ZyXEL P-330W User’s Guide
Appendix D Wireless LAN and IEEE 802.11
Appendix E
Wireless LAN With IEEE 802.1x
As wireless networks become popular for both portable computing and corporate networks,
security is now a priority.
Security Flaws with IEEE 802.11
Wireless networks based on the original IEEE 802.11 have a poor reputation for security. The
IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC
address. As the MAC address is sent across the wireless link in clear text, it is easy to spoof
and fake. Even the WEP (Wired Equivalent Privacy) data encryption is unreliable, as it can be
easily decrypted with current computer speed.
Deployment Issues with IEEE 802.11
User account management has become a network administrator’s nightmare in a corporate
environment, as the IEEE 802.11b standard does not provide any central user account
management. User access control is done through manual modification of the MAC address
table on the access point. Although WEP data encryption offers a form of data security, you
have to reset the WEP key on the clients each time you change your WEP key on the access
point.
IEEE 802.1x
In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to
support extended authentication as well as providing additional accounting and control
features. It is supported by Windows XP and a number of network devices.
Advantages of the IEEE 802.1x
User-based identification that allows for roaming.
Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server.
Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
RADIUS Server Authentication Sequence
The following figure depicts a typical wireless network with a remote RADIUS server for user
authentication using EAPOL (EAP Over LAN).
[Figure 85: Sequences for EAP MD5-Challenge Authentication]
Appendix F
Types of EAP Authentication
This appendix discusses the five popular EAP authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.
The type of authentication you use depends on the RADIUS server or the AP. Consult your
network administrator for more information.
EAP-MD5 (Message-Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server
sends a challenge to the wireless station. The wireless station ‘proves’ that it knows the
password by combining the password with the challenge (an MD5 digest) and sending the result
back. The password itself is not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs
the plaintext passwords to check a response, the passwords must be stored in a form it can read.
Thus someone other than the authentication server may access the password file. In addition, it
is possible to impersonate an authentication server, as the MD5 authentication method does not
perform mutual authentication. Finally, the MD5 authentication method does not support data
encryption with a dynamic session key. You must configure WEP encryption keys for data encryption.
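The challenge/response described above, worked through as an added example (this is not code from the ZyXEL guide). It builds and parses EAP MD5-Challenge Request and Response packets in the layout RFC 3748 defines (Code, Identifier, Length, Type 4, Value-Size, Value, Name) and computes the response as MD5(Identifier || password || challenge), the same construction as CHAP. The credential store, the user name "alice" and the function names are constructed for the example. It also shows, in code, the three weaknesses the text lists: the server must hold readable passwords, the client has nothing with which to verify the server, and no session key comes out of the exchange.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4  # RFC 3748 section 5.4

# Constructed sample credential store. EAP-MD5 forces the authentication
# server to keep a readable copy of every password, which is the storage
# weakness the appendix describes.
USER_DB = {"alice": b"correct horse battery staple"}


def md5_challenge_response(identifier, password, challenge):
    """RFC 3748 5.4: Response-Value = MD5(Identifier || password || challenge).
    One-way only: the station proves it knows the password, but learns
    nothing about who issued the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def build_eap_md5(code, identifier, value, name=b""):
    """Encode an EAP-Request or EAP-Response of type MD5-Challenge.
    Layout: Code(1) Identifier(1) Length(2, whole packet) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet):
    """Decode a packet built as above; raise ValueError on malformed input."""
    if len(packet) < 6:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("value-size exceeds packet")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]


def server_make_request(identifier, challenge=None):
    """Authentication server side: issue a fresh random challenge."""
    challenge = challenge if challenge is not None else os.urandom(16)
    return build_eap_md5(EAP_REQUEST, identifier, challenge, b"authenticator"), challenge


def client_answer(request, username, password):
    """Wireless station side: answer the challenge with the MD5 response."""
    code, identifier, challenge, _name = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    # Nothing in the request lets the station check who sent it: EAP-MD5
    # has no mutual authentication, so a rogue server can collect responses.
    resp = md5_challenge_response(identifier, password, challenge)
    return build_eap_md5(EAP_RESPONSE, identifier, resp, username.encode())


def server_verify(response, expected_identifier, challenge):
    """Authentication server side: recompute the digest and compare."""
    code, identifier, value, name = parse_eap_md5(response)
    if code != EAP_RESPONSE or identifier != expected_identifier:
        return EAP_FAILURE
    password = USER_DB.get(name.decode(errors="replace"))
    if password is None:
        return EAP_FAILURE
    expected = md5_challenge_response(identifier, password, challenge)
    # Constant-time compare; the result is only Success/Failure, no key material.
    return EAP_SUCCESS if hmac.compare_digest(expected, value) else EAP_FAILURE


def run_exchange(username, password, identifier=7, challenge=None):
    """Full Request -> Response -> Success/Failure round trip."""
    request, challenge = server_make_request(identifier, challenge)
    response = client_answer(request, username, password)
    return server_verify(response, identifier, challenge)


if __name__ == "__main__":
    print("alice, correct password:", run_exchange("alice", b"correct horse battery staple"))
    print("alice, wrong password:  ", run_exchange("alice", b"guess"))
```

Because the exchange yields only a Success or Failure code and no shared secret, the WEP keys have to be configured by hand on both sides, which is the "Dynamic Key Exchange: No" entry for EAP-MD5 in the comparison table.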
EAP-TLS (Transport Layer Security)
With EAP-TLS, digital certificates are needed by both the server and the wireless stations
for mutual authentication. The server presents a certificate to the client. After validating the
identity of the server, the client sends a different certificate to the server. The exchange of
certificates is done in the open before a secured tunnel is created. This makes user identity
vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the
sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to
handle certificates, which imposes a management overhead.
EAP-TTLS (Tunneled Transport Layer Service)
EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the
server-side authentications to establish a secure connection. Client authentication is then done
by sending username and password through the secure connection, thus client identity is
protected. For client authentication, EAP-TTLS supports EAP methods and legacy
authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection,
then uses simple username and password methods through the secured connection to
authenticate the clients, thus hiding client identity. However, PEAP only supports EAP
methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card),
for client authentication. EAP-GTC is implemented only by Cisco.
Table 49 Comparison of EAP Authentication Types

                              EAP-MD5   EAP-TLS   EAP-TTLS   PEAP
Mutual Authentication         No        Yes       Yes        Yes
Certificate – Client          No        Yes       Optional   Optional
Certificate – Server          No        Yes       Yes        Yes
Dynamic Key Exchange          No        Yes       Yes        Yes
Credential Integrity          None      Strong    Strong     Strong
Deployment Difficulty         Easy      Hard      Moderate   Moderate
Client Identity Protection    No        No        Yes        Yes