Cisco Aironet 1524 Lightweight Outdoor Mesh Access Point
Mobile Access Router and Mesh Networks Design Guide
OL-11823-01
Security
• The non-root bridge uses the unicast key to decrypt the broadcast key. The non-root bridge and the
root device activate WEP and use the unicast and broadcast WEP keys for all communications
during the remainder of the session.
There is more than one type of EAP authentication, but the bridge behaves the same way for each type.
It relays authentication messages from the wireless client device to the RADIUS server and from the
RADIUS server to the wireless client device.
(If you use EAP authentication, you can optionally select open or shared key authentication as well.
EAP authentication controls authentication both to your bridge and to your network.)
EAP-TLS
EAP-TLS uses public key infrastructure (PKI) to acquire and validate digital certificates. A digital
certificate is a cryptographically signed structure that guarantees the association between at least one
identifier and a public key. It is valid for a limited time period and use, subject to certificate policy
conditions. The Certificate Authority (CA) issues certificates to the client and the server. The supplicant
and the back-end RADIUS server must both support EAP-TLS authentication. The root device acts as an
AAA client and is also known as the network access server (NAS). The root devices must support the
802.1x/EAP authentication process even though they are not aware of the EAP authentication protocol
type. The NAS tunnels the authentication messages between the peer (the user machine trying to
authenticate) and the AAA server (such as the Cisco ACS). The NAS is aware of the EAP authentication
process only when it starts and ends.
EAP-FAST
EAP-FAST encrypts EAP transactions within a TLS tunnel. The TLS tunnel encryption helps prevent
dictionary attacks that are possible using LEAP. The EAP-FAST tunnel is established using shared secret
keys that are unique to users. Because handshakes that are based on shared secrets are intrinsically faster
than handshakes that are based on a PKI infrastructure, EAP-FAST is significantly faster than PEAP and
EAP-TLS.
EAP-FAST operates according to the following three phases:
• Delivery of a key to the client
• Establishment of a secure tunnel using the key
• Authentication of the client over the secure tunnel
After successful client authentication to the EAP-FAST server, a RADIUS access-accept message is
passed to the root device (along with the master session key) and an EAP success message is generated
at the root device (as with other EAP authentication protocols). Upon receipt of the EAP-success packet,
the client derives a session key using an algorithm that is complementary to the one used at the server to
generate the session key passed to the root device.
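As an added example (not code from the Cisco guide), this Python model shows the root device acting as the NAS described in the EAP relay paragraph above and in the EAP-FAST success handling: it parses only the RFC 3748 EAP header, relays method frames without inspecting their type, and changes port state only when the RADIUS server returns a result. The frame layout follows RFC 3748; the identity string, identifiers and the `PassThroughNAS` class are constructed for illustration.

```python
import struct

# RFC 3748 EAP codes. The Type byte that follows the header in a Request or
# Response is method-specific (13 = EAP-TLS, 43 = EAP-FAST); the NAS never reads it.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)


def build_eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    """Assemble an EAP packet; Length counts the 4-byte header as well."""
    return HEADER.pack(code, ident, HEADER.size + len(payload)) + payload


def parse_eap_header(frame: bytes) -> tuple[int, int, bytes]:
    """Return (code, identifier, payload); raise ValueError on a malformed frame."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than EAP header")
    code, ident, length = HEADER.unpack_from(frame)
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    # Bytes past Length are link-layer padding and are ignored; a Length that
    # exceeds the frame means the packet was truncated and must be rejected.
    if length < HEADER.size or length > len(frame):
        raise ValueError(f"bad EAP length {length} for {len(frame)}-byte frame")
    return code, ident, frame[HEADER.size:length]


class PassThroughNAS:
    """Root device as NAS: relays method frames opaquely, acts only on start/end."""

    def __init__(self) -> None:
        self.port_open = False
        self.relayed = 0  # frames forwarded without looking at the method payload

    def from_supplicant(self, frame: bytes) -> str:
        code, _, _ = parse_eap_header(frame)
        if code != EAP_RESPONSE:
            return "drop"  # only Responses flow from supplicant to server
        self.relayed += 1
        return "to-radius"  # carried in an Access-Request EAP-Message attribute

    def from_radius_challenge(self, frame: bytes) -> str:
        code, _, _ = parse_eap_header(frame)
        if code != EAP_REQUEST:
            return "drop"  # mid-session, only Requests flow from server to supplicant
        self.relayed += 1
        return "to-supplicant"

    def from_radius_result(self, accepted: bool, ident: int) -> bytes:
        """Access-Accept (with the master session key) or Access-Reject ends the
        session: the NAS generates EAP-Success/Failure itself and sets port state."""
        self.port_open = accepted
        return build_eap(EAP_SUCCESS if accepted else EAP_FAILURE, ident)
```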
MAC Address Authentication to the Network
The access point relays the wireless client device's MAC address to a RADIUS server on the network,
and the server checks the address against a list of allowed MAC addresses. Because intruders can create
counterfeit MAC addresses, MAC-based authentication is less secure than EAP authentication.
However, MAC-based authentication does provide an alternate authentication method for client devices
that do not have EAP capability, or it can be used as an addition to EAP.