How do you authenticate in 802.1x?

How do you authenticate in 802.1x?

Are you confused about authentication methods within 802.1x? If so, you're not alone. For example, one SearchMobileComputing.com reader sent in a question about the various authentication methods. He noted that there are references to many different authentication methods, but does that mean you can use any? One or more? And what difference does it make?

Here's the question, edited just a bit:

"When deploying 802.1x, can we use EAP-MD5, EAP-TLs, token cards, Kerberos, one-time passwords, or certificates as the authentication method? (Some others even call these "authentication types" and that makes it even more confusing).

"Or do EAP-MD5, EAP-TLs, etc. and token cards, Kerberos, etc. actually play different roles in 802.1x and EAP infrastructure? Please help me to clarify this issue and thanks in advance."

SearchMobileComputing.com mobile security expert Kevin Beaver replied on September 25.

"The 802.1x framework utilizes Extensible Authentication Protocol (EAP) as a way to authenticate and control traffic on protected wired and wireless networks. 802.1x is just a framework that various products support. When using this framework, you can use EAP for authentication of the traffic. Within EAP, you can choose one of the various authentication methods (tokens, PKI, etc.). Check out the following links for more information:

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

EAP
802.1X"

Ed. Note: The first of these references states the following, in part:

"After the link establishment phase is complete, the authenticator sends one or more requests to authenticate the peer. The request has a type field to indicate what is being requested. Examples of request types include identity, MD5-challenge, one-time passwords, generic token card, etc. The MD5-challenge type corresponds closely to the CHAP authentication protocol.

Typically, the authenticator will send an initial identity request followed by one or more requests for authentication information. However, an initial identity request is not required, and may be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.)."


This was first published in October 2003

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top