8.4 Enterprise WLAN Authentication  
  8.4.5 802.1x authentication types  
Different authentication types are supported when using 802.1x on a WLAN.
  • LEAP - Lightweight EAP (LEAP) is also called EAP-Cisco. LEAP is the Cisco version of EAP. It is used on networks that currently do not support EAP. The current versions of EAP may not provide the functionality that is needed or may be too demanding. This could compromise the performance of the WLAN equipment. LEAP is a good choice when using Cisco equipment in conjunction with operating systems like Windows 95, Windows 98, Windows Me, Windows CE, Windows NT/2000/XP, and Linux.
  • EAP-TLS - EAP-Transport Layer Security (EAP-TLS) is a labor-intensive security option. EAP-TLS requires a digital certificate configured on all WLAN clients and on the server. EAP-TLS is based on X.509 certificates. It is usually easier to use than PEAP, which is based on EAP-TLS.
  • PEAP - Protected EAP (PEAP) is a draft EAP authentication type that is designed to allow hybrid authentication. PEAP employs server-side PKI authentication. For client-side authentication, PEAP can use any other EAP authentication type. Because PEAP establishes a secure tunnel via server-side authentication, non-mutually authenticating EAP types can be used for client-side authentication. Client-side authentication options include EAP-GTC for one-time passwords and EAP-MD5 for password-based authentication. PEAP is based on server-side EAP-TLS and it addresses the manageability and scalability shortcomings of EAP-TLS. Organizations can avoid the issues associated with installing digital certificates on every client machine as required by EAP-TLS. They can then select the method of client authentication that best suits them.
  • EAP-MD5 - Extensible Authentication Protocol MD5 (EAP-MD5) should not be used, because it does not provide mutual authentication. EAP-MD5 is a one-way authentication that essentially duplicates CHAP password protection on a WLAN. EAP-MD5 is used as a building block in EAP-TTLS.
  • EAP-OTP - EAP-One Time Passwords (EAP-OTP) is also called EAP-Generic Token Card (EAP-GTC). It is not recommended, since OTPs are not a form of mutual authentication.
  • EAP-SIM - EAP-SIM uses the same smart card or SIM that is used in GSM mobile phones to provide authentication. EAP-SIM can easily ride on EAP-TLS.
  • EAP-TTLS - EAP-Tunneled Transport Layer Security (EAP-TTLS) is an IETF draft authored by Funk Software and Certicom. EAP-TTLS provides similar functionality to PEAP. EAP-TTLS protects passwords by using TLS, which is an advanced form of Secure Sockets Layer (SSL). EAP-TTLS currently requires a Funk Software RADIUS server.
  • Kerberos - Kerberos is not part of the 802.1x standard, but it is being recommended by some vendors. Kerberos is an authentication system enabling protected communication over an open network, which uses a unique key called a ticket. It requires service configuration. PEAP can support Kerberos through EAP-Generic Security Service (EAP-GSS).
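The practical difference between the one-way EAP-MD5 described above and the tunneled PEAP design is whether the client ever authenticates the server. The following wpa_supplicant configuration fragments are an added example, not part of the curriculum or Cisco's own material; the SSID, identity, CA file path and RADIUS server name are assumed values. They place the weak settings beside the corrected one.

```conf
# Constructed example (not from the curriculum): wpa_supplicant.conf
# Assumed SSID, identity, CA path and RADIUS server name.

# WEAK: EAP-MD5 with no TLS tunnel. The client proves its password to
# whoever sent the challenge; nothing authenticates the server (one-way,
# CHAP-style), which is why the text says EAP-MD5 should not be used.
# wpa_supplicant only allows MD5 with IEEE8021X (no key derivation).
network={
    ssid="corp-wlan"
    key_mgmt=IEEE8021X
    eap=MD5
    identity="alice"
    password="s3cret"
}

# WEAK: PEAP without CA validation. The TLS tunnel is built, but the
# client never checks who it is tunneling to, so the server-side
# authentication that PEAP relies on is not actually enforced.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="s3cret"
    phase2="auth=MSCHAPV2"
}

# CORRECT: PEAP with the RADIUS server's certificate chain checked
# against a trusted CA and its name matched, then a non-mutual inner
# method (EAP-GTC one-time password, as the text describes) carried
# only inside the protected tunnel.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="s3cret"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=GTC"
}
```

The outer anonymous_identity keeps the real username out of the unprotected EAP-Identity exchange; only the inner, tunneled method sees it.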


Lab Activity

Lab 8.4.5.1 - Configuring LEAP/EAP using Local RADIUS Authentication

In this lab, the student will learn about the second generation of Wireless LAN security and how to implement LEAP on a Wireless LAN for secure client authentication.


Lab Activity

Lab 8.4.5.2 - Configuring LEAP/EAP using Cisco Secure ACS

In this lab, the student will learn about the second generation of Wireless LAN security and how to implement LEAP on a Wireless LAN for secure client authentication.


Interactive Activity

Demonstration Activity: Configure LEAP/EAP using VxWorks GUI

In this activity, students will learn about Cisco VPN devices.