Appendix B: Wireless Technology
137
MVP-5200i Modero® ViewPoint® Touch Panel with Intercom - Instruction Manual
EAP Characteristics
The following table outlines the differences among the various EAP Methods from most secure (at the top of the list) to the least
secure (at the bottom of the list):
EAP Communication Overview
EAP Authentication goes a step beyond just encrypting data transfers, but also requires that a set of credentials be validated before
the client (panel) is allowed to connect to the rest of the network (FIG. 89). Below is a description of this process. It is important to
note that no user intervention is necessary during this process. It proceeds automatically based on the configuration parameters
entered into the panel.
1.
The client (panel) establishes a wireless connection with the AP specified by the SSID.
2.
The AP opens up a tunnel between itself and the RADIUS server configured via the access point. This tunnel means that
packets can flow between the panel and the RADIUS server but nowhere else.
The network is protected until authentication of
the client (panel) is complete and the ID of the client is verified.
3.
The AP (Authenticator) sends an "EAP-Request/Identity" message to the panel as soon as the wireless connection becomes
active.
4.
The panel then sends a "EAP-Response/Identity" message through the AP to the RADIUS server providing its identity and
specifying which EAP type it wants to use. If the server does not support the EAP type, then it sends a failure message back to
the AP which will then disconnect the panel. As an example, EAP-FAST is only supported by the Cisco server.
5.
If the EAP type is supported, the server then sends a message back to the client (panel) indicating what information it needs.
This can be as simple as a username (
Identity
) and password or as complex as multiple CA certificates.
6.
The panel then responds with the requested information. If everything matches, and the panel provides the proper credentials,
the RADIUS server then sends a success message to the access point instructing it to allow the panel to communicate with
other devices on the network. At this point, the AP completes the process for allowing LAN Access to the panel (possibly a
restricted access based on attributes that came back from the RADIUS server).
As an example, the AP might switch the panel to a particular VLAN or install a set of farewell rules.
EAP Method Characteristics
Method:
Credential Type:
Authentication:
Pros:
Cons:
EAP-TLS
• Certificates
Certificate is based on a two-way
authentication
Highest Security Difficult to deploy
EAP-TTLS • Certificates
• Fixed Passwords
• One-time passwords (tokens)
Client authentication is done via password
and certificates
Server authentication is done via certificates
High Security
Moderately difficult to
deploy
EAP-PEAP • Certificates
• Fixed Passwords
• One-time passwords (tokens)
Client authentication is done via password
and certificates
Server authentication is done via certificates
High Security
Moderately difficult to
deploy
EAP-LEAP • Certificates
• Fixed Passwords
• One-time passwords (tokens)
Authentication is based on MS-CHAP and
MS-CHAPv2 authentication protocols
Easy deployment Susceptible to dictionary
attacks
EAP-FAST • Certificates
• Fixed Passwords
• One-time passwords (tokens)
N/A
N/A
N/A
FIG. 89
EAP security method in process
Client - Panel
(Supplicant)
802.1x
(EAP Over Wireless)
Authenticator
(Access Point)
LAN
Authentication Server
(RADIUS Server)
