Client authentication 802.1x

Unanswered Question
Aug 14th, 2009

Hi,

I have one basic doubt about 802.1x wireless client authentication. Even after reading the documentation I am still confused about how this authentication takes place securely.

In the general case the client will send its username / password to the AP, which in turn will forward it to the RADIUS / TACACS server for authentication. But when the client sends the username / password to the AP, how is it encrypted? If it is not encrypted then a wireless sniffer can copy the clear-text frame and use it. I could not understand this first step itself.

Similarly, with EAP-TLS clients and servers use digital certificates issued by the same CA. How does the AP authenticate a real user with digital certs? (Please correct me if I am making wild speculations.)

I would like to compare it with a site-to-site VPN. In that case the D-H group 2 algorithm is used to generate an "identical, unique" huge number at both end devices. With this unique, identical number a pre-shared key (in this case the username / password) is encrypted with pre-negotiated algorithms and sent to each other. Then this "hidden pre-shared key" data is decrypted, and if the key matches the other end is authenticated. Here the important step is that an "identical, unique" number is generated by the D-H algorithm. Is anything similar happening in wireless also, so as to send the username and password in encrypted form?

Please share your experience.

Any link on cisco.com?

Thanks in advance

Subodh

Robert.N.Barrett_2 Fri, 08/14/2009 - 09:28

It really depends on which 802.1X authentication method you choose. PEAP/MS-CHAPv2 or EAP-TLS are the most common. PEAP uses the user id and password to authenticate the client, but the credentials passed are in an encrypted tunnel. EAP-TLS uses certificates to identify the client, so no user id and password at all.

The main thing to be concerned about with PEAP and EAP-TLS is what is initially passed in the first phase, the "identity request/response" (before authentication is enabled). This is definitely in clear text, but it only shows the user id or the CN from the certificate. Most wireless clients let you override this initial identity behavior.

Check out the following link and read up on the EAP-TLS and PEAP Choreography. That should make the process a little clearer.

http://www.ciscopress.com/articles/article.asp?p=369223&seqNum=2
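The unprotected identity phase described in the answer above can be seen in the bytes themselves. The following is an added example, not code from the original thread or from Cisco: it builds and parses the EAPOL frames that carry an EAP Request/Identity and EAP Response/Identity, using the header layouts from IEEE 802.1X and RFC 3748, and shows that whatever the client puts in its outer identity is exactly what a passive sniffer recovers. The usernames and the realm `corp.example` are constructed values, and the 802.11 and LLC/SNAP headers are assumed to have been stripped already.

```python
"""Added example: what a wireless sniffer sees in the 802.1X identity phase.

Before PEAP or EAP-TLS has set up a TLS tunnel, the client answers the
authenticator's EAP Request/Identity with an EAP Response/Identity inside an
EAPOL frame.  That response is not encrypted, so the identity string is
readable by anyone capturing the air.  Frame layouts follow IEEE 802.1X and
RFC 3748; 802.11 and LLC/SNAP headers are assumed already stripped.  The
usernames and realm below are made up for the example, not captured data.
"""
import struct

EAPOL_VERSION = 2            # IEEE 802.1X-2004
EAPOL_TYPE_EAP_PACKET = 0    # EAPOL-Start/Logoff/Key carry no EAP payload
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eapol_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Build EAPOL(EAP-Packet) -> EAP Response/Identity carrying `identity`."""
    type_data = identity.encode("utf-8")
    eap_len = 4 + 1 + len(type_data)            # Code, Id, Length(2), Type, Type-Data
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY)
    eap += type_data
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_eapol_identity(frame: bytes):
    """Return the identity string if `frame` is an EAP Response/Identity.

    Returns None for any other EAPOL/EAP content (the AP's Request/Identity,
    an EAPOL-Key, ...).  Raises ValueError rather than trusting a bad length.
    """
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None
    body = frame[4:4 + eapol_len]
    if len(body) != eapol_len or eapol_len < 4:
        raise ValueError("EAPOL body length does not match header")
    code, _eap_id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length does not fit in EAPOL body")
    if code != EAP_CODE_RESPONSE or eap_len < 5 or body[4] != EAP_TYPE_IDENTITY:
        return None
    return body[5:eap_len].decode("utf-8", errors="replace")


def identities_seen(frames) -> list:
    """What a passive sniffer collects from a capture: every clear-text outer identity."""
    seen = []
    for frame in frames:
        try:
            ident = parse_eapol_identity(frame)
        except ValueError:
            continue        # malformed frame: skip it, don't crash the capture loop
        if ident is not None:
            seen.append(ident)
    return seen


# Constructed sample frames (not captured traffic).
# AP -> client: EAPOL hdr (v2, EAP-Packet, len 5) + EAP Request, id 1, len 5, type Identity.
SAMPLE_AP_REQUEST = bytes([0x02, 0x00, 0x00, 0x05, 0x01, 0x01, 0x00, 0x05, 0x01])
# Client leaking its real username as the outer identity.
SAMPLE_REAL_IDENTITY = build_eapol_identity_response("subodh@corp.example")
# Same client with an anonymous outer identity.  The realm is kept so the
# authenticator / RADIUS proxy can still route the request; the real username
# is sent later, inside the TLS tunnel (e.g. PEAP's inner MS-CHAPv2).
SAMPLE_ANON_IDENTITY = build_eapol_identity_response("anonymous@corp.example")

if __name__ == "__main__":
    capture = [SAMPLE_AP_REQUEST, SAMPLE_REAL_IDENTITY,
               SAMPLE_AP_REQUEST, SAMPLE_ANON_IDENTITY]
    for ident in identities_seen(capture):
        print("outer identity on the air:", ident)
```

The parser deliberately returns None for the AP's Request/Identity (there is nothing to leak in it) and only yields the client's response, which is the frame the original question worries about. The second sample shows the mitigation the answer refers to: clients such as wpa_supplicant accept a separate `anonymous_identity` for the outer EAP identity, so the string a sniffer recovers no longer identifies the user, while the realm still lets RADIUS route the request.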
