Upcoming Events

Cloud Connect
Santa Clara
Feb 13-16, 2012

Cloud Connect brings together the entire cloud eco-system to better understand the transformation we're experiencing and promises to be the defining event of the cloud computing industry. Learn about the latest cloud technologies and platforms from thought leaders in Cloud Connect’s comprehensive conference.

Register Now!

W O R K S H O P

The New Face of Authentication

May 15, 2003
By By Dilip Advani

>> continued from previous page

The Alphabet Soup of Authentication

	Issue TOC
	Print full article
	Print this page
	Download as PDF
	E-Mail this URL
	Discuss this article
	Flame the author

	In this article
	Introduction
	Wirelessness
	The Alphabet Soup of Authentication

If you're taking the leap into 802.1x authentication, beware: The options can be overwhelming. There's LEAP, PEAP, TLS and TTLS, among others. So which protocol does what?

LEAP is Cisco's proprietary version of EAP (Extensible Authentication Protocol), and it uses strong challenge-password hash exchange instead of digital certificates. But Cisco has hedged its bets and joined forces with Microsoft and RSA Security to develop PEAP (Protected EAP), best known for helping prevent an attacker from injecting his or her own data or capturing clear-text user information for future attacks during the 802.1x EAP authentication process.

PEAP works in two steps. After the initial handshake between the client and access point, a TLS (Transport Layer Security) channel is created between the client and authentication server. All messages get encrypted, and the RADIUS server then authenticates the client using an EAP method--EAP-TLS or EAP-MS-CHAP (Challenge Handshake Authentication Protocol) v2.

With TTLS (Tunneled Transport Layer Security), a TLS tunnel is established and the client authentication parameters get exchanged. TLS has existed longer than TTLS, but its usage has waned because it requires extra certificates on each client.

TTLS and PEAP are similar in concept, but there are important differences: TTLS supports other EAP authentication methods and also PAP, CHAP, MS-CHAP and MS-CHAPv2, whereas PEAP can tunnel only EAP-type protocols such as EAP-TLS, EAP-MS-CHAPv2 and EAP-SIM. TTLS requires installation of client software, whereas PEAP comes ready to run in XP Service Pack 1 on the client device, for instance. TTLS is widely available and implemented, while PEAP is still new. But given PEAP's backing from Cisco, Microsoft and RSA, it's likely to emerge as the de facto authentication mechanism for 802.1x.