Cisco CCNA Study Guide - Router Alley

More documents

Recommendations

Info

CCNA Study Guide v2.62 – Aaron Balchunas 132 802.1X and Extensible Authentication Protocol (EAP) The 802.1X standard was developed by the IEEE to authenticate devices on a Layer-2 port basis. It was originally developed for Ethernet (802.3) bridges and switches, but was expanded to support the authentication of 802.11 wireless devices as well. 802.1X defines three roles in the authentication process: • Supplicant – the device being authenticated. In an 802.11 environment, the supplicant would be the wireless client software. • Authenticator – the device that is requiring the authentication. In an 802.11 environment, this is often the WAP. • Authentication Server – the device that stores the user database, for validating authentication credentials. This is often an external RADIUS server, though some WAPs support a local user database. 802.1X provides the encapsulation of Extensible Authentication Protocol (EAP) traffic, which serves as the framework for authenticating clients. EAP is not an authentication mechanism in itself. Instead, EAP transports the authentication data between supplicants, authenticators, and authentication servers (all three of which must support 802.1X/EAP). As a general framework, EAP supports a large number of methods for authentication, including (but not limited to): • Lightweight EAP (LEAP) • EAP - Flexible Authentication via Secure Tunneling (EAP-FAST) • EAP - Transport Layer Security (EAP-TLS) • Protected EAP (PEAP) With any form of EAP, wireless clients must authenticate with a RADIUS server before any data traffic will be forwarded. Only EAP traffic is allowed between the client and WAP before authentication occurs. Authenticating clients using 802.1X/EAP offers several advantages over Static-WEP and WPA-PSK, including: • Centralized management of credentials • Support for multiple encryption types • Dynamic encryption keys (Reference: http://en.wikipedia.org/wiki/IEEE_802.1X; http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol; http://www.ieee802.org/1/files/public/docs2000/P8021XOverview.PDF) * * * All original material copyright © 2013 by Aaron Balchunas (aaron@routeralley.com), unless otherwise noted. All other material copyright © of their respective owners. This material may be copied and used freely, but may not be altered or sold without the expressed written consent of the owner of the above copyright. Updated material may be found at http://www.routeralley.com.
CCNA Study Guide v2.62 – Aaron Balchunas 133 Lightweight Extensible Authentication Protocol (LEAP) Lightweight Extensible Authentication Protocol (LEAP) was developed by Cisco, and is supported by WPA/WPA2 as an 802.1X authentication method. LEAP employs a username/password for authentication via a RADIUS server, and does not require the use of certificates. LEAP is supported by most operating system, including Mac OS, Linux, DOS, and most versions of Windows. LEAP additionally supports single sign-on in Windows environments, allowing clients to perform Active Directory (or NT Domain) and 802.1X authentication simultaneously. LEAP authentication is a multi-step process: 1. The supplicant initiates the connection with a Start message. 2. The authenticator responds with a Request/Identity message. 3. The supplicant responds with an Identity message containing a username. 4. The authenticator then forwards the username to the authentication server with an Access Request message. 5. The supplicant and authentication server then authenticate each other using a challenge/response method. The authentication server sends a randomly-generated challenge to the supplicant. The supplicant then generates a hash value from the challenge and its password, using MD5. This hash value serves as the response back to the authentication server, and eliminates the need for the actual password to be transmitted between the two devices. 6. A Success message is generated if the supplicant and authentication server have successfully authenticated each other, which informs the authenticator that the supplicant can now pass data traffic. Once authentication is completed, the supplicant and authentication server then generate a pairwise master key (PMK). The PMK is used to create the actual encryption keys for data transfer, via a four-way handshake. LEAP was built on a variation of MS-CHAP, and is thus vulnerable to dictionary attacks. A strong password policy is extremely important when employing LEAP in a business environment. If strong passwords are not possible, Cisco recommends utilizing EAP-FAST instead of LEAP. (Reference: http://www.ciscosistemi.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764f1.html; http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf; CCNP ONT Exam Certification Guide, Amir Ranjbar. Pages 262-264) * * * All original material copyright © 2013 by Aaron Balchunas (aaron@routeralley.com), unless otherwise noted. All other material copyright © of their respective owners. This material may be copied and used freely, but may not be altered or sold without the expressed written consent of the owner of the above copyright. Updated material may be found at http://www.routeralley.com.
Page 1 and 2:
CCNA Study Guide v2.62 - Aaron Balc
Page 3 and 4:
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83: CCNA Study Guide v2.62 - Aaron Balc
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Page 286 and 287:
Page 288 and 289:
Page 290 and 291:
Page 292 and 293:
Page 294 and 295:
Page 296 and 297:
Page 298 and 299:
Page 300 and 301:
Page 302 and 303:
Page 304:
show all

Cisco CCNA Study Guide - Router Alley

Create successful ePaper yourself

Delete template?

Save as template?