PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Similar documents
Protected EAP (PEAP) Application Note

Configuring the Client Adapter through the Windows XP Operating System

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

FAQ on Cisco Aironet Wireless Security

Configuring the Client Adapter through the Windows XP Operating System

Network Access Flows APPENDIXB

Wireless LAN Security. Gabriel Clothier

Configuring Authentication Types

Summary. Deployment Guide: Configuring the Cisco Wireless Security Suite 1 OL

Configuring the Client Adapter

Configuring the Client Adapter through Windows CE.NET

Cisco Wireless LAN Controller Module

802.1x. ACSAC 2002 Las Vegas

Configuring EAP-FAST CHAPTER

Authentication and Security: IEEE 802.1x and protocols EAP based

Cisco Aironet 1130G Series IEEE g Access Point

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Securing Your Wireless LAN

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

ITCertMaster. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way!

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

TestsDumps. Latest Test Dumps for IT Exam Certification

Exam Questions CWSP-205

Exam : PW Title : Certified wireless security professional(cwsp) Version : DEMO

ClearPass QuickConnect 2.0

Protected EAP (PEAP) Application Note

New Windows build with WLAN access

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Configure Network Access Manager

Securing a Wireless LAN

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

User Databases. ACS Internal Database CHAPTER

Managing External Identity Sources

Cisco Exam Questions & Answers

Appendix E Wireless Networking Basics

Selection of an EAP Authentication Method for a WLAN

ENHANCING PUBLIC WIFI SECURITY

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Aruba PEAP-GTC Supplicant Plug-In Guide

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

b/g/n 1T1R Wireless USB Adapter. User s Manual

Using EAP Authentication

Securing Wireless LANs with Certificate Services

Cisco Desktop Collaboration Experience DX650 Security Overview

Wireless LANs Designing, Deploying, Managing and Securing an Enterprise Wireless Network

Product Brief: SDC-PC22AG a/g PCMCIA Card with Integrated Antenna

IEEE a/b/g Wireless USB 2.0 Adapter. User s Manual Version: 1.2

COPYRIGHTED MATERIAL. Contents

Product Brief: SDC-MSD30AG a/g Miniature SDIO Module with Antenna Connectors

Product Brief: SDC-PC10AG a/g Compact Flash Module with Antenna Connectors

Cisco Aironet 1130AG Series IEEE A/B/G Access Point

Standard For IIUM Wireless Networking

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Hardware Capabilities. Product Brief: SDC-PC20G g PCMCIA Card with Integrated Antenna

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Setting Up Cisco SSC. Introduction CHAPTER

Johns Hopkins

802.1X: Background, Theory & Implementation

Johns Hopkins

Product Brief: SDC-MCF10G g Miniature CF Module with Antenna Connectors

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

Configuring 802.1X Settings on the WAP351

Release Notes for Cisco Aironet a/b/g Client Adapters (CB21AG and PI21AG) for Windows Vista 1.1

Using PEAP and WPA PEAP Authentication Security on a Zebra Wireless Tabletop Printer

Security Setup CHAPTER

WL 5011s g Wireless Network Adapter Client Utility User Guide

Configuring Layer2 Security

Cisco Aironet 1240G Access Point

Cisco Aironet 1100 Series Access Point

Cisco Exam Securing Wireless Enterprise Networks Version: 7.0 [ Total Questions: 53 ]

ipad in Business Security Overview

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Designing AirPort Extreme n Networks

GHz g. Wireless A+G. User Guide. Notebook Adapter. Dual-Band. Dual-Band WPC55AG a. A Division of Cisco Systems, Inc.

Configuring Local EAP

Cisco Questions & Answers

WDT3250 RF Setup Guide

CUA-854 Wireless-G Long Range USB Adapter with Antenna. User s Guide

Cisco Securing Cisco Wireless Enterprise Networks (WISECURE) Download Full Version :

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

150Mbps N Wireless USB Adapter

Product Brief: SDC-EC25N n ExpressCard Card with Integrated Antenna

Configuring FlexConnect Groups

Cisco EXAM Implementing Cisco Unified Wireless Networking Essentials (IUWNE) Buy Full Product.

Cisco Aironet 1130AG Series IEEE A/B/G Access Point

Security in IEEE Networks

Rhodes University Wireless Network

Product Brief: SDC-PE15N n PCIe Module with Antenna Connectors

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

What is Eavedropping?

