EAP messages are exchanged between a supplicant and an authenticator, which are tunneled inside the EAPOL and RADIUS protocols
EAP introduces the philosophy that the supplicant should talk directly to the authentication server, with all intermediate devices acting only as relays
Tunnel and Non-Tunnel EAP
Supplicant sends its identity (name) in the clear to the authentication server. This is followed by an exchange that authenticates the authentication server to the user, and the user to the authentication server.
limitation of transmitting the user identity (but not the credentials) in the clear
Transmitting the challenge-response authentication exchange in the clear can facilitate some passive dictionary attacks, if user passwords are weak
To overcome these limitations, you can use a tunneled EAP architecture, in which an outer EAP encapsulates an inner EAP.
The outer EAP provides server authentication, and a cryptographically secure tunnel for the inner EAP method to run in.
Typical outer EAPs are PEAP and EAP-FAST. EAP-MSCHAPv2, EAP-TLS and EAP-GTC are commonly used for the inner EAP.
No comments:
Post a Comment