Friday, April 13, 2012

Radius

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to and use a network service. RADIUS was developed by Livingston Enterprises, Inc., in 1991.

RADIUS-Based Protocols Without EAP
RADIUS-based protocols that do not include EAP include the following:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1)
• MS-CHAP version 2 (MS-CHAPv2)

RADIUS-Based EAP Protocols
• Simple EAP methods that do not use certificates:
– Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
– Lightweight Extensible Authentication Protocol (LEAP)

• EAP methods that require certificates:
-- EAP-TLS – Transport Layer Security
Certificates are required on both the client and the RADIUS server. In a Wi-Fi environment, the workstation must have a certificate that the RADIUS server can validate. Likewise, the RADIUS server must have a certificate that the workstation can validate. This is referred to as mutual authentication, and it only holds if both parties can validate the other's certificate. This is typically done by having both certificates issued by one Certificate Authority (CA), and by giving each party the CA's certificate.

-- EAP-TTLS – Tunneled Transport Layer Security
EAP-TTLS is an authentication protocol that uses TLS to provide a secure channel for traditional authentication methods like CHAP, MS-CHAP, MS-CHAP-V2, and MD5-Challenge. This reduces the certificate requirements and lets legacy RADIUS authentication methods be reused inside the tunnel. A certificate is only required on the RADIUS server.

-- EAP-PEAP – Protected Extensible Authentication Protocol
EAP-PEAP is an authentication protocol backed by Microsoft, Cisco and RSA Security. PEAP extends TLS to carry an EAP exchange. Once the initial TLS exchange authenticates the RADIUS server to the workstation, any other EAP method can be used to authenticate the workstation to the RADIUS server. Thus, traditional EAP methods like MD5 or MS-CHAP can be used in conjunction with EAP-PEAP.

– Protected Extensible Authentication Protocol/EAP-MS-CHAPv2
– Protected Extensible Authentication Protocol/EAP-GTC
– Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling/EAP-MS-CHAPv2
– Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling/EAP-GTC

-- EAP-IKEv2
EAP-IKEv2 is an EAP authentication method based on the Internet Key Exchange Protocol version 2 (IKEv2). It provides mutual authentication and session key establishment between an EAP peer and an EAP server. It supports authentication techniques that are based on the following types of credentials:
– Asymmetric key pairs: public/private key pairs where the public key is embedded in a digital certificate, and the corresponding private key is known only to a single party.
– Passwords: low-entropy bit strings that are known to both the server and the peer.
– Symmetric keys: high-entropy bit strings that are known to both the server and the peer.

-- EAP-FAST
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposed by Cisco Systems as a replacement for LEAP.

Key Wrap
The encryption of one symmetric cryptographic key in another. The algorithm used for the encryption is called a key wrap algorithm or a key encryption algorithm. The key used in the encryption process is called a key-encryption key (KEK).