Your wireless network

Cisco Exactexams Questions & Answers

Exam Questions Demo Cisco. Exam Questions

802.1x Port Based Authentication

ipad in Business Deployment Scenarios and Device Configuration Overview April 2010 Microsoft Exchange IMAP, CalDAV, and LDAP

Cisco Aironet 1240AG Series A/B/G Access Point

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Cisco Unified Wireless Network Software Release 5.2

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

Transcription:

Q&A PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL This document answers questions about Protected Extensible Authentication Protocol. OVERVIEW Q. What is Protected Extensible Authentication Protocol? A. Protected Extensible Authentication Protocol (PEAP) is an 802.1X authentication type for wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on an Internet Draft (I-D) submitted by Cisco Systems, Microsoft, and RSA Security to the IETF. Glen Zorn was the Cisco Systems lead engineer and coauthor of this I-D. Q. Is PEAP supported by the Cisco Unified Wireless Network, Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)? A. Yes. The Cisco Unified Wireless Network supports several EAP authentication types, including PEAP. Like all EAP types, PEAP can be used with WPA and WPA2 networks. Q. What is the Cisco Unified Wireless Network? A. The Cisco Unified Wireless Network is the industry s only unified wired and wireless solution to cost-effectively address the WLAN security, deployment, management, and control issues facing enterprises. This powerful solution combines the best elements of wireless and wired networking to deliver scalable, manageable, and secure WLANs with a low total cost of ownership. It includes innovative RF capabilities that enable real-time access to core business applications and provides proven enterprise-class secure connectivity. The Cisco Unified Wireless Network delivers the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations expect from their wired LANs. The Cisco Unified Wireless Network supports an enterprise-ready, standards-based, wireless security solution that gives network administrators confidence that their data will remain private and secure when they use Cisco wireless products, Cisco Aironet Series products, Cisco Compatible Extensions products or Wi-Fi Certified WLAN client devices. This enterprise-class wireless security solution supports robust wireless LAN security services that closely parallel the security available in a wired LAN. It fulfills the need for consistent, reliable, and secure mobile networking by delivering industry-leading WLAN security services. It mitigates sophisticated passive and active WLAN attacks, interoperates with a range of client devices and provides reliable, scalable, centralized security management. The Cisco Unified Wireless Network allows network administrators to deploy large-scale enterprise WLANs with scalable problem-free security administration that does not increase the burden on the IT staff. Q. Is PEAP a standard? A. Not yet. PEAP is based on an I-D submitted to the IETF. Cisco, Microsoft, and RSA Security are actively involved in the IETF standards body supporting a standardized PEAP implementation. Q. Where can I find information about the PEAP draft proposed to the IETF? A. Please visit the IETF I-D Search Engine and search for PEAP. All contents are Copyright 1992 2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 5

FEATURES AND BENEFITS Q. What are the security benefits of PEAP? A. PEAP provides the following security benefits: Relies on Transport Layer Security (TLS) to allow nonencrypted authentication types such as EAP-Generic Token Card (GTC) and One Time Password (OTP) support Uses server-side Public-Key Infrastructure (PKI)-based digital certification authentication Allows authentication to an extended suite of directories, including Lightweight Access Protocol (LDAP), Novell NDS, and OTP databases Uses TLS to encrypt all user-sensitive authentication information Supports password change at expiration Does not expose the logon user name in the EAP identity response Is not vulnerable to dictionary attacks Provides dynamic privacy protection when used in conjunction with Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES) Q. What are the enterprise benefits of PEAP? A. PEAP is based on server-side EAP-TLS. With PEAP, organizations can avoid the issues associated with installing digital certificates on every client machine as required by EAP-TLS; instead, they can select the methods of client authentication, such as logon passwords or OTPs, that best suit their corporate needs. DEPLOYMENT Q. How does PEAP authentication work? A. PEAP works in two phases: In Phase 1, server-side TLS authentication is performed to create an encrypted tunnel and achieve server-side authentication in a manner similar to Web server authentication using Secure Sockets Layer (SSL), a popular and trusted security method. Once Phase 1 of PEAP is established, all data is encrypted, including all user-sensitive information. The framework for PEAP Phase 2 authentication is extensible, and the client can be authenticated using methods such as EAP-GTC and Microsoft Challenge Authentication Protocol (MS-CHAP) Version 2 within the TLS tunnel. Q. What Cisco wireless products support PEAP? A. A variety of Cisco wireless products support PEAP including: Cisco Aironet autonomous and lightweight access points, Cisco wireless LAN controllers and Cisco Aironet client devices. Cisco Compatible client devices running Cisco Compatible Extensions version 4 or later also support PEAP. Q. What client operating systems support PEAP? A. PEAP support is available on Microsoft Windows XP, and Windows CE. Visit the Cisco Aironet WLAN client software product bulletin Web page for the latest software information and guidelines to enable PEAP on a client machine. Page 2 of 5

