OneTouch AT: 802.1x Authentication & EAP Configuration (Wireless)
The OneTouch AT provides 802.1x authentication for both wired and wireless connections (LAN/WLAN). The idea behind 802.1x authentication is to prevent rogue devices from connecting to your LAN: each device must authenticate to the authentication server before it is granted access.

802.1x Configuration

  1. From the Home screen, tap Tools > Wi-Fi
  2. From the Wi-Fi menu, tap On for Enable Connect
  3. Tap Security
  4. Tap either WPA Enterprise or WPA2 Enterprise, depending on your environment.
  5. Select the appropriate EAP type.


The supported EAP types for OneTouch AT (Wireless) include the following:

EAP-FAST – A protocol proposed by Cisco Systems as a replacement for LEAP. It was designed to address the weaknesses of LEAP while preserving the "lightweight" implementation.

EAP-TLS – An open standard that uses the TLS (Transport Layer Security) protocol. It uses PKI to secure communication to a RADIUS authentication server or another type of authentication server.

PEAP (Protected Extensible Authentication Protocol) – was designed to provide increased security over EAP in modern 802.1x environments. In PEAP, once the PEAP server and the PEAP client establish the TLS tunnel, the PEAP server generates an EAP-Identity request and transmits it down the TLS tunnel. The client responds to this second EAP-Identity request by sending an EAP-Identity response containing the user’s true identity down the encrypted tunnel. This prevents anyone eavesdropping on the 802.11 traffic from discovering the user’s true identity.

PEAP-MD5 – Lets a RADIUS server authenticate LAN stations by verifying an MD5 hash of each user's password.

PEAP-GTC – Created by Cisco to provide interoperability with existing token-card and directory-based authentication systems via a protected channel.

PEAP-MSChapV2 – The most common form of PEAP in use, trailing just behind EAP-TLS. It uses MSCHAPv2, meaning it can authenticate against databases that support the MSCHAPv2 format, including Microsoft NT and Microsoft Active Directory.

PEAP-TLS – Very similar to EAP-TLS, but slightly more secure, because portions of the certificate exchange that are unencrypted in EAP-TLS are encrypted in PEAP-TLS.

TTLS (Tunneled Transport Layer Security) – With TTLS, the client typically authenticates via PAP or CHAP, protected by the TLS tunnel. In this case, the client includes a User-Name attribute and either a Password or CHAP-Password attribute in the first TLS message sent after the tunnel is established.

TTLS-PAP – The client initiates PAP by tunneling User-Name and User-Password AVPs to the TTLS server.

TTLS-CHAP – Securely tunnels client password authentication within the TLS records. The client initiates MS-CHAP by tunneling User-Name, MS-CHAP-Challenge and MS-CHAP-Response AVPs to the TTLS server.

TTLS-MSCHAP – Securely tunnels client password authentication and MSCHAP response within the TLS records. The client initiates MS-CHAP by tunneling User-Name, MS-CHAP-Challenge and MS-CHAP-Response AVPs to the TTLS server.

TTLS-MSCHAPv2 – Securely tunnels client password authentication and MSCHAPv2 response within the TLS records. The client initiates MS-CHAP by tunneling User-Name, MS-CHAP-Challenge and MS-CHAP-Response AVPs to the TTLS server.

TTLS-EAP-MD5 – Securely tunnels the MD5 hash within the TLS records.

TTLS-EAP-GTC – Securely tunnels the GTC token within the TLS records

TTLS-EAP-MSCHAPv2 – Securely tunnels client password authentication and MSCHAPv2 response within the TLS records. The client initiates MS-CHAP by tunneling User-Name, MS-CHAP-Challenge and MS-CHAP-Response AVPs to the TTLS server.

TTLS-EAP-TLS – Securely tunnels the EAP-TLS certificate within the TLS records.

Both PEAP and TTLS were created in response to the PKI barrier in EAP-TLS. Both TTLS and PEAP were designed to use older authentication mechanisms while retaining the strong cryptographic foundation of TLS.
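As an added example (not code from this article or from the OneTouch AT's vendor), the following Python builds and parses the two layers that the PEAP and TTLS descriptions above refer to: the outer EAP packet (RFC 3748) that crosses the air in cleartext, and the TTLS AVPs (RFC 5281) that carry User-Name, User-Password and the MS-CHAP attributes inside the TLS tunnel. It assumes an anonymous outer identity of the form anonymous@realm, which RFC 5281 recommends but the article does not spell out. Every identity, password and MS-CHAP challenge/response value in it is constructed for the demo, and the MS-CHAPv2 arithmetic itself is left out; the AVPs carry opaque bytes.

```python
"""Added example, not code from the OneTouch AT article or its vendor.

Outer layer: EAP packets (RFC 3748) as seen on the air in cleartext.
Inner layer: TTLS AVPs (RFC 5281) that only ever travel inside the TLS tunnel.
All identities, passwords and challenge bytes below are constructed for the demo.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2                # EAP Code field (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 1, 21, 25

AVP_USER_NAME, AVP_USER_PASSWORD = 1, 2         # RADIUS attribute codes reused as AVP codes
VENDOR_MICROSOFT = 311                          # Vendor-ID for the MS-CHAP AVPs (RFC 2548)
MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 11, 25
AVP_FLAG_VENDOR, AVP_FLAG_MANDATORY = 0x80, 0x40


def build_eap(code, ident, eap_type, data):
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def parse_eap(pkt):
    """Decode an EAP packet; the Length field must match what was received."""
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    return {"code": code, "id": ident, "type": eap_type, "data": pkt[5:]}


def build_avp(code, data, vendor=None, mandatory=True):
    """TTLS AVP: Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data, zero-padded to 4 octets.
    Length covers header and data but not the padding."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    vendor_bytes = b""
    if vendor is not None:
        flags |= AVP_FLAG_VENDOR
        vendor_bytes = struct.pack("!I", vendor)
    length = 8 + len(vendor_bytes) + len(data)
    avp = struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor_bytes + data
    return avp + b"\x00" * (-length % 4)


def parse_avps(buf):
    """Walk a buffer of concatenated AVPs, rejecting lengths that run past the buffer."""
    avps, pos = [], 0
    while pos < len(buf):
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr, vendor = 8, None
        if flags & AVP_FLAG_VENDOR:
            vendor = struct.unpack("!I", buf[pos + 8:pos + 12])[0]
            hdr = 12
        if length < hdr or pos + length > len(buf):
            raise ValueError("malformed AVP length")
        avps.append({"code": code, "vendor": vendor,
                     "mandatory": bool(flags & AVP_FLAG_MANDATORY),
                     "data": buf[pos + hdr:pos + length]})
        pos += length + (-length % 4)           # step over the padding
    return avps


def outer_identity(eap_pkt):
    """The cleartext EAP-Response/Identity: the only identity visible on the 802.11 link."""
    eap = parse_eap(eap_pkt)
    if eap["code"] == EAP_RESPONSE and eap["type"] == EAP_TYPE_IDENTITY:
        return eap["data"].decode("utf-8", "replace")
    return None


def ttls_pap_inner(username, password):
    """TTLS-PAP: the User-Name and User-Password AVPs the client tunnels to the TTLS server.
    The password is carried as-is; the TLS tunnel, not RADIUS obfuscation, protects it."""
    return (build_avp(AVP_USER_NAME, username.encode())
            + build_avp(AVP_USER_PASSWORD, password.encode()))


def ttls_mschapv2_inner(username, challenge, response):
    """TTLS-MSCHAPv2: User-Name plus vendor-specific MS-CHAP-Challenge / MS-CHAP2-Response AVPs.
    challenge and response are opaque constructed bytes here (MS-CHAPv2 math is out of scope)."""
    return (build_avp(AVP_USER_NAME, username.encode())
            + build_avp(MS_CHAP_CHALLENGE, challenge, vendor=VENDOR_MICROSOFT)
            + build_avp(MS_CHAP2_RESPONSE, response, vendor=VENDOR_MICROSOFT))


def outer_identity_leaks_user(eap_pkt, inner_avps):
    """Configuration check: the real user name belongs only inside the tunnel.
    Returns True when the outer identity's local part repeats the tunneled User-Name's."""
    outer = (outer_identity(eap_pkt) or "").split("@")[0].lower()
    inner = next(a["data"].decode() for a in parse_avps(inner_avps)
                 if a["code"] == AVP_USER_NAME and a["vendor"] is None)
    return outer == inner.split("@")[0].lower()


if __name__ == "__main__":
    anon = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"anonymous@example.com")
    real = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"jdoe@example.com")
    inner = ttls_pap_inner("jdoe@example.com", "s3cret-demo")
    print("outer identity on air:", outer_identity(anon))
    print("leaks with anonymous outer identity:", outer_identity_leaks_user(anon, inner))
    print("leaks with real outer identity:", outer_identity_leaks_user(real, inner))
```

Running the file prints the cleartext outer identity and the result of the leak check for both an anonymous and a real outer identity. The `outer_identity_leaks_user` check is the part worth keeping in a supplicant-configuration review: when the identity visible on the air matches the User-Name inside the tunnel, the identity protection the PEAP description above relies on is lost even though the password itself is still tunneled.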