Well, to be exact, the RADIUS server does not generate nor manage the
certificates. That is what your CA is for, and this is where most PKI
deployments get bogged down (how do you create certs, based on what
credentials, who creates them/has access to them, how do you securely
store them, what is the revocation policy, etc.). Once the cert is
generated, then it can be installed by the user or by an admin.

At that point, your diagram is right on, though the arrows should be
bidirectional as supplicant and authentication server use certs to prove
to each other that they are valid (aka "mutual authentication").

For those who would like more info on this, take a look at the
following:
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.pdf

Cheers.

Paul
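The division of labour Paul describes (a CA issues the certificates; the RADIUS server and the supplicant each only verify the other's certificate against that CA) can be walked through with a throwaway PKI. The script below is an added example, not part of this thread or of any product mentioned in it; it needs only the openssl command-line tool, and every name in it (the "Lab Root CA", radius.example.test, supplicant01, the "Rogue CA") is constructed for illustration. It issues a server cert and a supplicant cert from one CA, then shows that a cert carrying the same server name but issued by an unrelated CA fails verification, which is exactly the property mutual authentication relies on. Revocation (CRL/OCSP), which Paul lists among the hard parts, is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): a toy PKI showing who issues certs
# in EAP-TLS and how each side verifies the other. Requires the openssl CLI.
# All names below are constructed for illustration.
set -eu

# Scratch directory for keys and certificates (override with PKI_DIR).
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Create a self-signed root CA. Issuing certs is the CA's job, not the
# RADIUS server's; the server is just another holder of a CA-signed cert.
make_ca() {
    ca_cn="$1"; ca_file="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$PKI_DIR/$ca_file.key" -out "$PKI_DIR/$ca_file.crt" \
        -subj "/CN=$ca_cn" >/dev/null 2>&1
}

# Issue an end-entity certificate (server or supplicant) signed by a CA.
issue_cert() {
    issuer="$1"; ee_file="$2"; ee_cn="$3"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$PKI_DIR/$ee_file.key" -out "$PKI_DIR/$ee_file.csr" \
        -subj "/CN=$ee_cn" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$PKI_DIR/$ee_file.csr" \
        -CA "$PKI_DIR/$issuer.crt" -CAkey "$PKI_DIR/$issuer.key" \
        -CAcreateserial -out "$PKI_DIR/$ee_file.crt" >/dev/null 2>&1
}

# Check that a certificate chains to the CA we trust. Prints OK or FAIL.
verify_against_ca() {
    trust="$1"; cert="$2"
    if openssl verify -CAfile "$PKI_DIR/$trust.crt" \
        "$PKI_DIR/$cert.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Mutual authentication: the supplicant checks the server's cert and the
# server checks the supplicant's cert, both against the same trusted CA.
# Either check failing means the session must not be established.
mutual_auth() {
    trust="$1"; server_cert="$2"; client_cert="$3"
    s_res=$(verify_against_ca "$trust" "$server_cert")
    c_res=$(verify_against_ca "$trust" "$client_cert")
    if [ "$s_res" = OK ] && [ "$c_res" = OK ]; then echo OK; else echo FAIL; fi
}

# Build the lab: one trusted CA, one unrelated CA, and three certs.
build_lab() {
    make_ca "Lab Root CA" lab-ca
    make_ca "Rogue CA" rogue-ca
    issue_cert lab-ca radius "radius.example.test"       # the RADIUS server
    issue_cert lab-ca supplicant01 "supplicant01"        # a wireless client
    issue_cert rogue-ca imposter "radius.example.test"   # same name, wrong CA
}

build_lab
echo "radius + supplicant01 vs Lab CA: $(mutual_auth lab-ca radius supplicant01)"  # OK
echo "imposter + supplicant01 vs Lab CA: $(mutual_auth lab-ca imposter supplicant01)"  # FAIL
```

The imposter cert has the very same subject name as the real server, so a supplicant that matched on name alone would accept it; it is the signature from a CA the supplicant does not trust that makes the check fail, which is why the choice of CA and the protection of its key carry the weight in an EAP-TLS deployment.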

        -----Original Message-----
        From: mike greenberg [mailto:newbiecisco@;yahoo.com]
        Sent: Tuesday, November 05, 2002 12:20 PM
        To: Paul Forbes; [EMAIL PROTECTED]
        Cc: mike greenberg
        Subject: RE: EAP-TLS or LEAP with IPSec for wireless security [7:56934]

        Thank you, Paul, for your input. Even though we are not bound by
        HIPAA, many of our customers are in the financial sector, so we do
        have to be "security conscious".

        Quick question. I know EAP-TLS uses Certificates, so that the
        Certificate has to be generated on the RADIUS server and installed
        on the client machine. That itself takes care of Central Key
        Management, rotation, etc... because the RADIUS server generates,
        manages, changes and rotates keys per user, per session (Dynamic
        WEP), thus eliminating the need to manually manage keys. I thought
        that is the very idea of EAP-TLS....

        Supplicant(Client)-------> Authenticator(WAP)--------> Authentication Server(RADIUS)

        Does that make sense?

        Mike

         Paul Forbes wrote:

                Well, EAP-TLS is certainly more secure than LEAP for one
                very simple reason: LEAP uses NT credentials as the seed
                for the dynamic WEP key, whereas EAP-TLS uses certificates.
                Also, LEAP is a little brittle in my trials with it: to
                roam successfully between APs the NT credentials need to be
                statically entered and stored in the Aironet Client Utility.
                If you practice password rotation (which I hope you do),
                then every client is going to have to muck with their ACU
                to re-enter their NT credentials. All in all, less secure
                and less transparent than EAP-TLS.

                The problem we faced when trying to move to EAP-TLS was
                client OS support, as WinXP is currently the only OS that
                has EAP-TLS support (and PEAP for that matter, if you're
                REALLY security conscious). Yes, I know you can use Funk or
                Meetinghouse, but both of those solutions cost money on a
                per-client basis. When you have a heterogeneous client base
                (Windows 2000, WinXP, WinCE, Linux and Mac OS X), EAP-TLS
                and PEAP aren't quite there.

                One thing I am curious about is why you'd be running IPsec
                over EAP-TLS/LEAP. Are you bound by HIPAA? If not, just use
                EAP-TLS or LEAP, and the dynamic WEP keying (plus MIC, TKIP
                and broadcast key rotation) is, by all the tests and hacks
                I've seen/read, very secure.

                Good luck.

                Paul Forbes
                Network Engineer
                Trimble

                > -----Original Message-----
                > From: mike greenberg [mailto:newbiecisco@;yahoo.com]
                > Sent: Tuesday, November 05, 2002 11:21 AM
                > To: [EMAIL PROTECTED]
                > Subject: EAP-TLS or LEAP with IPSec for wireless security [7:56934]
                >
                > All,
                >
                > I am about to implement EAP-TLS and IPSec for my wireless
                > network. Basically, this wireless segment is physically
                > separated from my internal network via the firewall. It
                > means that the wireless segment will be hanging off my DMZ
                > network (called wireless DMZ because the WAP will be in the
                > wireless DMZ network). Wireless users will be required to
                > be authenticated to a RADIUS server (freeradius) before
                > being allowed to be connected to the wireless network. In
                > order to connect to the internal network or to the
                > Internet, wireless users have to make an IPSec connection
                > (via Cisco VPN client connection) to the Cisco Pix
                > firewall. At the moment, everything works great; however,
                > I have a few questions that hopefully someone in this
                > group can help with answers.
                >
                > 1) I use EAP-TLS on the freeradius server for
                > Authentication and Accounting because I know linux and
                > freeradius is free (as the name implies). I don't want to
                > use stinking Cisco ACS because it requires either Windows
                > or Solaris, which I don't like, because my freeradius
                > server is running on a Pentium 90MHz / 128MB of RAM just
                > fine. I want to spend the company wisely, especially in
                > this economy. From what I understand, EAP-TLS is an open
                > standard while LEAP is a Cisco proprietary solution, and
                > LEAP is vulnerable to "man in the middle attack" while
                > EAP-TLS is not. Now I am under pressure from
                > upper-management to migrate from EAP-TLS on Freeradius
                > over to Cisco LEAP (upper management decision). The idiot
                > executive's reason is that LEAP is more secure than
                > EAP-TLS and they already have money allocated for the
                > project. Because of this, I'll have to migrate from
                > EAP-TLS over to LEAP. Therefore, my question is: is
                > anybody using LEAP, and are you happy with it?
                >
                > 2) At the moment, my wireless network has about 10 users,
                > so running IPSec (3DES) on top of EAP-TLS is not so bad.
                > However, I am going to roll out this project for about 200
                > users, where I know the performance will suffer. Has
                > anyone done IPSec over EAP-TLS for a network with 200+
                > users, and what kind of performance issues do you have?
                >
                > I don't want to use the Cisco ACS product because it is
                > expensive and it sucks big time; however, sometimes you
                > just have to swallow your losses and move on.
                >
                > Thanks.
                >
                > Mike

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56945&t=56934
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]