Q. Is PEAP authentication available on wireless clients from vendors other than Cisco? A. Yes. PEAP authentication is allowed from any PEAP-enabled supplicants that comply with the proposed PEAP IETF I-D. Cisco encourages customers to verify support and interoperability with vendors before starting installation. Q. Can I install both PEAP client software from Cisco and PEAP client software from Microsoft on my machine? A. PEAP client software from Cisco is complementary to PEAP client software from Microsoft. Users may choose to install either of these PEAP implementations on their client machines. When the Cisco PEAP supplicant is installed on a client machine, it completely replaces any existing MS- CHAP Version 2 PEAP supplicant on the machine. Q. Can I use client certificate authentication with PEAP? A. PEAP is based on server-side EAP-TLS. Client certificate authentication is not required only the server is authenticated using certificates. Q. Does PEAP provide single-login to Windows domains for passwords or OTP? A. PEAP is compatible with single-login, which is a function of the client supplicant. Single-login function may be available with third-party utilities. The Windows PEAP supplicant (PEAP/MS-CHAPv2) supports single sign-on. Cisco's PEAP/GTC supplicant does not support single sign-on. Q. How does silent session resume work during a PEAP session? A. PEAP supports silent session resume (also known as Fast Reconnect) when only Phase 1 of PEAP is executed. In Phase 2, the previous authentication state is reused. Users are not required to reauthenticate until the PEAP session timeout expires. The PEAP session timer is independent of the RADIUS session timer, which is used to control the volatility of dynamic encryption keys with EAP. Q. Can I use PEAP with LDAP or Novell NDS databases? A. Yes. PEAP provides interoperability with both LDAP and Novell NDS. Q. Where can I learn more about deploying PEAP? A. Please read the Protected Extensible Authentication Protocol Application Note to learn more about deploying PEAP. Q. Where can I learn more about deploying secure WLANs? A. Please read the following documents to learn more about deploying secure WLANs: Wireless LAN Security White Paper Cisco Aironet Technical References Deployment Guide: Configuring the Cisco Wireless Security Suite Q. Where can I learn more about WLAN security? A. Please read the Cisco Wireless LAN Security brochure to learn more about WLAN security. Page 3 of 5

EAP TYPE COMPARISONS Q. What is the difference between the Microsoft PEAP supplicant and the Cisco PEAP supplicant? A. Both supplicants support PEAP, but each supports different methods of client authentication through the TLS tunnel. The Microsoft PEAP supplicant supports client authentication by only MS-CHAP Version 2, which limits user databases to those that support MS-CHAP Version 2, such as Domains and Active. The Cisco PEAP supplicant supports client authentication by OTPs and logon passwords, enabling support for OTP databases from vendors (such as RSA Security and Secure Computing Corporation) and logon password databases (such as LDAP and Novell NDS) as well as Microsoft databases. In addition, the Cisco PEAP client includes the ability to hide user name identities until the TLS encrypted tunnel is established. This provides additional confidentiality that user names are not being broadcast during the authentication phase. Q. What are the differences between PEAP, EAP-Flexible Authentication via Secure Tunneling (FAST), Cisco LEAP, and EAP-TLS? A. Table 1 provides a summary comparison of PEAP, EAP-FAST, Cisco LEAP, and EAP-TLS. Table 1. PEAP, EAP-FAST, Cisco LEAP and EAP-TLS Comparison Chart PEAP with Generic Token Card (GTC) User Authentication OTP, LDAP, Novell Database and Server Requires Server Certificates Requires Client Certificates Operating System Support Application-Specific Device (ASD) Support Credentials used Single Sign-On Using Windows Login NDS, Domains, Active PEAP with Microsoft Challenge Authentication Protocol (MS-CHAP) Version 2 EAP-FAST Cisco LEAP EAP-TLS OTP, LDAP, Novell Domains, Active Domains, Active Domains, Active NDS,, LDAP Domains, Active (limited) Yes Yes No No Yes No No No No Yes Windows CE* Windows CE Windows CE*** Driver: Windows 98,, Windows Me, Windows XP, Mac OS, Linux, Windows CE, DOS Windows CE Other OS No No Yes Yes No Client: Windows, Windows password Windows password, Windows Digital certificate Novell NDS, LDAP LDAP user password**** password; OTP or ID/password (manual token provisioning required Server: Digital for Pac provisioning) certificate No Yes Yes Yes Yes Page 4 of 5

Password Expiration and Change Works with Fast Secure Roaming Works with WPA and WPA2 PEAP with Generic Token Card (GTC) PEAP with Microsoft Challenge Authentication Protocol (MS-CHAP) Version 2 EAP-FAST Cisco LEAP EAP-TLS No Yes Yes No No No Yes Yes No Yes Yes Yes Yes Yes * PEAP/GTC is supported on Cisco Compatible Version 2 clients and above. ** Greater operating system coverage is available with Meetinghouse and Funk supplicants. *** Cisco Aironet 350 Series WLAN client devices and Cisco Aironet 5 GHz 54 Mbps Wireless LAN Client Adapters (CB20A) support EAP-FAST on Windows XP, and Windows CE operating systems. **** Requires strong passwords. Read more at: Cisco Response to Dictionary Attacks on Cisco LEAP. FOR MORE INFORMATION For more information about the Cisco Unified Wireless Network, visit: http://www.cisco.com/go/unifiedwireless For more information about Cisco Aironet products, visit: http://www.cisco.com/go/aironet Read the Cisco Wireless LAN Security brochure at: http://www.cisco.com/en/us/prod/collateral/wireless/ps5678/ps430/ps4076/prod_brochure09186a00801f7d0b.html For more information about EAP-FAST, visit: http://www.cisco.com/en/us/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml For more information about Cisco LEAP, visit: http://www.cisco.com/en/us/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764f1.shtml For more information about 802.11i, WPA and WPA2, visit: http://www.cisco.com/en/us/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801e3e59.shtml Page 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback