Cisco LEAP
Participants: Client, Access Point, RADIUS Server, Active Directory

1. Client -> Access Point: EAPOL-Start. The AP blocks all other traffic from the client until authentication completes.
2. Access Point -> Client: EAPOL EAP-Request/Identity.
3. Client -> Access Point: EAP-Response/Identity. The AP forwards the identity to the RADIUS server in a RADIUS Access-Request.
4. RADIUS Server -> Client: LEAP Server Challenge (RADIUS Access-Challenge, carried to the client in EAPOL).
5. Client -> RADIUS Server: LEAP Client Response. The RADIUS server checks the response against Active Directory (RADIUS server authenticates client).
6. Client -> RADIUS Server: LEAP Client Challenge (EAPOL). RADIUS Server -> Client: LEAP Client Challenge Response. The client verifies it (client authenticates RADIUS server), so authentication is mutual.
7. Both sides derive the session key from the exchange. RADIUS Server -> Access Point: EAP-Success in the RADIUS Access-Accept, together with the session and cell multicast keys (encryption keys) for the AP.
8. Access Point -> Client: EAPOL-Key (Session ID and Key Length), EAPOL-Key (Cell Multicast Key).
9. WPA or CCKM key management, then data: Protected Data Session.

Cisco LEAP Advantages
- Fast, relatively secure roaming with Cisco or compatible clients
- Uses existing username/password (Active Directory)
- Wide range of OS support

Weaknesses
- Susceptible to offline dictionary attack: the challenge/response pair crosses the air in the clear, so anyone who captures it can test candidate passwords offline
- Relies too much on strong, complex passwords for security
- Number of publicly available exploit tools
- Replaced by EAP-FAST

layer3.wordpress.com
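Every method on this page starts with the same unprotected envelope: EAPOL frames carrying EAP packets, with EAP-Request/Identity and EAP-Response/Identity exchanged before any tunnel exists. The following added example (written for this page, not code from layer3.wordpress.com) parses constructed EAPOL frames for the first steps of the LEAP diagram, pulls the cleartext outer identity out of the Identity Response, flags an outer identity that reveals a real username, and extracts the 8-byte peer challenge from an EAP-Request/LEAP. The sample frames, the realm `example.com` and the server name are constructed; the LEAP request layout (Version, Unused, Count, Challenge, Name) is as implemented by open-source supplicants.

```python
"""Parse the unencrypted EAPOL/EAP envelope shared by every 802.1X method on this page."""
import struct
from dataclasses import dataclass
from typing import Optional

# IEEE 802.1X EAPOL packet types
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
# RFC 3748 EAP codes
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# IANA EAP method types for the methods discussed on this page
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}
LEAP_CHALLENGE_LEN = 8


@dataclass
class EapolFrame:
    version: int
    packet_type: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    eap_data: bytes = b""


def build_eapol_eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """Encapsulate one EAP packet in an EAPOL EAP-Packet frame (EAPOL version 1)."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse EAPOL header, then the EAP header and Type byte if the frame carries an EAP packet."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    parsed = EapolFrame(version, ptype)
    if ptype != EAPOL_EAP_PACKET:
        return parsed  # EAPOL-Start, Logoff and Key frames carry no EAP packet
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError("EAP length field inconsistent with frame")
    parsed.eap_code, parsed.eap_id = code, ident
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("EAP Request/Response without Type byte")
        parsed.eap_type = body[4]
        parsed.eap_data = body[5:eap_len]
    return parsed


def outer_identity(frame: EapolFrame) -> Optional[str]:
    """NAI from an EAP-Response/Identity; it travels in the clear, outside any TLS tunnel."""
    if frame.eap_code == EAP_RESPONSE and frame.eap_type == 1:
        return frame.eap_data.decode("utf-8", errors="replace")
    return None


def identity_exposes_user(identity: str) -> bool:
    """True when the cleartext outer identity carries a real username instead of an anonymous NAI."""
    user = identity.split("@", 1)[0]
    return user.lower() not in ("", "anonymous")


def leap_challenge(frame: EapolFrame) -> bytes:
    """Peer challenge from an EAP-Request/LEAP (Version=1, Unused, Count=8, Challenge, Name)."""
    if frame.eap_code != EAP_REQUEST or frame.eap_type != 17:
        raise ValueError("not an EAP-Request/LEAP")
    d = frame.eap_data
    if len(d) < 3 + LEAP_CHALLENGE_LEN or d[0] != 1 or d[2] != LEAP_CHALLENGE_LEN:
        raise ValueError("malformed LEAP request")
    return d[3:3 + LEAP_CHALLENGE_LEN]


# Constructed sample frames mirroring the first steps of the LEAP diagram (not captured traffic).
EAPOL_START_FRAME = struct.pack("!BBH", 1, EAPOL_START, 0)
IDENTITY_REQUEST = build_eapol_eap(EAP_REQUEST, 1, 1)
IDENTITY_RESPONSE = build_eapol_eap(EAP_RESPONSE, 1, 1, b"alice@example.com")
LEAP_REQUEST = build_eapol_eap(EAP_REQUEST, 2, 17, bytes([1, 0, 8]) + bytes(range(8)) + b"radius.example.com")
EAP_SUCCESS_FRAME = build_eapol_eap(EAP_SUCCESS, 2)

if __name__ == "__main__":
    for raw in (EAPOL_START_FRAME, IDENTITY_REQUEST, IDENTITY_RESPONSE, LEAP_REQUEST, EAP_SUCCESS_FRAME):
        f = parse_eapol(raw)
        print(f.packet_type, f.eap_code, EAP_TYPES.get(f.eap_type), outer_identity(f))
```

The LEAP challenge and the client's 24-byte response are exactly the pair the dictionary-attack tools mentioned above work from; for the tunnelled methods later on the page, the same parser only ever sees the outer identity and the TLS records, which is the point of the tunnel.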
EAP-FAST (RFC 4851)
Participants: Client, Access Point, RADIUS Server, AD or external database

1. Access Point -> Client: EAP Identity Request. The AP blocks all other traffic until authentication completes.
2. Client -> Access Point: EAP Identity Response. The AP forwards the identity to the RADIUS server.
3. RADIUS Server -> Client: EAP-FAST Start carrying the A-ID (authority identity), which tells the client which PAC to use.
4. Client -> RADIUS Server: EAP-FAST (TLS Client Hello) carrying the PAC-Opaque. Server-side authentication: the previously provisioned PAC and the TLS handshake establish the secure tunnel.
5. RADIUS Server -> Client: EAP-FAST (TLS Server Hello) with Server_random, then TLS Finished. The tunnel is up.
6. Client-side authentication inside the tunnel: the authentication conversation (for example MSCHAPv2 or GTC) runs against AD or the external database, and the server authenticates the client.
7. Optional PAC refresh, also inside the tunnel.
8. EAP Success.
9. WPA or CCKM key management, then data: Protected Data Session.

EAP-FAST Advantages
- Supports Windows single sign-on and password expiration
- Wide range of OS support
- Does not require certificates or PKI
- Full support for 802.11i, 802.1X, TKIP and AES
- Support for WDS and CCKM
- Resistant to dictionary attacks, because credentials are only exchanged inside the tunnel

Weaknesses
- The PAC can be intercepted and used to compromise credentials
- A rogue AP with the same SSID could be used to inject a new PAC, which could then be used to obtain the username and a cleartext password (EAP-FAST with GTC) or to launch a dictionary attack. This applies when anonymous in-band PAC provisioning is enabled, since the client then has no way to authenticate the server handing out the PAC; provisioning over a server-authenticated TLS session avoids it.
EAP-TLS (RFC 5216)
Participants: Client, Access Point, RADIUS Server, CA

1. Client -> Access Point: EAPOL-Start. Access Point -> Client: Identity Request. The AP blocks all other traffic until authentication completes.
2. Client -> Access Point: Identity Response (NAI). The AP forwards the identity (NAI) to the RADIUS server.
3. RADIUS Server -> Client: EAP-TLS Start.
4. Client -> RADIUS Server: Client Hello.
5. RADIUS Server -> Client: Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done.
6. Client -> RADIUS Server: Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished. The client derives the session key.
7. RADIUS Server -> Client: Change Cipher Spec, Finished. The server derives the session key. Each side validates the other's certificate against the CA, so authentication is mutual.
8. EAP Success.
9. WPA key management, then data: Protected Data Session.

EAP-TLS Advantages
- Provides for a very secure exchange of data over a public domain
- Wide range of OS support
- Username/password compromise alone is not enough to gain access, as the client-side private key is still required
- Supports session resumption

Weaknesses
- Requires the use of client-side certificates
- More difficult to implement
PEAP
Participants: Client, Access Point, RADIUS Server, CA, User Database

PEAP Phase 1 (outer TLS tunnel, server-side authentication)
1. Client -> Access Point: EAPOL-Start. Access Point -> Client: Identity Request. The AP blocks all other traffic until authentication completes.
2. Client -> Access Point: Identity Response (NAI). The AP forwards the identity (NAI) to the RADIUS server. This outer identity is not protected; the real identity is sent again inside the tunnel in Phase 2.
3. RADIUS Server -> Client: PEAP Start (EAP-TLS Start).
4. Client -> RADIUS Server: Client Hello.
5. RADIUS Server -> Client: Server Hello, Certificate, Server Key Exchange, Certificate Request (optional), Server Hello Done. The client validates the server certificate against the CA.
6. Client -> RADIUS Server: Certificate and Certificate Verify (only if a client certificate is used), Client Key Exchange, Change Cipher Spec, Finished.
7. RADIUS Server -> Client: Change Cipher Spec, Finished. Both sides derive the MSK from the TLS master secret.

PEAP Phase 2 (inner EAP method, inside the tunnel)
8. RADIUS Server -> Client: EAP-Request/EAP-TLV/EAP-Payload-TLV (EAP-Request/Identity).
9. Client -> RADIUS Server: Tunneled Identity Response.
10. RADIUS Server -> Client: EAP-Request/EAP-TLV/EAP-Payload-TLV (EAP-Request for inner EAP Type X, for example MSCHAPv2).
11. Client -> RADIUS Server: Tunneled Response for EAP Type X, followed by the EAP Type X exchange. The server checks the credential against the user database.
12. RADIUS Server -> Client: EAP-Request/EAP-TLV/Result-TLV with Crypto-Binding. Client -> RADIUS Server: Result-TLV Response. Both sides derive the CSK (compound session key), which binds the inner method to the outer tunnel.
13. EAP Success.
14. WPA key management and data: Protected Data Session.

PEAP Advantages
- Provides for a very strong and secure authentication mechanism
- Wide range of OS support
- Client-side certificates not required
- Support for token-based authentication or Windows-based authentication via MSCHAPv2

Weaknesses
- Requires more overhead due to the number of message exchanges
- Requires a CA for the authenticating servers
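The "Derive Session Key" step of the EAP-TLS diagram and the "Derive MSK" step of PEAP Phase 1 are the same computation: once the TLS handshake finishes, each side expands the TLS master secret into EAP keying material as RFC 5216 section 2.3 specifies, and nothing else is sent over the air for it. The following added example (written for this page, not code from layer3.wordpress.com or from any EAP implementation) carries that derivation through with the TLS 1.2 PRF (P_SHA256), splits the result into MSK and EMSK, shows the two 32-byte halves of the MSK that the RADIUS server hands to the AP in MS-MPPE key attributes, and takes the PMK that the WPA key-management step starts from. The master secret and the two handshake randoms are constructed values, not from a real handshake.

```python
"""RFC 5216 key derivation from the finished TLS handshake (EAP-TLS; PEAP Phase 1 uses the same step)."""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """RFC 5246 P_SHA256: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def eap_tls_key_material(master_secret: bytes, client_random: bytes, server_random: bytes):
    """RFC 5216 section 2.3: Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
    client.random || server.random); MSK = bytes 0..63, EMSK = bytes 64..127."""
    km = tls12_prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    return km[:64], km[64:128]


def mppe_keys(msk: bytes):
    """RFC 5216 splits the MSK into two 32-byte halves (Enc-RECV-Key, Enc-SEND-Key); these are
    what the RADIUS server delivers to the AP in the MS-MPPE-Recv-Key / MS-MPPE-Send-Key attributes."""
    return msk[:32], msk[32:64]


def pmk_from_msk(msk: bytes) -> bytes:
    """IEEE 802.11i takes the first 256 bits of the MSK as the PMK; the WPA key management
    step on the page (the 4-way handshake) derives the PTK from it."""
    return msk[:32]


def sides_agree(client_view: bytes, server_view: bytes) -> bool:
    """Client and server derive independently from their own copy of the TLS state;
    compare the results in constant time."""
    return hmac.compare_digest(client_view, server_view)


# Constructed TLS state for the demonstration (not values from a real handshake):
# a 48-byte master secret and the two 32-byte handshake randoms.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    msk, emsk = eap_tls_key_material(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    recv_key, send_key = mppe_keys(msk)
    print("MSK              ", msk.hex())
    print("EMSK             ", emsk.hex())
    print("PMK              ", pmk_from_msk(msk).hex())
    print("MS-MPPE-Recv-Key ", recv_key.hex())
    print("MS-MPPE-Send-Key ", send_key.hex())
```

Because the MSK is a function of the TLS master secret and both randoms, an attacker who cannot complete the TLS handshake (no server private key for EAP-TLS or PEAP, no matching client certificate for EAP-TLS) gets no PMK even after observing every frame; this is the property the EAP-TLS advantages list describes as the private key still being required. The label and layout shown are the TLS 1.2 form in RFC 5216; EAP-TLS over TLS 1.3 (RFC 9190) replaces the PRF with the TLS exporter.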