Tuesday, September 15, 2009

EAP

WEP
■ A lack of mutual authentication makes WEP vulnerable to rogue access points.
■ Usage of static keys makes WEP vulnerable to dictionary attacks.
■ Even with the use of an initialization vector (IV), attackers can deduce WEP keys by capturing
enough data.
■ Configuring clients with static WEP keys is not scalable.

LEAP
■ Following are the benefits of LEAP over the basic 802.11 (WEP):
■ Server-based authentication (leveraging 802.1x) using passwords, one-time tokens,
public key infrastructure (PKI) certificates, or machine IDs
■ Usage of dynamic WEP keys (also called session keys) through reauthenticating the user
periodically and negotiating a new WEP key each time (Cisco Key Integrity Protocol or
CKIP)
■ Mutual authentication between the wireless client and the RADIUS server
■ Usage of Cisco Message Integrity Check (CMIC) to protect against inductive WEP
attacks and replays

WPA
■ Authenticated key management—WPA performs authentication using either IEEE 802.1x
or preshared key (PSK) prior to the key management phase.
■ Unicast and broadcast key management—After successful user authentication, message
integrity and encryption keys are derived, distributed, validated, and stored on the client and
the AP.
■ Utilization of TKIP and MIC—Temporal Key Integrity Protocol (TKIP) and Message
Integrity Check (MIC) are both elements of the WPA standard and they secure a system
against WEP vulnerabilities such as intrusive attacks.
■ Initialization vector space expansion—WPA provides per-packet keying (PPK) via
initialization vector (IV) hashing and broadcast key rotation. The IV is expanded from 24 bits
(as in 802.11 WEP) to 48 bits.
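The two IV notes above (WEP's 24-bit IV can be exhausted by "capturing enough data"; WPA widens it to 48 bits) are easier to appreciate with numbers. The following is an added example, not part of the original notes, that computes the birthday bound for IV reuse and the time a sequential IV counter takes to wrap at an assumed packet rate; the packet rate is a constructed assumption, not a figure from the notes.

```python
import math

WEP_IV_BITS = 24   # 802.11 WEP initialization vector, as stated in the notes
WPA_IV_BITS = 48   # WPA/TKIP extended IV, as stated in the notes


def iv_space(bits):
    """Number of distinct IV values available for a given IV width."""
    return 1 << bits


def birthday_collision_prob(bits, packets):
    """Probability that at least two of `packets` randomly chosen IVs repeat.

    Uses the standard approximation 1 - exp(-k(k-1)/(2n)); a repeated IV means
    the same keystream is reused under a static key, which is what an attacker
    capturing traffic is waiting for.
    """
    n = iv_space(bits)
    if packets > n:
        return 1.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * n))


def packets_for_collision_prob(bits, p):
    """Smallest number of random IVs at which collision probability reaches p."""
    n = iv_space(bits)
    return math.ceil(math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p))))


def seconds_to_exhaust(bits, packets_per_second):
    """Time for a sequentially incremented IV to wrap around at a given packet rate."""
    return iv_space(bits) / float(packets_per_second)


def compare_iv_widths(packets_per_second=1000):
    """Side-by-side summary for the WEP and WPA IV widths.

    packets_per_second is an assumed, constructed rate for illustration.
    """
    summary = {}
    for label, bits in (("WEP", WEP_IV_BITS), ("WPA", WPA_IV_BITS)):
        summary[label] = {
            "iv_space": iv_space(bits),
            "packets_to_50pct_collision": packets_for_collision_prob(bits, 0.5),
            "hours_to_wrap": seconds_to_exhaust(bits, packets_per_second) / 3600.0,
        }
    return summary


if __name__ == "__main__":
    for label, row in compare_iv_widths().items():
        print(f"{label}: IV space={row['iv_space']:,}  "
              f"50% IV repeat after ~{row['packets_to_50pct_collision']:,} random IVs  "
              f"sequential wrap in ~{row['hours_to_wrap']:,.1f} h at 1000 pkt/s")
```

At 1000 packets per second a 24-bit sequential IV wraps in under five hours, and a random 24-bit IV has a 50% chance of repeating after only a few thousand frames; the 48-bit space pushes both figures far beyond the lifetime of any session, which is why per-packet keying plus IV expansion closes this particular WEP weakness rather than merely shrinking it.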

WPA2
■ Uses AES.
■ More CPU-intensive than WPA, mostly because of the use of AES.

EAP-FAST
■ Supports Windows single sign-on for Cisco Aironet clients and Cisco-compatible clients
■ Does not use certificates or require Public Key Infrastructure (PKI) support on client
devices
■ Provides for a seamless migration from Cisco LEAP
■ Provides full support for 802.11i, 802.1x, TKIP, and AES
■ Supports password expiration or change (Microsoft password change)

EAP-TLS
■ EAP-TLS uses the Transport Layer Security (TLS) protocol.
■ EAP-TLS uses Public Key Infrastructure (PKI).
■ EAP-TLS is one of the original EAP authentication methods, and it is used in many
environments.
■ The supported clients for EAP-TLS include Microsoft Windows 2000, XP, and CE, plus
non-Windows platforms with third-party supplicants, such as Meetinghouse.
■ One of the advantages of the Cisco and Microsoft implementation of EAP-TLS is that it is
possible to tie the Microsoft credentials of the user to that user's certificate in a
Microsoft database, which permits a single logon to a Microsoft domain.

PEAP
■ PEAP was developed by Cisco Systems, Microsoft, and RSA Security and submitted to the IETF.
■ With PEAP, only server authentication is performed using a PKI certificate.
■ PEAP works in two phases. In Phase 1, server-side authentication is performed and an
encrypted tunnel (TLS) is created. In Phase 2, the client is authenticated using either EAP-
GTC or EAP-MSCHAPv2 within the TLS tunnel.
■ PEAP-MSCHAPv2 supports single sign-on, but the Cisco PEAP-GTC supplicant does not
support single logon.
