Wireless Authentication Protocols – CompTIA Security+ SY0-501 – 6.3

Gaining access to a wireless network may take a number of different paths. In this video, you’ll learn about the authentication protocols used to provide authentication to wireless networks.



We know that encrypting our data on a wireless network is important. But we also need a way to authenticate users to the wireless network. In this video, we’ll look at a number of different wireless authentication protocols.

EAP is a foundational authentication protocol. It stands for Extensible Authentication Protocol. And it’s more of a framework that can be used to create many different kinds of authentication. There are many RFC standards that use variants of EAP to describe how something can use a certain type of authentication. For example, WPA and WPA2 use five different EAP types as authentication mechanisms to those wireless networks.

One type is EAP-FAST. That stands for EAP Flexible Authentication via Secure Tunneling. Cisco created EAP-FAST as a way to replace the older LEAP protocol. LEAP was an authentication method used previously with Wired Equivalent Privacy (WEP), which, of course, is no longer in use. That lightweight version of EAP was replaced with a new and secure version of EAP, which was EAP-FAST.

EAP-TLS is widely used. This is EAP over Transport Layer Security, which, of course, is a very common way to encrypt traffic to web servers. And now it’s a way to encrypt the authentication method. It provides very strong security and has support across many different wireless network types. Most of the industry provides an option for EAP-TLS, and you may be using this to provide authentication to your network.

If you use your own type of authentication method, you can still use it with EAP by simply tunneling it inside of an EAP tunnel. This is EAP-TTLS, which is EAP Tunneled Transport Layer Security. You create a TLS tunnel, and then you’re able to send whatever type of authentication you like through that tunnel.

PEAP, or Protected EAP, is the Protected Extensible Authentication Protocol. It was created by Cisco, Microsoft, and RSA as a secure way of authenticating to your wireless network. PEAP encapsulates EAP into a secure tunnel. We have an encryption certificate on the server, and we send our EAP communication across that secure tunnel. You commonly see PEAP implemented as PEAPv0/EAP-MSCHAPv2. This is authenticating to a Microsoft MS-CHAPv2 database, which is very common if you’re using a Microsoft Windows network environment.

One common structure for sending these authentication requests is using IEEE 802.1X. This is port-based network access control, which means you don’t get access to the wireless network until you complete the authentication process. We commonly use 802.1X with one of those previously named authentication methods, and we are usually accessing a centralized database. That might be RADIUS, LDAP, TACACS+, or some other centralized form of name services.

There are usually three devices that are communicating with 802.1X. We have our workstation, which is called the supplicant. We have the switch, or the wireless access point that we’re communicating to, which is the authenticator. And then there may be a separate authentication server, or it may be built into the switch or the device that we’re communicating with.

The first thing we need is access to the network. But because we have not authenticated, the authenticator is not going to allow us any communication. The authenticator will see that we are trying to communicate over the network, and it will send a request asking if this is a new authentication. And this is usually sent as an EAP request.

After seeing that request, we respond back with an EAP response saying, yes, we need access to the network, and here is our username. The authenticator checks with the authentication server to validate the username. And if the username is valid, the authentication server will ask if the end user can speak privately with the authentication server.

The authenticator then sends that request down to the supplicant, and the supplicant sends the authentication credentials to the authenticator, who then passes that information through to the authentication server. If those access credentials are correct, the authentication server sends a message to the authenticator that says, now this device can gain access to the network.
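The three-party exchange described above, as an added simulation that is not part of the video: the authenticator relays identity and credentials between supplicant and authentication server, and keeps its port unauthorized (only EAPOL allowed) until the server returns EAP-Success. The `AuthServer`, `Authenticator`, `supplicant_login` names and the HMAC-based challenge/response are constructed stand-ins for RADIUS and a real EAP method such as MS-CHAPv2, not their actual wire formats.

```python
import hmac, hashlib, os

class AuthServer:
    """Back-end authentication server (constructed stand-in for RADIUS)."""
    def __init__(self, users):
        self.users = users      # constructed username -> password table
        self.pending = {}       # username -> outstanding challenge nonce

    def identity(self, username):
        # Step 2: username is valid, so ask the supplicant to prove the password
        if username not in self.users:
            return ("EAP-Failure", None)
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return ("EAP-Request/Challenge", nonce)

    def verify(self, username, response):
        # Step 3: compare the supplicant's proof against the stored password
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return "EAP-Failure"
        expected = hmac.new(self.users[username].encode(), nonce, hashlib.sha256).digest()
        return "EAP-Success" if hmac.compare_digest(expected, response) else "EAP-Failure"

class Authenticator:
    """Switch or access point: port stays unauthorized until EAP-Success."""
    def __init__(self, server):
        self.server = server
        self.port_authorized = False

    def forward_frame(self, frame):
        # Port-based access control: before authentication only EAPOL passes
        return self.port_authorized or frame == "EAPOL"

    def relay_identity(self, username):
        return self.server.identity(username)

    def relay_credentials(self, username, response):
        # The authenticator never sees the password, only the server's verdict
        result = self.server.verify(username, response)
        self.port_authorized = (result == "EAP-Success")
        return result

def supplicant_login(auth, username, password):
    """Supplicant side of the exchange; returns the final EAP result."""
    msg, nonce = auth.relay_identity(username)       # EAP-Response/Identity
    if msg == "EAP-Failure":
        return msg
    proof = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
    return auth.relay_credentials(username, proof)   # credentials via authenticator
```

A failed attempt leaves the port unauthorized, so the supplicant's data frames are still dropped until a later attempt succeeds.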

You can take this authentication method and take it one step further with federation. You can use this federation to allow someone who is a member of one organization to authenticate to the network that may be located with another organization. And they would use their normal credentials. You would not need a separate set of credentials when you went to visit a separate network.

It uses 802.1X as the authentication method. We have a RADIUS database on the back end, and we’re using EAP as the authentication method. The driver behind RADIUS Federation is eduroam, which is education roaming. If educators are visiting a campus at a different university, they would still be able to use their home credentials to gain access to this third-party network.