net-auth.md 1.3 KB
title: Network Authentication breadcrumbs:
- title: Network --- {% include header.md %}
General
- Most types of network authentication, where a client authenticates itself to a switch or a wireless access point, uses IEEE 802.1X (aka dot1x) (excluding approaches like e.g. PSK and MACsec).
- Extensible Authentication Protocol (EAP) is generally the framework used for dot1x, using Remote Authentication Dial-In User Service (RADIUS) as the underlying protocol.
- Examples of authentication servers include FreeRADIUS and Cisco ISE, which may use internal client identities or use an upstream identity provider like Active Directory (AD).
Usage Examples
- TODO
Extensible Authentication Protocol (EAP)
TODO
- WPA Enterprise w/o provider certificate validation is unsafe? Yes.
- PEAP encapsulates inner authentication method, e.e. EAP-MSCHAPv2, using e.g. TLS.
- MS-CHAPv2 is old and uses DES. Inside PEAP is fine.
- Both PEAP and MS-CHAPv2 provide mutual authentication and don't transmit the password in plaintext.
- EAP-TLS requires the client device to have both the provider cert and a provider-provided client cert (with private key).
- PEAPv0 with EAP-MSCHAPv2 without CA cert validation = bad and crackable.
Tips and Best Practices
{% include footer.md %}