Honeywell International Inc. 9500LUP User Manual

7 - 40
Dolphin® 9500 Series Mobile Computer User’s Guide - Preliminary Rev (d) 12/17/04
Benefits of 802.1X
Central User Administration
The Client allows network administrators to continue to use RADIUS or another AAA server as their centralized authentication 
server. In 802.11b, where authentication took place between the access point and the station, there was no concept of passing 
credentials from the access point to an authentication server. For LANs this was fine. However, as users began to use their 
devices in remote locations, the security provided became inadequate. 802.1X solves this problem by allowing access points to 
pass client credentials to the appropriate authentication server.
For example, the following graphic displays the authentication flow for a mobile user who wishes to create a virtual private 
network with his home office. 
By using the Client, the user can associate with a wireless network provided by a third party, in this case the ISP. We assume 
that the company and the ISP have established a service relationship beforehand. When the ISP receives the user's credentials, 
the ISP proxies the credentials to the company's AAA server, which returns a message telling the ISP to either accept or deny 
the user access. This response is then propagated to the remote user.
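The flow just described (station to access point, access point to the ISP's AAA server, ISP proxying by realm to the company's AAA server, and the accept/deny decision propagating back to control the access point's port) can be modelled in a few dozen lines. The following Python is an added illustration, not code from the Dolphin user's guide or from the Client it describes; the realm "corp.example", the user "alice" and her password are constructed, and the credential check is abstracted to a salted-hash comparison rather than a real EAP method.

```python
"""Model of 802.1X authentication with RADIUS-style proxying between an ISP and a home AAA server."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class HomeAaaServer:
    """The company's AAA server: the only party that holds user credentials."""
    realm: str
    users: dict = field(default_factory=dict)  # username -> (salt, sha256(salt + password))

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authenticate(self, username: str, password: str) -> str:
        """Return a RADIUS-style verdict; unknown users and bad passwords look the same to the caller."""
        record = self.users.get(username)
        if record is None:
            return "Access-Reject"
        salt, expected = record
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return "Access-Accept" if hmac.compare_digest(candidate, expected) else "Access-Reject"


@dataclass
class IspProxy:
    """The ISP's AAA server: it never sees a credential database, only a routing table of realms."""
    routes: dict  # realm -> HomeAaaServer (established by the prior service relationship)

    def handle(self, identity: str, credential: str, trace: list) -> str:
        user, _, realm = identity.rpartition("@")
        home = self.routes.get(realm)
        if home is None:
            trace.append(f"ISP AAA: no proxy route for realm '{realm}' -> Access-Reject")
            return "Access-Reject"
        trace.append(f"ISP AAA: proxying request for {identity} to {realm} AAA server")
        verdict = home.authenticate(user, credential)
        trace.append(f"{realm} AAA -> ISP AAA: {verdict}")
        return verdict


@dataclass
class AccessPoint:
    """802.1X authenticator: the controlled port stays closed until the AAA chain says Accept."""
    aaa: IspProxy
    port_state: str = "unauthorized"

    def handle_association(self, identity: str, credential: str):
        trace = [f"station -> AP: EAP-Response/Identity {identity}"]
        verdict = self.aaa.handle(identity, credential, trace)
        self.port_state = "authorized" if verdict == "Access-Accept" else "unauthorized"
        outcome = "EAP-Success" if verdict == "Access-Accept" else "EAP-Failure"
        trace.append(f"AP -> station: {outcome}; controlled port {self.port_state}")
        return self.port_state, trace


def build_demo() -> AccessPoint:
    """Constructed topology: one company AAA server behind an ISP proxy, one enrolled user."""
    corp = HomeAaaServer(realm="corp.example")
    corp.enroll("alice", "CorrectHorseBattery")  # constructed credential
    isp = IspProxy(routes={"corp.example": corp})
    return AccessPoint(aaa=isp)


if __name__ == "__main__":
    ap = build_demo()
    for identity, password in [("alice@corp.example", "CorrectHorseBattery"),
                               ("alice@corp.example", "wrong"),
                               ("bob@other.example", "anything")]:
        state, trace = ap.handle_association(identity, password)
        print("\n".join(trace), end="\n\n")
```

The point the model makes is the one the text makes: the ISP decides only where to forward, the company decides whether to accept, and the access point acts only on the answer it receives, so a realm with no proxy route fails closed.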
Dynamic Session Specific Wireless Encryption Keys
There have been many published reports recently about the lack of security provided by the Wired Equivalent Privacy (WEP) 
protocol. One of the problems with WEP is that the shared key used by the station and the access point is inherently static. That 
is, this shared key will only change if it is manually reconfigured on both devices. The Client remedies this by supporting the 
Transport Layer Security (TLS) protocol. TLS ensures that a new shared key is generated each time a station associates itself 
with an access point. TLS has proven itself an excellent authentication and encryption protocol in commercial environments. The 
Client also supports the MD5 and TTLS security protocols.
Additional Advantages of TTLS and PEAP
The Client provides the advantage of Tunneled TLS (TTLS) and PEAP support. These protocols provide the security of TLS 
with greatly reduced administrative load. Security is enhanced by never passing user ID and password in the clear. No "real" user 
ID or password is required in Phase 1. After the secure tunnel is established (Phase 2), user credentials are passed in safe, 
encrypted form. To further enhance security, the WEP keys, which encrypt the data between the wireless card and the AP, may 
be automatically changed on a per-session basis, limiting the time available to an unauthorized sniffer to crack the keys. By 
limiting the session time (the reauthentication period), the keys can essentially be made uncrackable.
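The per-session keys described in this section and under "Dynamic Session Specific Wireless Encryption Keys" above come out of the TLS handshake: EAP-TLS expands the TLS master secret with the TLS PRF under the label "client EAP encryption" and the two handshake randoms, and the leading bytes of that material become the session's WEP key. The following Python is an added example, not code from the Dolphin user's guide or the Client; it implements the TLS 1.0 PRF (P_MD5 XOR P_SHA1) and the EAP-TLS key expansion, and uses a constructed master secret. Taking the WEP key as the first 13 bytes of the MSK is a simplification for illustration.

```python
"""Per-session WEP key derivation in the style of EAP-TLS (RFC 2246 PRF, RFC 5216 key material)."""
import hmac
import os
from math import ceil

WEP_KEY_LEN = 13  # 104-bit WEP key
MASTER_SECRET = bytes(range(48))  # constructed 48-byte TLS master secret, for illustration only


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_hash: HMAC(secret, A(i) + seed) with A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XORed with P_SHA1 over the second half."""
    half = ceil(len(secret) / 2)
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_tls_msk(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5216: 128 bytes of key material; the first 64 are the MSK handed to the authenticator."""
    key_material = tls_prf(master_secret, b"client EAP encryption", client_random + server_random, 128)
    return key_material[:64]


def session_wep_key(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Simplification: the access point uses the leading MSK bytes as this session's WEP key."""
    return eap_tls_msk(master_secret, client_random, server_random)[:WEP_KEY_LEN]


def associate(master_secret: bytes, rng=os.urandom) -> bytes:
    """One association: fresh handshake randoms, so a fresh key, even with the same master secret."""
    return session_wep_key(master_secret, rng(32), rng(32))


def keys_across_sessions(n_sessions: int, static_key: bytes = b"\x00" * WEP_KEY_LEN):
    """Contrast static WEP (one key for every session) with per-session keys derived at each association."""
    static_keys = {static_key for _ in range(n_sessions)}
    dynamic_keys = {associate(MASTER_SECRET) for _ in range(n_sessions)}
    return len(static_keys), len(dynamic_keys)


if __name__ == "__main__":
    static_count, dynamic_count = keys_across_sessions(5)
    print(f"distinct keys seen by a sniffer over 5 sessions: static WEP {static_count}, dynamic {dynamic_count}")
```

With a short reauthentication period each key protects only the traffic of one session, so whatever a sniffer captures under one key stops being useful the moment the station reauthenticates and a new key is derived.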
Administration is eased by greatly reduced certificate requirements in comparison to TLS. In TLS, each client must have a client 
certificate to pass to the server, and a CA certificate with which to verify a server certificate, while the server must have a client 
certificate from each user and CA certificates for each possible CA chain and its own server certificate. TTLS and PEAP require 
only that a single server certificate be created for the server to present to the client, and that the client have a CA certificate to 
verify the server. Because these are the same for each client on the network, they are easily managed, unlike TLS, where every 
client certificate is unique. TTLS and PEAP thus provide the security of a TLS channel without the need for managers to distribute 
and manage client certificates. Lastly, TTLS allows for the use of existing legacy authentication protocols. Administrators may 
continue to use established authentication databases.
Cisco LEAP
The message exchange used by Cisco LEAP is proprietary. This protocol is not a standard EAP type, but is supported by the 
Client through a licensing arrangement with Cisco.