Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP without certificates

  • 1.  EAP without certificates

    Posted Jul 03, 2017 01:53 PM

    Hi guys,

     

    The following is an excerpt of the ACCP Student Guide: [image: EAP.png]

    Are certificates always mandatory in 802.1X? Can 802.1X be used authenticating only usernames and passwords, without certificates? When I select the authentication method in Windows, all the options require certificates: [image: eapwindows.png]

     

    Regards,

    Julián



  • 2.  RE: EAP without certificates

    EMPLOYEE
    Posted Jul 03, 2017 01:56 PM

    PEAP and EAP-TTLS require a server-side certificate. EAP-TLS requires both a server certificate and a client certificate.

     

    EAP-TLS is the recommended EAP method going forward.



  • 3.  RE: EAP without certificates

    Posted Jul 04, 2017 11:45 AM

    Hi Tim,

     

    I didn't express myself correctly in my previous message. I meant whether there is any way to authenticate with a RADIUS server by 802.1X with just a username and password, and without certificates.

     

    Regards,

    Julián



  • 4.  RE: EAP without certificates

    EMPLOYEE
    Posted Jul 04, 2017 11:47 AM

    No. PEAPv0/EAP-MSCHAPv2 and EAP-TTLS require a server certificate.



  • 5.  RE: EAP without certificates

    Posted Jul 04, 2017 11:55 AM

    Then, when using 802.1X with a RADIUS server, is it also mandatory to use PEAP/EAP-TLS/EAP-TTLS, which require certificates?

     

    Regards,

    Julián



  • 6.  RE: EAP without certificates

    EMPLOYEE
    Posted Jul 04, 2017 12:00 PM

    There are many EAP methods available depending on what you're trying to do and what your clients support. For username/password, PEAP and EAP-TTLS are commonly used and require a server certificate (and some inner methods require a client certificate).



  • 7.  RE: EAP without certificates

    Posted Jul 04, 2017 12:07 PM

    Yes, and I have just seen an article, and it seems the only methods you can use to avoid certificates are LEAP and some flavors of EAP-FAST, which are both Cisco proprietary:

    [image: eap.PNG]

     

    Regards,

    Julián



  • 8.  RE: EAP without certificates

    EMPLOYEE
    Posted Jul 04, 2017 12:24 PM

    Julian,

     

    EAP-LEAP has a security vulnerability, whereas EAP-FAST has little advantage compared to PEAP, not security related, and most devices do not support EAP-FAST.

     

    We recommend using EAP-PEAP for medium security, and for high security go for EAP-TLS.

     

    Regards,

    Pavan

     



  • 9.  RE: EAP without certificates

    Posted Jul 04, 2017 12:28 PM

    Hi Tim and Pavan,

     

    Ok, understood. Many thanks for your interest!

     

    Regards,

    Julián



  • 10.  RE: EAP without certificates

    EMPLOYEE
    Posted Jul 04, 2017 12:27 PM

    Julian - What is your specific question? We seem to be going in circles here.

    EAP-TLS is the only recommended method at this point in time.



  • 11.  RE: EAP without certificates

    EMPLOYEE
    Posted Jul 04, 2017 12:03 PM

    Julian,

     

    If you want to use 802.1X with the EAP-TLS protocol, then we need both client and server certificates, and for EAP-PEAP/TTLS we need a server certificate.

     

    In the EAP-TLS protocol, the client needs to trust the server certificate and the server needs to trust the client for authentication to succeed, whereas in the EAP-PEAP protocol, we need a password and a server certificate for the client to authenticate.

     

    Regards,

    Pavan
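
Added example, not part of the thread or written by any poster: a wpa_supplicant configuration showing the two setups the replies describe, PEAP/MSCHAPv2 (username and password, with a validated server certificate) and EAP-TLS (server and client certificates). The SSIDs, identities, file paths, server name and secrets are placeholder assumptions.

```conf
# Added example; every SSID, name, path and secret below is a placeholder.

# PEAP with inner MSCHAPv2: the user supplies only a username and password,
# but the RADIUS server still presents a certificate, and the client must
# validate it before sending credentials into the TLS tunnel.
network={
    ssid="EXAMPLE-CORP"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    # Outer identity sent in the clear; real identity goes inside the tunnel
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="PLACEHOLDER-PASSWORD"
    # CA that issued the RADIUS server certificate
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # Accept only a server certificate whose DNS name ends with this suffix
    domain_suffix_match="radius.example.com"
}

# EAP-TLS: no password at all. The client validates the server certificate
# (ca_cert + domain_suffix_match) and proves its own identity with a
# client certificate and private key that the RADIUS server must trust.
network={
    ssid="EXAMPLE-CORP-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wpa_supplicant/example-client.pem"
    private_key="/etc/wpa_supplicant/example-client.key"
    private_key_passwd="PLACEHOLDER-KEY-PASSPHRASE"
}
```

If `ca_cert` is left out of the PEAP block, wpa_supplicant does not verify the server certificate, so the client will run the password exchange with any access point that presents a certificate.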