Wireless LAN Security Framework


Transcript of Wireless LAN Security Framework

Page 1: Wireless LAN Security Framework

Wireless LAN Security Framework

Backend AAA Infrastructure: RADIUS, TACACS+, LDAP, Kerberos

TLS, LEAP, TTLS, PEAP, MD5

VPN

EAP

PPP, 802.3, 802.5, 802.11

802.1x

EAP API

NDIS API

Page 2: Wireless LAN Security Framework

IEEE 802.1X authentication

Performs authentication in a layer above the IEEE 802.11 MAC layer

Removes all authentication processing from the IEEE 802.11 MAC

802.1X can use any EAP method installed on the client and AAA server

Methods in common use include TLS, Cisco LEAP (based on MS-CHAPv1), and Funk's Tunneled TTLS (TTLS)

Page 3: Wireless LAN Security Framework

Common EAP Methods

EAP-TLS

TLS handshake is used to mutually authenticate a client and server

EAP-TTLS extends this

Uses the secure connection established by the TLS handshake to perform additional authentication

PEAP

Similar to EAP-TTLS but only allows EAP for authentication

Also has key exchange, session resumption, fragmentation and reassembly
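
The fragmentation and reassembly mentioned on the last slide, as an added example that is not part of the original presentation: a parser for the EAP header and the flags byte shared by the TLS-based methods, with a reassembler that enforces the announced message length. The type numbers and flag bits come from the IANA EAP registry and the EAP-TLS specification, not from the slides; the function names, the 64 KiB cap and the sample packets are assumptions made for illustration.

```python
import struct

# EAP Type numbers (IANA registry) for the methods named on the slides.
EAP_METHODS = {4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}                    # share the EAP-TLS flags/fragment layout
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included, more fragments, start

def parse_eap(pkt):
    """Parse one EAP Request/Response into its header fields and payload."""
    if len(pkt) < 5:
        raise ValueError("too short for an EAP Request/Response")
    code, ident, length, mtype = struct.unpack("!BBHB", pkt[:5])
    if code not in (1, 2) or not 5 <= length <= len(pkt):
        raise ValueError("not a well-formed EAP Request/Response")
    body, flags, total = pkt[5:length], 0, None
    if mtype in TLS_BASED and body:
        flags, body = body[0], body[1:]
        if flags & FLAG_L:                  # 4-byte total TLS message length
            if len(body) < 4:
                raise ValueError("truncated TLS message length")
            total, body = struct.unpack("!I", body[:4])[0], body[4:]
    return {"id": ident, "method": EAP_METHODS.get(mtype, "type %d" % mtype),
            "flags": flags, "total": total, "data": body}

def reassemble(packets, max_total=65536):
    """Join the fragments of one TLS message, enforcing the announced length."""
    buf, total = b"", None
    for pkt in packets:
        p = parse_eap(pkt)
        if p["total"] is not None:
            if p["total"] > max_total or total not in (None, p["total"]):
                raise ValueError("bad or inconsistent TLS message length")
            total = p["total"]
        buf += p["data"]
        if len(buf) > (max_total if total is None else total):
            raise ValueError("fragments exceed announced length")
        if not p["flags"] & FLAG_M:         # last fragment has M cleared
            if total is not None and len(buf) != total:
                raise ValueError("reassembled length mismatch")
            return buf
    raise ValueError("final fragment missing")

def build(ident, mtype, flags, data, total=None):
    """Construct a sample EAP Response (test data, not captured traffic)."""
    body = bytes([mtype, flags]) + (struct.pack("!I", total) if total is not None else b"") + data
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body

# Constructed sample: a 10-byte message split across two PEAP fragments.
SAMPLE = [build(1, 25, FLAG_L | FLAG_M, b"hello", total=10), build(2, 25, 0, b"world")]
```

Bounding the buffer by the announced length and by a fixed cap keeps a peer from forcing unbounded allocation before authentication has completed.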