Tip

How do you authenticate in 802.1x?

Are you confused about authentication methods within 802.1x? If so, you're not alone. For example, one SearchMobileComputing.com reader sent in a question about the various authentication methods. He noted that there are references to many different authentication methods, but does that mean you can use any? One or more? And what difference does it make?

Here's the question, edited just a bit:

"When deploying 802.1x, can we use EAP-MD5, EAP-TLs, token cards, Kerberos, one-time passwords, or certificates as the authentication method? (Some others even call these "authentication types" and that makes it even more confusing).

"Or do EAP-MD5, EAP-TLs, etc. and token cards, Kerberos, etc. actually play different roles in 802.1x and EAP infrastructure? Please help me to clarify this issue and thanks in advance."

SearchMobileComputing.com mobile security expert Kevin Beaver replied on September 25.

"The 802.1x framework utilizes Extensible Authentication Protocol (EAP) as a way to authenticate and control traffic on protected wired and wireless networks. 802.1x is just a framework that various products support. When using this framework, you can use EAP for authentication of the traffic. Within EAP, you can choose one of the various authentication methods (tokens, PKI, etc.). Check out the following links for more information:

    Requires Free Membership to View

EAP
802.1X"

Ed. Note: The first of these references states the following, in part:

"After the link establishment phase is complete, the authenticator sends one or more requests to authenticate the peer. The request has a type field to indicate what is being requested. Examples of request types include identity, MD5-challenge, one-time passwords, generic token card, etc. The MD5-challenge type corresponds closely to the CHAP authentication protocol.

Typically, the authenticator will send an initial identity request followed by one or more requests for authentication information. However, an initial identity request is not required, and may be bypassed in cases where the identity is presumed (leased lines, dedicated dial-ups, etc.)."



This was first published in October 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.