Are you confused about authentication methods within 802.1x? If so, you're not alone. For example, one SearchMobileComputing.com...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
reader sent in a question about the various authentication methods. He noted that there are references to many different authentication methods, but does that mean you can use any? One or more? And what difference does it make?
Here's the question, edited just a bit:
"When deploying 802.1x, can we use EAP-MD5, EAP-TLs, token cards, Kerberos, one-time passwords, or certificates as the authentication method? (Some others even call these "authentication types" and that makes it even more confusing).
"Or do EAP-MD5, EAP-TLs, etc. and token cards, Kerberos, etc. actually play different roles in 802.1x and EAP infrastructure? Please help me to clarify this issue and thanks in advance."
SearchMobileComputing.com mobile security expert Kevin Beaver replied on September 25.
"The 802.1x framework utilizes Extensible Authentication Protocol (EAP) as a way to authenticate and control traffic on protected wired and wireless networks. 802.1x is just a framework that various products support. When using this framework, you can use EAP for authentication of the traffic. Within EAP, you can choose one of the various authentication methods (tokens, PKI, etc.). Check out the following links for more information:
Ed. Note: The first of these references states the following, in part:
"After the link establishment phase is complete, the authenticator sends one or more requests to authenticate the peer. The request has a type field to indicate what is being requested. Examples of request types include identity, MD5-challenge, one-time passwords, generic token card, etc. The MD5-challenge type corresponds closely to the CHAP authentication protocol.
Typically, the authenticator will send an initial identity request followed by one or more requests for authentication information. However, an initial identity request is not required, and may be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.)."