Regular Contributor I

EAP without certificates

Hi guys,

 

The following is an excerpt of the ACCP Student Guide:

[image: EAP.png]

Are certificates always mandatory in 802.1X? Can 802.1X be used with only usernames and passwords for authentication, without certificates? When I select the authentication method in Windows, all the options require certificates:

[image: eapwindows.png]

 

Regards,

Julián

Guru Elite

Re: EAP without certificates

PEAP and EAP-TTLS require a server-side certificate. EAP-TLS requires both a server certificate and a client certificate.

 

EAP-TLS is the recommended EAP method going forward.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: EAP without certificates

Hi Tim,

 

I didn't express myself correctly in my previous message. I meant to ask whether there is any way to authenticate with a RADIUS server via 802.1X with just a username and password, and without certificates.

 

Regards,

Julián

Guru Elite

Re: EAP without certificates

No. PEAPv0/EAP-MSCHAPv2 and EAP-TTLS require a server certificate.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: EAP without certificates

Then, when using 802.1X with a RADIUS server, is it also mandatory to use PEAP/EAP-TLS/EAP-TTLS, which require a certificate?

 

Regards,

Julián

Guru Elite

Re: EAP without certificates

There are many EAP methods available depending on what you're trying to do and what your clients support. For username/password, PEAP and EAP-TTLS are commonly used and require a server certificate (and some inner methods require a client certificate).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee

Re: EAP without certificates

Julian,

 

If you want to use 802.1X with the EAP-TLS protocol, then we need both a client and a server certificate, and for EAP-PEAP/TTLS we need a server certificate.

 

In the EAP-TLS protocol, the client needs to trust the server certificate and the server needs to trust the client for authentication to succeed, whereas in the EAP-PEAP protocol, we need a password and a server certificate for the client to authenticate.

 

Regards,

Pavan
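
The certificate requirements described in the replies above, shown as supplicant configuration. This is an added example, not part of the thread: it assumes a wpa_supplicant client rather than the Windows supplicant discussed, and the SSID, identities, password and file paths are constructed placeholders.

```conf
# wpa_supplicant.conf (constructed example; all values are placeholders).
# The two blocks are alternatives for the same SSID; keep only one.

# PEAPv0/EAP-MSCHAPv2: the user logs in with username and password.
# The client holds no certificate of its own, but it still validates the
# RADIUS server's certificate before sending credentials inside the tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity sent in the clear; the real one goes inside the tunnel.
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="placeholder-password"
    # CA that issued the RADIUS server certificate.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # Accept only a server certificate issued for this name.
    domain_suffix_match="radius.example.com"
}

# EAP-TLS: no password. The client trusts the server certificate (ca_cert)
# and presents its own certificate, which the server must trust in turn.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/example-client.pem"
    private_key="/etc/wpa_supplicant/example-client.key"
    private_key_passwd="placeholder-passphrase"
}
```

Omitting `ca_cert` from the PEAP block lets the client hand its password-derived exchange to any RADIUS server that answers, which is why the server certificate matters even for username/password logins.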

 

 

Regular Contributor I

Re: EAP without certificates

Yes, and I have just seen an article, and it seems the only methods you can use to avoid certificates are LEAP and some flavors of EAP-FAST, which are both Cisco proprietary:

[image: eap.PNG]

 

Regards,

Julián

Aruba Employee

Re: EAP without certificates

Julian,

 

EAP-LEAP has a security vulnerability, whereas EAP-FAST has little advantage compared to PEAP, none of it security related, and most devices do not support EAP-FAST.

 

We recommend using EAP-PEAP for medium security, and for high security go for EAP-TLS.

 

Regards,

Pavan

 

Guru Elite

Re: EAP without certificates

Julian - What is your specific question? We seem to be going in circles here.

EAP-TLS is the only recommended method at this point in time.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480