EAP without certificates

Hi guys,

The following is an excerpt of the ACCP Student Guide:

[Image: EAP.png]

Are certificates always mandatory in 802.1X? Can 802.1X be used to authenticate only usernames and passwords, without certificates? When I select the authentication method in Windows, all the options require certificates:

[Image: eapwindows.png]

Regards,

Julián

Guru Elite

Re: EAP without certificates

PEAP and EAP-TTLS require a server-side certificate. EAP-TLS requires both a server certificate and client certificate.

EAP-TLS is the recommended EAP method going forward.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: EAP without certificates

Hi Tim,

I didn't express myself correctly in my previous message. I meant to ask whether there is any way to authenticate with a RADIUS server via 802.1X with just a username and password, and without certificates.

Regards,

Julián

Guru Elite

Re: EAP without certificates

No. PEAPv0/EAP-MSCHAPv2 and EAP-TTLS require a server certificate.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: EAP without certificates

Then, when using 802.1X with a RADIUS server, is it also mandatory to use PEAP/EAP-TLS/EAP-TTLS, which require certificates?

Regards,

Julián

Guru Elite

Re: EAP without certificates

There are many EAP methods available depending on what you're trying to do and what your clients support. For username/password, PEAP and EAP-TTLS are commonly used and require a server certificate (and some inner methods require a client certificate).


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |


Re: EAP without certificates

Julian,

If you want to use 802.1X with the EAP-TLS protocol, then we need both client and server certificates, and for EAP-PEAP/TTLS we need a server certificate.

In the EAP-TLS protocol, the client needs to trust the server certificate and the server needs to trust the client for authentication to succeed, whereas in the EAP-PEAP protocol we need a password and a server certificate for the client to authenticate.

Regards,

Pavan

If my post addresses your queries, give kudos and accept as solution!

Re: EAP without certificates

Yes, and I have just seen an article, and it seems the only methods you can use to avoid certificates are LEAP and some flavors of EAP-FAST, both of which are Cisco proprietary:

[Image: eap.PNG]

Regards,

Julián

Re: EAP without certificates

Julian,

EAP-LEAP has a security vulnerability, whereas EAP-FAST has little advantage compared to PEAP, and not a security-related one, and most devices do not support EAP-FAST.

We recommend using EAP-PEAP for medium security, and for high security go for EAP-TLS.

Regards,

Pavan

Guru Elite

Re: EAP without certificates

Julian - What is your specific question? We seem to be going in circles here.

EAP-TLS is the only recommended method at this point in time.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
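
As an added example (not part of the original thread and not any poster's code), the following Python script checks a `wpa_supplicant.conf`-style client configuration against the requirements stated in the thread: a CA to validate the server certificate for PEAP and EAP-TTLS, plus a client certificate and key for EAP-TLS. Using wpa_supplicant as the client, the helper names and the sample configuration are assumptions made for illustration.

```python
import re
# Settings each EAP method needs per the thread (PEAP/TTLS: CA + password;
# TLS: CA + client cert/key). Assumption: ca_path and PKCS#12 are ignored.
PASSWORD_BASED = ("ca_cert", "identity", "password")
REQUIRED = {"PEAP": PASSWORD_BASED, "TTLS": PASSWORD_BASED,
            "TLS": ("ca_cert", "client_cert", "private_key")}

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        settings = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def audit(text):
    """Return (ssid, method, finding) tuples for incomplete EAP networks."""
    findings = []
    for net in parse_networks(text):
        ssid = net.get("ssid", "?")
        for method in net.get("eap", "").split():
            if method not in REQUIRED:
                findings.append((ssid, method, "method not covered by this check"))
            findings.extend((ssid, method, f"missing {key}")
                            for key in REQUIRED.get(method, ()) if key not in net)
    return findings

# Constructed sample configuration; SSIDs, identity and paths are made up.
SAMPLE = '''
network={
    ssid="corp-peap"
    eap=PEAP
    identity="julian"
    password="example-only"
}
network={
    ssid="corp-tls"
    eap=TLS
    ca_cert="/etc/certs/ca.pem"
    client_cert="/etc/certs/host1.pem"
    private_key="/etc/certs/host1.key"
}
'''
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The PEAP network in the sample is flagged because it has a username and password but no `ca_cert`; wpa_supplicant does not verify the server certificate when neither `ca_cert` nor `ca_path` is set.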
