEAP Server Challenge; AP -> Client: EAPOL (LEAP Server Challenge)
Client -> AP: Response; AP -> RADIUS Server: Response
RADIUS Server -> AP: EAP-Success + RADIUS Access Challenge; AP -> Client: Success Message

Client Authenticates RADIUS Server
Client -> AP: LEAP Client Challenge; AP -> RADIUS Server: RADIUS (LEAP Client Challenge)
RADIUS Server -> AP: LEAP Client Response; AP -> Client: EAPOL (LEAP Client Challenge Response)

Key derivation
Client: Derive Key (Encryption Keys); RADIUS Server: Derive Key
RADIUS Server -> AP: (Session and Cell Multicast Keys)
AP -> Client: EAPOL-Key (Cell Multicast Key)
AP -> Client: EAPOL-Key (Session ID and Key Length)

Protected Data Session: WPA or CCKM Key Management; Data

Cisco LEAP Advantages
-Fast, relatively secure roaming with Cisco or compatible clients
-Uses existing username/password (Active Directory)
-Wide range of OS support

Weaknesses
-Susceptible to dictionary attack
-Relies too much on strong, complex passwords for security.
-Number of publicly available exploit tools

Replaced by EAP-FAST

layer3.wordpress.com
EAP-FAST

Participants: Client, Access Point (AP), RADIUS Server, AD or External Database

Message flow:
Client -> AP: Start (the AP blocks all requests until authentication completes)
AP -> Client: EAP Identity Request
Client -> AP: EAP Identity Response; AP -> RADIUS Server: Identity

Server Side Authentication - Establish a Secure Tunnel (PAC and TLS)
RADIUS Server -> AP: A-ID; AP -> Client: EAP-FAST Start (A-ID)
Client -> AP: EAP-FAST (TLS Client Hello) PAC-Opaque; AP -> RADIUS Server: PAC-Opaque
RADIUS Server -> AP: Server_random; AP -> Client: EAP-FAST (TLS Server Hello) Server_random
Client <-> RADIUS Server: TLS Finished

Client Side Authentication - Server Authenticates Client
Client <-> RADIUS Server: Authentication conversations
Optional PAC refresh
RADIUS Server -> Client: EAP Success

Protected Data Session: WPA or CCKM Key Management; Data

EAP-FAST Advantages (RFC 4851)
-Supports Windows single sign-on and password expiration
-Wide range of OS support
-Does not require certificates or PKI
-Full support for 802.11i, 802.11x, TKIP and AES
-Support for WDS and CCKM
-Resistant to dictionary attacks

Weaknesses
-PAC can be intercepted and used to compromise credentials
-Rogue AP with the same SSID could be used to inject a new PAC, which could be used to obtain a username and a cleartext password (EAP-FAST w/GTC) or launch a dictionary attack
EAP-TLS

Participants: Client, Access Point (AP), RADIUS Server, CA

Message flow:
Client -> AP: EAPOL Start (the AP blocks all requests until authentication completes)
AP -> Client: Identity Request
Client -> AP: Identity Response (NAI); AP -> RADIUS Server: Identity (NAI)
RADIUS Server -> Client: EAP-TLS Start
Client -> RADIUS Server: Client Hello
RADIUS Server -> Client: Server Hello, Certificate, Server Key Exchange, Server Request, Server Hello Complete
Client -> RADIUS Server: Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Complete (client derives Session Key)
RADIUS Server -> Client: ChangeCipherSpec, Complete (server derives Session Key)

Protected Data Session: WPA Key Management; Data

EAP-TLS Advantages (RFC 5216)
-Provides for very secure exchange of data over public domain
-Wide range of OS support
-Username/Password compromise alone is not enough to gain access as the client side private key is still required.
-Supports session resumption

Weaknesses
-Requires the use of client side certificates
-More difficult to implement
PEAP

Participants: Client, Access Point (AP), RADIUS Server, User Database, CA

Message flow:

PEAP Phase 1
Client -> AP: EAPOL Start (the AP blocks all requests until authentication completes)
AP -> Client: Identity Request
Client -> AP: Identity Response (NAI); AP -> RADIUS Server: Identity (NAI)
RADIUS Server -> Client: EAP-TLS Start
Client -> RADIUS Server: Client Hello
RADIUS Server -> Client: Server Hello, Certificate, Server/Key Exchange Request, Server Hello Complete
Client -> RADIUS Server: Certificate, Client/Key Exchange, Certificate Verify, Change Cipher Spec, Complete
Client and RADIUS Server: Derive MSK
EAP Success

PEAP Phase 2
RADIUS Server -> Client: EAP-Request/EAP-TLV/EAP-Payload-TLV (EAP Request Identity)
Client -> RADIUS Server: Tunneled Identity Response
RADIUS Server -> Client: EAP-Request/EAP-TLV/EAP-Payload-TLV (EAP Request Identity-Type X)
Client -> RADIUS Server: Tunneled Response for EAP Type X
Client <-> RADIUS Server: EAP Type X Exchange
RADIUS Server -> Client: EAP-Request/EAP-TLV/Result-TLV (CryptoBinding)
Client -> RADIUS Server: Result-TLV Response
Client and RADIUS Server: Derive CSK
RADIUS Server -> AP: EAP Success; AP -> Client: EAP Success

Protected Data Session: WPA Key Management & Data

PEAP Advantages
-Provides for a very strong and secure authentication mechanism.
-Wide range of OS support
-Client side certificates not required
-Support for Token-Based authentication or Windows based authentication via MSCHAPv2

Weaknesses
-Requires more overhead due to number of message exchanges
-Requires CA for the authenticating servers
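All four exchanges above share the same outer framing: an EAPOL-Start, an EAP Identity Request/Response, then EAP Request/Response packets whose type byte names the method (LEAP, EAP-FAST, EAP-TLS, PEAP), and finally an EAP Success. The Python decoder below is an added example, not code from layer3.wordpress.com; it parses that EAPOL/EAP framing, labels each frame in the vocabulary of the diagrams, and reports when a legacy method such as LEAP (which the notes say was replaced by EAP-FAST) is negotiated, which is a practical way to inventory what an existing 802.1X deployment still accepts. The sample frames are constructed for the example, the LEAP request payload is placeholder bytes rather than a real challenge, and the method type numbers come from the IANA EAP method registry.

```python
import struct

# Field values from IEEE 802.1X (EAPOL) and RFC 3748 / the IANA EAP method registry.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {
    1: "Identity", 3: "NAK", 6: "GTC", 13: "EAP-TLS", 17: "LEAP",
    25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST",
}
# Methods the notes above describe as superseded (LEAP is replaced by EAP-FAST).
LEGACY_METHODS = {"LEAP"}


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet: code, identifier, and for Request/Response the method type."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):  # Request and Response carry a method type byte
        if length < 5:
            raise ValueError("EAP Request/Response without type byte")
        mtype = pkt[4]
        info["method"] = EAP_METHODS.get(mtype, f"unknown({mtype})")
        info["data"] = pkt[5:length]
        if code == 2 and mtype == 1:  # Identity Response carries the NAI / username
            info["identity"] = info["data"].decode("utf-8", errors="replace")
    return info


def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL frame; EAP-Packet frames are decoded further by parse_eap."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body truncated")
    info = {"version": version, "eapol_type": EAPOL_TYPES.get(etype, f"unknown({etype})")}
    if etype == 0:
        info["eap"] = parse_eap(frame[4:4 + length])
    return info


def describe(frame: bytes) -> str:
    """One-line summary of a frame in the vocabulary of the diagrams above."""
    info = parse_eapol(frame)
    eap = info.get("eap")
    if eap is None:
        return info["eapol_type"]
    line = f"EAP-{eap['code']}"
    if "method" in eap:
        line += f"/{eap['method']}"
    if "identity" in eap:
        line += f" ({eap['identity']})"
    return line


def legacy_methods_seen(frames) -> set:
    """Return the set of legacy EAP methods negotiated across a list of EAPOL frames."""
    seen = set()
    for frame in frames:
        method = parse_eapol(frame).get("eap", {}).get("method")
        if method in LEGACY_METHODS:
            seen.add(method)
    return seen


# Constructed sample exchange (not a capture): EAPOL-Start, Request/Identity,
# Response/Identity "alice", a LEAP Request with placeholder bytes, EAP-Success.
SAMPLE_FRAMES = [
    b"\x01\x01\x00\x00",                                        # EAPOL-Start
    b"\x01\x00\x00\x05" + b"\x01\x01\x00\x05\x01",              # EAP Request, Identity
    b"\x01\x00\x00\x0a" + b"\x02\x01\x00\x0a\x01alice",         # EAP Response, Identity
    b"\x01\x00\x00\x08" + b"\x01\x02\x00\x08\x11\x01\x00\x08",  # EAP Request, LEAP (placeholder data)
    b"\x01\x00\x00\x04" + b"\x03\x02\x00\x04",                  # EAP-Success
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(describe(f))
    print("legacy methods negotiated:", legacy_methods_seen(SAMPLE_FRAMES))
```

The length checks matter: both EAPOL and EAP carry their own length field, and a decoder that trusts either one without comparing it to the bytes actually present will mis-parse or over-read on malformed frames, so each header is validated before its body is touched.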
