Figure 7.6: Simplified EAP-TLS message flow.
7.5.2 EAP-MD5
The EAP-MD5 [19] authentication algorithm provides one-way password-based network
authentication of the client. It is expected to be used in 802.1X wired Ethernet switch
deployments. This algorithm can be used for wireless applications with no WLAN security
requirements. The impediment to using EAP-MD5 in wireless LAN applications is that no
encryption keys are generated. Also, although the protocol can be used by the client to
authenticate the network, it is typically used only for the network to authenticate the client.
Finally, as the Disassociation message is not currently authenticated, a valid established
session can be hijacked by an attacker [27]. The message flow is shown in Figure 7.7.
[Message-flow diagram. Participants: 802.1X Supplicant (802.11 Station); 802.1X Authenticator
(802.11 AP); Authentication Server (RADIUS). Messages: 802.11 Authentication (OS, SKA);
802.11 Association; EAP Start; EAP Request Identity; EAP Response (Identity - Machine Name or
User Name); EAP Request-MD5 (Challenge); EAP Response-MD5 (Challenge Response);
EAP Success-MD5; No Key Material Provided; DHCP, etc.]
Figure 7.
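The EAP-MD5 exchange described above, as an added example that is not from the original text: it builds the MD5-Challenge request, the supplicant's response and the server's verdict, using the EAP type 4 packet layout and CHAP-style digest from RFC 3748. The function names, identity and password are constructed for illustration. Only the client proves knowledge of the password, and the final Success packet is a bare header with no key material.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4  # MD5-Challenge

def build_md5_packet(code, identifier, value, name=b""):
    # Layout: Code | Identifier | Length | Type | Value-Size | Value | Name
    body = struct.pack("!BB", EAP_TYPE_MD5, len(value)) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(packet):
    if len(packet) < 6:
        raise ValueError("truncated EAP packet")
    code, identifier, length, eap_type, vsize = struct.unpack("!BBHBB", packet[:6])
    if length != len(packet) or eap_type != EAP_TYPE_MD5 or 6 + vsize > length:
        raise ValueError("malformed EAP-MD5 packet")
    return code, identifier, packet[6:6 + vsize], packet[6 + vsize:]

def md5_response(identifier, password, challenge):
    # CHAP-style digest: MD5(Identifier || password || challenge)
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def supplicant_answer(request, identity, password):
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP Request")
    digest = md5_response(identifier, password, challenge)
    return build_md5_packet(EAP_RESPONSE, identifier, digest, identity)

def server_verify(request, response, password):
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, resp_id, value, _ = parse_md5_packet(response)
    ok = (code == EAP_RESPONSE and resp_id == req_id and
          hmac.compare_digest(value, md5_response(req_id, password, challenge)))
    # Success/Failure is a bare 4-byte header: no key material is returned.
    return struct.pack("!BBH", EAP_SUCCESS if ok else EAP_FAILURE, req_id, 4)

def demo():
    password = b"constructed-password"  # constructed sample secret
    request = build_md5_packet(EAP_REQUEST, 7, os.urandom(16))
    good = server_verify(request, supplicant_answer(request, b"alice", password), password)
    bad = server_verify(request, supplicant_answer(request, b"alice", b"wrong"), password)
    return good, bad
```

Nothing in the exchange lets the supplicant check who issued the challenge, and the 4-byte Success packet leaves both sides with nothing from which to derive encryption keys.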