Additional EAP types include EAP-SIM [23], which
reuses the mobile GSM authentication credentials, EAP-SRP [24], a secure password-based
method, and EAP-AKA [25], which uses symmetric key credentials. EAP-PEAP [26] is
similar to EAP-TTLS in concept, but tunnels only EAP-based authentication methods.
7.5.1 802.1X EAP Authentication
The EAP-TLS [18] protocol provides a mechanism for certificate-based mutual
authentication. Upon successful completion of EAP-TLS authentication, a secret master
key is known to both the station and the RADIUS server; the RADIUS server then delivers
this key to the authenticator (AP or MC). EAP-TLS requires prior distribution of
client-side and server-side certificates over a secure channel, and RADIUS authentication
servers that support EAP-TLS and certificate management. A simplified message diagram
for EAP-TLS is shown in Figure 7.6. EAP authentication messages exchanged between the
station and the RADIUS server transit the AP/MC.
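The paragraph above states that after EAP-TLS completes, the station and the RADIUS server share a master key that the server then hands to the AP/MC. The following Python is an added example, not code from the book: it implements the EAP-TLS key derivation of RFC 5216 section 2.3 (TLS-PRF over the TLS master secret with the label "client EAP encryption", the first 64 bytes being the MSK), using the TLS 1.0/1.1 PRF of RFC 2246/RFC 4346; TLS 1.2 peers use the SHA-256 PRF instead, with the same label and split. The master secret and handshake randoms in the demo are constructed values.

```python
import hmac

# EAP-TLS key derivation (RFC 5216 section 2.3) with the TLS 1.0/1.1 PRF
# (RFC 2246 / RFC 4346 section 5). Added example; constructed inputs only.


def p_hash(hash_name, secret, seed, length):
    """P_hash expansion: A(i) = HMAC(secret, A(i-1)); output HMAC(secret, A(i) + seed) blocks."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_tls_keys(master_secret, client_random, server_random):
    """Derive the 64-byte MSK and the 64-byte EMSK from the TLS master secret and randoms.
    The MSK is what the RADIUS server delivers to the authenticator (AP/MC); the master
    secret itself stays at the two TLS endpoints (station and RADIUS server)."""
    key_material = tls_prf(master_secret, b"client EAP encryption",
                           client_random + server_random, 128)
    return key_material[:64], key_material[64:]


if __name__ == "__main__":
    # Constructed stand-ins for the TLS master secret (48 bytes) and the two 32-byte randoms.
    master_secret = bytes(range(48))
    client_random, server_random = bytes([0x11]) * 32, bytes([0x22]) * 32
    station_msk, _ = eap_tls_keys(master_secret, client_random, server_random)
    server_msk, _ = eap_tls_keys(master_secret, client_random, server_random)
    print("station and server derive the same MSK:", station_msk == server_msk)
    print("MSK handed to the AP/MC:", station_msk.hex())
```

In a real deployment the RADIUS server carries the MSK to the authenticator inside the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes of the Access-Accept, so the RADIUS shared secret protecting that leg is as security-critical as the TLS handshake itself.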
Wireless Local Area Network Security 152
[Figure 7.6: Simplified EAP-TLS message diagram. Participants: 802.11 station (802.1X supplicant), AP/MC (authenticator) and RADIUS server. Message sequence: 802.11 Authentication (Open System); 802.11 Association; EAP Start; EAP Request Identity; EAP Response Identity (machine name or user name); EAP Request-TLS (TLS Start); EAP Response-TLS (TLS Client Hello); EAP Request-TLS (TLS Server Hello, TLS Certificate, Server Key Exchange); EAP Response-TLS (TLS Certificate, Client Key Exchange, Certificate Verify, TLS Finished); EAP Request-TLS (Change Cipher Spec); EAP Response-TLS (empty); EAP Success with Master Session Key (RADIUS server to AP/MC); EAP Success (AP/MC to station); AP/MC generates the multicast/global key; EAPOL-Key (multicast/global key) to the station. The EAP messages between the station and the RADIUS server are relayed through the AP/MC, so each appears on both legs of the diagram.]
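The diagram shows the EAP-TLS messages as labels only. The Python below is an added example, not the book's code, that encodes and decodes the actual framing behind those labels: the EAP header of RFC 3748 (Code, Identifier, Length, Type) and the EAP-TLS Type-Data of RFC 5216 (Flags byte with the L, M and S bits, optional TLS Message Length). It also shows why the diagram has an empty "EAP Response-TLS ( )": a server flight such as ServerHello plus Certificate rarely fits one frame, so it is fragmented and each non-final fragment is acknowledged with an empty response. The identity string, TLS bytes and flight sizes are constructed.

```python
import struct

# EAP codes (RFC 3748), the EAP-TLS method type and its flag bits (RFC 5216).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
FLAG_L = 0x80   # 4-byte TLS Message Length present (first fragment of a flight)
FLAG_M = 0x40   # more fragments follow
FLAG_S = 0x20   # EAP-TLS Start: server's first request, carries no TLS data


def eap_packet(code, identifier, eap_type=None, type_data=b""):
    """Encode one EAP packet; Length covers the 4-byte header plus Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(frame):
    """Decode an EAP packet, rejecting truncated frames and inconsistent Length fields."""
    if len(frame) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", frame[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP code %d" % code)
    if length < 4 or length > len(frame):
        raise ValueError("EAP Length field inconsistent with frame size")
    pkt = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response carries no Type")
        pkt["type"], pkt["type_data"] = frame[4], frame[5:length]
    return pkt


def eap_tls_type_data(flags, tls_data=b"", total_length=None):
    """EAP-TLS Type-Data: Flags, then TLS Message Length when L is set, then TLS bytes."""
    out = bytes([flags])
    if flags & FLAG_L:
        out += struct.pack("!I", total_length)
    return out + tls_data


def parse_eap_tls(type_data):
    """Split EAP-TLS Type-Data into its flags, announced total length and TLS payload."""
    if not type_data:
        raise ValueError("EAP-TLS Type-Data missing Flags byte")
    flags, offset, total_length = type_data[0], 1, None
    if flags & FLAG_L:
        if len(type_data) < 5:
            raise ValueError("L flag set but TLS Message Length truncated")
        total_length, offset = struct.unpack("!I", type_data[1:5])[0], 5
    return {"start": bool(flags & FLAG_S), "more": bool(flags & FLAG_M),
            "total_length": total_length, "data": type_data[offset:]}


def fragment_tls_message(code, first_id, tls_message, max_data):
    """Split one TLS flight into EAP-TLS packets: first carries L and the total length,
    all but the last carry M, and the Identifier increments per fragment."""
    chunks = [tls_message[i:i + max_data] for i in range(0, len(tls_message), max_data)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        flags = (FLAG_L if n == 0 else 0) | (FLAG_M if n < len(chunks) - 1 else 0)
        total = len(tls_message) if n == 0 else None
        packets.append(eap_packet(code, first_id + n, EAP_TYPE_TLS,
                                  eap_tls_type_data(flags, chunk, total)))
    return packets


def reassemble_tls_message(packets):
    """Reassemble fragments and verify the announced TLS length against what arrived."""
    buf, announced = b"", None
    for raw in packets:
        pkt = parse_eap(raw)
        if pkt.get("type") != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS packet")
        tls = parse_eap_tls(pkt["type_data"])
        if tls["total_length"] is not None:
            announced = tls["total_length"]
        buf += tls["data"]
        if not tls["more"]:
            break
    if announced is not None and announced != len(buf):
        raise ValueError("announced TLS length %d but received %d bytes" % (announced, len(buf)))
    return buf


def sample_exchange():
    """Constructed packets for the first steps of Figure 7.6, keyed by the diagram's labels."""
    server_flight = b"\x16\x03\x01" + bytes(2500)   # stand-in for ServerHello + Certificate
    return {
        "EAP Request Identity": eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY),
        "EAP Response Identity": eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"user@example.org"),
        "EAP Request-TLS (TLS Start)": eap_packet(EAP_REQUEST, 2, EAP_TYPE_TLS, eap_tls_type_data(FLAG_S)),
        "EAP Response-TLS (Client Hello)": eap_packet(EAP_RESPONSE, 2, EAP_TYPE_TLS,
                                                      eap_tls_type_data(0, b"\x16\x03\x01" + bytes(52))),
        "EAP Request-TLS (Server Hello, Certificate)": fragment_tls_message(EAP_REQUEST, 3, server_flight, 1000),
        "EAP Response-TLS ( )": eap_packet(EAP_RESPONSE, 3, EAP_TYPE_TLS, eap_tls_type_data(0)),  # fragment ack
        "EAP Success": eap_packet(EAP_SUCCESS, 6),
    }
```

The Length and TLS Message Length checks in `parse_eap` and `reassemble_tls_message` are the parts worth copying into anything that relays or inspects EAP on the AP/MC: an announced length that disagrees with the bytes actually received is the classic malformed-frame case for this protocol.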