7: EAP-MD5 message flow.
7.5.3 EAP-TTLS
EAP-TTLS [20] can be viewed as an interesting combination of both EAP-TLS and traditional password-based methods such as Challenge Handshake Authentication Protocol (CHAP) [28] and One Time Password (OTP). In this method, a TLS tunnel is first established between the station (Supplicant) and the Authentication Server. The client authenticates the network to which it is connecting by authenticating the digital certificate provided by the TTLS server. This is exactly analogous to the techniques used to connect to a secure web server. Once an authenticated "tunnel" is established, the authentication of the end user occurs. EAP-TTLS has the added benefit of protecting the identity of the end user from view over the wireless medium, providing anonymity of the end user, a desirable attribute. EAP-TTLS also enables existing end user authentication systems to be reused. The simplified message protocol exchange for EAP-TTLS is shown in Figure 7.8.
Wireless Local Area Network Security 153
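The inner authentication that runs once the TLS tunnel is up, as an added example that is not from the chapter: the supplicant packs User-Name, CHAP-Challenge and CHAP-Password AVPs (RFC 5281 / RFC 1994 layout) and the TTLS server recomputes the CHAP response. It assumes the tunnel is already established; the 16-byte challenge and CHAP identifier, which EAP-TTLS derives from TLS keying material, are constructed test values here, and the user database is a constructed dict.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers reused as AVP codes inside the TTLS tunnel
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60

def encode_avp(code: int, data: bytes, mandatory: bool = True) -> bytes:
    """Diameter-style AVP: code(4) | flags(1) | length(3) | data, padded to 4 octets."""
    flags = 0x40 if mandatory else 0x00            # M bit set, V (vendor) bit clear
    header = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def decode_avps(buf: bytes) -> dict:
    """Parse a run of AVPs into {code: data}; rejects truncated or vendor-specific AVPs."""
    avps, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if flags & 0x80 or length < 8 or off + length > len(buf):
            raise ValueError("malformed AVP")
        avps[code] = buf[off + 8:off + length]
        off += length + (-length % 4)                # skip the padding too
    return avps

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def client_inner_auth(username: str, password: str, ident: int, challenge: bytes) -> bytes:
    """Supplicant side: the AVPs sent through the TLS tunnel (only here is the real name visible)."""
    resp = chap_response(ident, password.encode(), challenge)
    return (encode_avp(USER_NAME, username.encode())
            + encode_avp(CHAP_CHALLENGE, challenge)
            + encode_avp(CHAP_PASSWORD, bytes([ident]) + resp))

def server_verify(inner: bytes, user_db: dict) -> bool:
    """TTLS/AAA side: recompute the response from the stored password, compare in constant time."""
    avps = decode_avps(inner)
    if not all(k in avps for k in (USER_NAME, CHAP_CHALLENGE, CHAP_PASSWORD)):
        return False
    secret = user_db.get(avps[USER_NAME].decode(errors="replace"))
    if secret is None or len(avps[CHAP_PASSWORD]) != 17:
        return False
    ident, response = avps[CHAP_PASSWORD][0], avps[CHAP_PASSWORD][1:]
    expected = chap_response(ident, secret.encode(), avps[CHAP_CHALLENGE])
    return hmac.compare_digest(response, expected)
```

The server can only recompute the MD5 if it holds the cleartext password, which is why reusing a CHAP back end behind EAP-TTLS still requires a reversible password store on the AAA side.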
7.5.4 IEEE 802.11 and RADIUS MAC Authentication
The IEEE 802.11 standard [8] supports two subtypes of MAC layer authentication services:
open system and shared key.