6/15/19

In my travels with securing internal and external networks, once you have the physical controls in place, then the network, storage and virtualization layers, and then the standard Windows-based controls working, you're always asked: what more can we do?

Usually this means we start deploying more defense-in-depth layers. One of those can be a PKI: pushing certificates to client machines and servers, and then deciding how we are going to use those certificates.

Take NAC in the Windows world. It uses a server role known as Network Policy Server (NPS), which is Microsoft's RADIUS server. You set up the authenticator (the switch or wireless controller) and the authentication server (NPS), but then you're left with a choice: do you authenticate the user with domain credentials (a password, carried as PEAP-MSCHAPv2 and validated by NPS against Active Directory; Kerberos itself never goes over the wire here), with a certificate (EAP-TLS), or with both?

Now I know this is not a catch-all example of EAP, but it's one that most will probably agree fits best in the IT world, since Microsoft makes up the vast majority of enterprise desktops. Let's continue.
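Before the list of methods, here is the hop the previous paragraph describes, as an added example that is not part of the original post: the authenticator (switch or access point) wraps the supplicant's EAP frame in RADIUS EAP-Message attributes and forwards it to NPS, and NPS has to check the Message-Authenticator before it believes any of it (RFC 3579). The shared secret, the identity and the packet identifier are constructed for the example.

```python
# Added example (not from the original post): the hop from the 802.1X
# authenticator (switch/AP) to NPS. The authenticator wraps the supplicant's
# EAP frame in RADIUS EAP-Message attributes (RFC 3579) and must add a
# Message-Authenticator (HMAC-MD5 over the packet, keyed with the RADIUS
# shared secret); the server verifies it and silently drops anything that
# fails. Shared secret, identity and packet identifier are constructed here.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253        # RADIUS attribute Length is one byte, 2-byte header included

SECRET = b"example-shared-secret"   # constructed for the example; never reuse it


def _attr(atype, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_identity_response(identity, ident=1):
    """EAP Response/Identity (RFC 3748): Code=2, Identifier, Length, Type=1, identity."""
    body = bytes([1]) + identity
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def build_access_request(secret, identifier, user_name, eap_frame, authenticator=None):
    """What the authenticator sends NPS: the EAP frame split into 253-byte
    EAP-Message attributes plus a Message-Authenticator computed over the
    whole packet with that attribute's value zeroed (RFC 3579 section 3.2)."""
    if authenticator is None:
        authenticator = os.urandom(16)   # Request Authenticator, fresh per request
    attrs = _attr(ATTR_USER_NAME, user_name)
    for i in range(0, len(eap_frame), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_frame[i:i + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, zeroed
    length = 20 + len(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_access_request(secret, packet):
    """Server side. Returns the reassembled EAP frame, or None when the packet
    must be discarded: bad framing, no EAP-Message, or a missing, duplicated
    or wrong Message-Authenticator (an EAP-carrying Access-Request without
    one is invalid per RFC 3579)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    eap_parts, ma_offset, pos = [], None, 20
    while pos < length:
        if length - pos < 2:
            return None
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return None
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap_parts.append(value)          # fragments are concatenated in order
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18 or ma_offset is not None:
                return None                  # wrong size or duplicated
            ma_offset = pos + 2
        pos += alen
    if not eap_parts or ma_offset is None:
        return None
    zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16]):
        return None
    return b"".join(eap_parts)


if __name__ == "__main__":
    frame = eap_identity_response(b"alice@corp.example")
    req = build_access_request(SECRET, 7, b"alice@corp.example", frame)
    print(verify_access_request(SECRET, req) == frame)   # True
    print(verify_access_request(b"wrong-secret", req))   # None
```

The check that matters operationally is the one in the last few lines of `verify_access_request`: the shared secret is the only thing authenticating the switch to NPS, so a weak or reused RADIUS secret lets anyone who can reach UDP/1812 inject or tamper with EAP traffic on the authenticator's behalf.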

There are a few EAP methods in common use today (the base protocol is RFC 3748; each method below is a Type carried inside it):

  • EAP-TLS (RFC 5216)
    • This method requires a client-side X.509 certificate, and Windows gives no option to disable that requirement, which makes it one of the strongest forms of EAP
    • The client certificate is what gives EAP-TLS its authentication strength: knowing a user's password is not enough to gain access to the network without the certificate and its private key
    • Authentication is mutual: the client also validates the server's certificate, and it should be configured to check both the issuing CA and the server name, or a rogue access point presenting any certificate can impersonate NPS
    • This can be used when a Windows-based infrastructure isn't used; the price is a PKI and a way (auto-enrollment, MDM) to get a certificate onto every client
  • EAP-PSK (RFC 4764)
    • This method uses a pre-shared key for mutual authentication and derives a session key from it
    • Don't confuse it with the PSK mode of WPA2 (WPA2-Personal), which uses the pre-shared key directly in the 802.11 four-way handshake and involves no EAP at all; EAP-PSK itself is an experimental RFC and sees little real-world deployment
  • EAP-TTLS (RFC 5281)
    • This method functions like EAP-TLS with two differences: a client certificate is optional rather than required, which gives a vastly easier deployment, and the TLS tunnel is used to carry a second, inner authentication
    • The server must present a certificate issued by a CA the client trusts, and the client uses that certificate to build the secure "tunnel"
    • Inside the tunnel the client authenticates with an inner method such as PAP, CHAP, MS-CHAPv2 or another EAP method, checked against a directory like Active Directory; nothing in the inner exchange goes over the air in clear text, which is where the stated confidentiality comes from
    • Two caveats: with inner PAP the password does reach the RADIUS server in the clear (the tunnel only protects the air), and everything depends on the client actually validating the server certificate; if clients are allowed to skip that, an evil-twin access point can terminate the tunnel and collect credentials
    • This can be used when a Windows-based infrastructure isn't used; Windows only gained a native EAP-TTLS supplicant in Windows 8, before that it needed a third-party client
  • EAP-IKEv2 (RFC 5106)
    • This method provides mutual authentication and session key establishment between an EAP peer and an EAP server and allows three types of credentials:
      • Asymmetric key pairs (certificates)
      • Symmetric keys
      • Shared passwords
    • What you actually meet on firewalls and VPN gateways is usually the reverse: IKEv2 itself (RFC 7296) carrying an EAP method such as EAP-MSCHAPv2 to authenticate the remote-access user. EAP-IKEv2 as an EAP method has seen little deployment.
  • EAP-MSCHAPv2
    • Uses Microsoft's version of the Challenge Handshake Authentication Protocol (MS-CHAPv2): a username plus a challenge/response computed from the NT password hash
    • On its own it needs no certificate at all; the certificate requirement comes from PEAP, where the server needs a certificate and the client needs to trust the issuing CA before the connection is established
    • Typically used inside PEAP, which runs EAP-MSCHAPv2 embedded in an encrypted TLS tunnel and so provides confidentiality, a key trait that CHAP by itself lacks
    • That tunnel is doing all the work: an MS-CHAPv2 exchange captured in the clear can be cracked offline (the response reduces to a single DES key), so never allow EAP-MSCHAPv2 outside PEAP and never let clients skip server certificate validation
    • This is used mainly in Windows-based infrastructures, because every Windows client and NPS support it out of the box
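
The Type numbers behind the list above are what you see on the wire, and they also decide how the "certificate or password?" choice from the NPS discussion plays out. The following is an added example, not code from the original post: it decodes EAP frames (RFC 3748) and walks a constructed exchange in which NPS proposes EAP-TLS first, the client has no certificate and answers with a Nak asking for PEAP, and the exchange completes with PEAP. The identity, identifiers and payload bytes are constructed.

```python
# Added example (not part of the original post): decode EAP frames (RFC 3748)
# and the method Type byte so you can see which of the methods above was
# actually negotiated. The exchange below is constructed, not a capture.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {                      # IANA EAP method type numbers
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
    47: "EAP-PSK", 49: "EAP-IKEv2",
}
TLS_BASED = {"EAP-TLS", "EAP-TTLS", "PEAP"}


def eap(code, ident, eap_type=None, data=b""):
    """Build one EAP frame: Code, Identifier, Length (header included), [Type, data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(frame):
    """Return a dict describing the frame; raises ValueError on bad framing."""
    if len(frame) < 4:
        raise ValueError("frame shorter than EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("bad EAP length")
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):                       # Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without Type")
        eap_type = frame[4]
        data = frame[5:length]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            info["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 3:                  # Nak: list of Types the peer would accept
            info["nak_wants"] = [EAP_TYPES.get(t, t) for t in data]
        elif info["type"] in TLS_BASED:      # first data byte is the flags byte
            flags = data[0] if data else 0
            info["flags"] = {"L": bool(flags & 0x80),   # Length included
                             "M": bool(flags & 0x40),   # More fragments
                             "S": bool(flags & 0x20)}   # Start
    return info


def negotiated_method(frames):
    """Walk an exchange and return the method the peer accepted and the server
    finished with, or None if it failed, was Nak'd without a retry, or never completed."""
    proposed = accepted = None
    for frame in frames:
        p = parse_eap(frame)
        if p["code"] == "Request" and p["type"] not in ("Identity", "Notification"):
            proposed = p["type"]
        elif p["code"] == "Response":
            if p["type"] == "Nak":
                accepted = None              # peer refused `proposed`
            elif p["type"] == proposed:
                accepted = proposed
        elif p["code"] == "Success":
            return accepted
        elif p["code"] == "Failure":
            return None
    return None


# Constructed exchange: server proposes EAP-TLS, client Naks it and gets PEAP.
SAMPLE_EXCHANGE = [
    eap(1, 1, 1),                                # Request/Identity
    eap(2, 1, 1, b"alice@corp.example"),         # Response/Identity
    eap(1, 2, 13, b"\x20"),                      # Request/EAP-TLS, S (start) flag set
    eap(2, 2, 3, bytes([25])),                   # Response/Nak: no cert, wants PEAP
    eap(1, 3, 25, b"\x20"),                      # Request/PEAP, S flag set
    eap(2, 3, 25, b"\x00" + b"\x16\x03\x01"),    # Response/PEAP: placeholder TLS bytes
    eap(1, 4, 25, b"\x00"),                      # ...tunnelled MS-CHAPv2 elided
    eap(2, 4, 25, b"\x00"),
    eap(3, 5),                                   # Success
]

# Same start, but the server has no fallback method configured: Failure.
CERT_ONLY_EXCHANGE = SAMPLE_EXCHANGE[:4] + [eap(4, 2)]

if __name__ == "__main__":
    for f in SAMPLE_EXCHANGE:
        print(parse_eap(f))
    print(negotiated_method(SAMPLE_EXCHANGE))      # PEAP
    print(negotiated_method(CERT_ONLY_EXCHANGE))   # None
```

The Nak in frame four is the practical point: the EAP type list in an NPS network policy is a fallback order, so if PEAP-MSCHAPv2 is listed behind EAP-TLS, a supplicant without a certificate simply refuses EAP-TLS and lands on a password. If the design calls for certificate-only access, the policy must offer EAP-TLS and nothing else, as in the second exchange.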

These are the EAP methods I've used; there are a few others used by the likes of Cisco, but I haven't used those yet. In another article I'll talk about the encapsulation types used with the above EAPs. 🙂

Only wanted to spend an hour on this article, so, gotta focus on more tasks and I’ll come back to this soon.

Cheers! 😀

Related Article: https://www.g15it.com/cyber-security-networking-windows-is-802-1x-important/
