Design Guide for Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-7
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
802.1X
Table 4-2 shows a summary of common EAP supplicants:
• PEAP MSCHAPv2—Protected EAP MSCHAPv2. Uses a Transport Layer Security (TLS) tunnel (the IETF standard of SSL) to protect an encapsulated MSCHAPv2 exchange between the WLAN client and the authentication server.
• PEAP GTC—Protected EAP Generic Token Card (GTC). Uses a TLS tunnel to protect a generic token card exchange; for example, a one-time password or LDAP authentication.
• EAP-FAST—EAP-Flexible Authentication via Secured Tunnel. Uses a tunnel similar to that used in PEAP, but does not require the use of Public Key Infrastructure (PKI).
• EAP-TLS—EAP Transport Layer Security uses PKI to authenticate both the WLAN network and the WLAN client, requiring both a client certificate and an authentication server certificate.
Authenticator
The authenticator in the case of the Cisco Secure Wireless Solution is the Wireless LAN Controller (WLC), which acts as a relay for EAP messages being exchanged between the 802.1X-based supplicant and the RADIUS authentication server.
After the completion of a successful authentication, the WLC receives the following:
• A RADIUS packet containing an EAP success message
• An encryption key generated at the authentication server during the EAP authentication
• RADIUS vendor-specific attributes (VSAs) for communicating policy
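What the WLC actually receives at this point, as an added example that is not code from the design guide: a minimal parser for a RADIUS Access-Accept that first verifies the Response Authenticator against the shared secret (RFC 2865), then confirms the EAP-Message attribute carries EAP Success and unwraps the session key from a Microsoft vendor-specific attribute. The guide does not name the key-carrying attribute; the example assumes the usual MS-MPPE-Recv-Key VSA (RFC 2548). The shared secret, Request Authenticator and the Access-Accept itself are constructed sample values, and the key-wrapping and packet-building helpers exist only to produce that sample.

```python
import hashlib, hmac, struct

# Constructed (not from the page): WLC/RADIUS shared secret and the Request Authenticator of the Access-Request the WLC sent
SECRET, REQ_AUTH = b"s3cr3t-wlc-radius", bytes(range(16))
EAP_MESSAGE, VSA, MS_VENDOR, MS_MPPE_RECV_KEY = 79, 26, 311, 17

def parse_attrs(blob):  # RADIUS TLVs: type, length (header included), value
    while blob:
        if len(blob) < 2 or blob[1] < 2 or blob[1] > len(blob):
            raise ValueError("malformed attribute")
        yield blob[0], blob[2:blob[1]]
        blob = blob[blob[1]:]

def mppe_stream(data, req_auth, secret, salt, decrypt):
    # RFC 2548 2.4: b1 = MD5(S|R|A), b(i) = MD5(S|c(i-1)), p(i) = c(i) xor b(i)
    out, prev = b"", req_auth + salt
    for i in range(0, len(data), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], b))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def encrypt_mppe_key(key, req_auth, secret, salt=b"\x80\x01"):
    plain = bytes([len(key)]) + key + b"\0" * (-(len(key) + 1) % 16)  # len, key, pad
    return salt + mppe_stream(plain, req_auth, secret, salt, False)

def build_access_accept(ident, attrs, req_auth, secret):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    hdr = struct.pack("!BBH", 2, ident, 20 + len(body))         # code 2 = Accept
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body

def inspect_access_accept(pkt, req_auth, secret):
    # RFC 2865 Response Authenticator check before trusting any attribute
    expect = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expect, pkt[4:20]):
        raise ValueError("Response Authenticator mismatch: discard packet")
    out = {"eap_success": False, "recv_key": None}
    for t, v in parse_attrs(pkt[20:]):
        if t == EAP_MESSAGE:
            out["eap_success"] = v[0] == 3                    # EAP code 3 = Success
        elif t == VSA:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            if (vendor, vtype) == (MS_VENDOR, MS_MPPE_RECV_KEY):  # salt + ciphertext
                p = mppe_stream(v[8:vlen + 4], req_auth, secret, v[6:8], True)
                out["recv_key"] = p[1:1 + p[0]]               # first byte is key length
    return out

def sample_accept():  # constructed Access-Accept carrying EAP-Success and a 32-byte key
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    enc = encrypt_mppe_key(key, REQ_AUTH, SECRET)
    vsa = struct.pack("!IBB", MS_VENDOR, MS_MPPE_RECV_KEY, len(enc) + 2) + enc
    attrs = [(EAP_MESSAGE, b"\x03\x07\x00\x04"), (VSA, vsa)]  # EAP code 3, id 7, len 4
    return build_access_accept(7, attrs, REQ_AUTH, SECRET), key
```

A packet whose Response Authenticator does not match the shared secret is rejected before any attribute is read, which is the check that stops a forged Access-Accept from handing the WLC an attacker-chosen key.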
Table 4-2   Comparison of Common Supplicants

                                     Cisco EAP-FAST   PEAP MS-CHAPv2   PEAP EAP-GTC   EAP-TLS
Single sign-on (MSFT AD only)        Yes              Yes              Yes (1)        Yes
Login scripts (MSFT AD only)         Yes              Yes              Some           Yes (2)
Password change (MSFT AD)            Yes              Yes              Yes            N/A
Microsoft AD database support        Yes              Yes              Yes            Yes
ACS local database support           Yes              Yes              Yes            Yes
LDAP database support                Yes (3)          No               Yes            Yes
OTP authentication support           Yes (4)          No               Yes            No
RADIUS server certificate required?  No               Yes              Yes            Yes
Client certificate required?         No               No               No             Yes
Anonymity                            Yes              Yes (5)          Yes (6)        No

1. Supplicant dependent.
2. Machine account and machine authentication are required to support the scripts.
3. Automatic provisioning is not supported with LDAP databases.
4. Supplicant dependent.
5. Supplicant dependent.
6. Supplicant dependent.