802.1X wireless security has always been a concern, and in Wi-Fi technology security plays an important role in the corporate network. As we all know, Wi-Fi works on signal strength, and we cannot control how far the signal spreads. So it is very easy for someone to connect to your Wi-Fi network and attack it if you do not have strong security on the wireless network.
(Disclaimer: This blog is for educational and informational purposes only. We believe that everyone is aware of technology, security, ethical hacking, cyber security and how to avoid such risks. All our blogs have been made using our own knowledge, experience, servers, lab etc. They do not contain any illegal activities. Our sole purpose is to share our knowledge only. Any related word, thing, activity or example is simply a coincidence. Kbrosis Technologies is not responsible for misuse of the provided information.)
Centralized Authentication
Centralized authentication is the act of verifying the user's identity by a means other than the local definitions. In this scenario, a Public Key Infrastructure (PKI) is usually in place. PKI uses digital certificates that are cryptographically signed by a trusted third party. The trusted third party is called a Certificate Authority (CA). A certificate issued by the CA contains the following information:
■ Username
■ Public key
■ Serial number
■ Valid dates
■ The CA’s information
These certificates are used for 802.1x authentication. This is a centralized method of authentication that can use various Extensible Authentication Protocol (EAP) methods of authenticating a client to an Authentication, Authorization, and Accounting (AAA) server.
802.1X with the EAP Process
The 802.1X process is the standard process for authentication against a RADIUS server. 802.1X itself is nothing more than a framework; EAP controls how the user credentials are sent, under the premise that no matter which EAP method you use, they all follow the same process. It involves the following steps:
Step 1. The client requests access.
Step 2. The client is queried for its identity.
Step 3. The client provides the proof.
Step 4. The client gets an answer from the server.
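As an added example (my own code, not from this post or any vendor), here is a small Python parser that walks a constructed 802.1X exchange and labels each EAPOL frame with the step above. It assumes the EAPOL header layout from IEEE 802.1X and the EAP header and method type numbers from RFC 3748 and the IANA registry; the sample frames are constructed, not captured.

```python
import struct

# EAPOL packet types (IEEE 802.1X) and EAP codes / method types (RFC 3748, IANA).
EAPOL_EAP, EAPOL_START = 0, 1
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}

def parse_eapol(frame: bytes) -> dict:
    """Parse one EAPOL frame and map it onto the four 802.1X/EAP steps."""
    _ver, ptype, length = struct.unpack("!BBH", frame[:4])  # struct.error if short
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    if ptype == EAPOL_START:                        # step 1: client requests access
        return {"step": 1, "desc": "EAPOL-Start"}
    if ptype != EAPOL_EAP or length < 4:
        raise ValueError("not a well-formed EAP-Packet")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > length:                            # never trust the inner length blindly
        raise ValueError("EAP length exceeds EAPOL body")
    info = {"code": code, "id": ident}
    if code in (SUCCESS, FAILURE):                  # step 4: the server's answer
        return {**info, "step": 4, "desc": "EAP-Success" if code == SUCCESS else "EAP-Failure"}
    if eap_len < 5:
        raise ValueError("Request/Response without Type field")
    method = EAP_TYPES.get(body[4], f"type {body[4]}")
    info.update(method=method, desc=f"{'Request' if code == REQUEST else 'Response'}/{method}")
    info["step"] = 2 if (body[4], code) == (1, REQUEST) else 3  # identity query vs. proof
    return info

def walk_exchange(frames) -> list:
    """Parse a whole exchange; each Response must echo its Request's Identifier."""
    out, pending = [], None
    for f in frames:
        p = parse_eapol(f)
        if p.get("code") == REQUEST:
            pending = p["id"]
        elif p.get("code") == RESPONSE:
            p["id_ok"] = p["id"] == pending
        out.append(p)
    return out

SAMPLE = [  # constructed PEAP exchange, not a real capture
    b"\x02\x01\x00\x00",                                   # EAPOL-Start
    b"\x02\x00\x00\x05\x01\x01\x00\x05\x01",               # Request/Identity id=1
    b"\x02\x00\x00\x15\x02\x01\x00\x15\x01user@example.com",  # Response/Identity id=1
    b"\x02\x00\x00\x06\x01\x02\x00\x06\x19\x21",           # Request/PEAP start id=2
    b"\x02\x00\x00\x06\x02\x02\x00\x06\x19\x01",           # Response/PEAP id=2
    b"\x02\x00\x00\x04\x03\x03\x00\x04",                   # EAP-Success id=3
]
```

Rejecting a frame whose inner EAP length exceeds the EAPOL body, and checking that each Response echoes its Request's Identifier, are the two sanity checks a supplicant or authenticator should make before acting on the payload.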
EAP-TLS - Extensible Authentication Protocol-Transport Layer Security
It is a commonly used EAP method for wireless networks. In EAP-TLS, a certificate must be installed on both the authentication server and the supplicant. For this reason, it is considered one of the most secure methods available.
This requires both client and server key pairs to be generated first and their certificates signed by a CA server. EAP-TLS establishes an encrypted tunnel inside which the user certificate is sent; the process begins with an EAP Start message.
Next, the AP requests the client’s identity. The client responds with its identity, and this is sent via EAP over RADIUS to the authentication server. The authentication server sends its certificate, and the client sends its certificate, thus proving their identity to each other.
Next, symmetric session keys (also called master session keys) are created. The authentication server sends the master session key to the AP or controller, where it is used for either WEP or WPA/WPA2 encryption between the AP and the client.
EAP-FAST - Extensible Authentication Protocol-Flexible Authentication via Secure Tunnel
It is a protocol that was developed by Cisco Systems. Its purpose was to address weaknesses in Lightweight Extensible Authentication Protocol (LEAP), another Cisco-developed EAP method.
The concept of EAP-FAST is similar to EAP-TLS; however, EAP-FAST does not use PKI. Instead, EAP-FAST uses a strong shared secret key called a Protected Access Credential (PAC) that is unique to every client. EAP-FAST negotiation occurs as follows:
- The client sends an EAPoL start to the AP.
- The AP, which is the authenticator, sends back an EAP Identity Request Message.
- The client sends a response to the authenticator. It is forwarded to the authentication server (AAA server) in a RADIUS packet.
- The authentication server sends an EAP-FAST start message that includes an Authority ID (A-ID).
- The client sends a PAC based on the received A-ID. The client also sends a PAC Opaque reply to the server. The PAC Opaque is a variable-length field that can be interpreted only by the authentication server. The PAC Opaque is used to validate the client’s credentials.
- The authentication server decrypts the PAC Opaque using a master key that was used to derive the PAC key. The authentication server sends an EAP-TLS Server hello along with the Cipher Trust Protocol Set.
- If the keys match, a TLS tunnel is established, with the client sending a confirmation.
- The server sends an identity request inside the TLS tunnel using a protocol such as Extensible Authentication Protocol-Generic Token Card (EAP-GTC).
- The client sends an authentication response.
- The server sends a Pass or Fail message. The Pass message indicates that the client is successfully authenticated.
PEAP - Protected EAP
With Protected EAP (PEAP), only a server-side certificate is used. This server-side certificate is used to create a tunnel, and then the real authentication takes place inside.
The PEAP method was jointly developed by Cisco Systems, Microsoft, and RSA. PEAP uses Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) or Generic Token Card (GTC) to authenticate the user inside an encrypted tunnel.
In PEAP, the following occurs:
- The client sends an EAPoL start, and the authenticator returns a request for identity. This is similar to the other EAP methods.
- The client returns its identity, and it is forwarded to the AAA server.
- The AAA server sends a server certificate and begins establishing a TLS tunnel.
- The client returns a premaster secret.
- The tunnel is established.
- The AAA server sends an identity request to the client.
- The client sends an identity response.
- The server sends an EAP-MS-CHAPv2 challenge.
- The client enters credentials into a popup, and that is sent back as an EAP-MS-CHAPv2 response.
- The server returns a pass or fail. If it’s a pass, the user can send traffic.
LEAP - Lightweight Extensible Authentication Protocol
It was developed by Cisco Systems as a proprietary protocol and was basically designed for older Cisco Wi-Fi products.
Visit our site: https://www.kbrosistechnologies.com/
Watch more videos: https://www.youtube.com/channel/UCpcd6IshE1caAbf9EdJd3gw
https://www.youtube.com/channel/UCTbOmLTSlHggEBkt5wFGNRA
FAQ
Q. What is 802.1x EAP process?
A. The 802.1X process is the standard process for authentication against a RADIUS server.
Q. What is 802.1x EAP-TLS?
A. EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is a commonly used EAP method for wireless networks. In EAP-TLS, a certificate must be installed on both the authentication server and the supplicant. For this reason, it is considered one of the most secure methods available.
Q. What is 802.1x EAP-FAST?
A. EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunnel) was developed by Cisco Systems. Its purpose was to address weaknesses in Lightweight Extensible Authentication Protocol (LEAP), another Cisco-developed EAP method.
Q. What is 802.1x PEAP?
A. With Protected EAP (PEAP), only a server-side certificate is used. This server-side certificate is used to create a tunnel, and then the real authentication takes place inside.