Introduction to AAA Server
RADIUS Overview
Chapter 16
mechanisms. This flexibility also allows EAP to be implemented in a way (LEAP, for example)
that is more suitable for wireless and mobile environments than other authentication
protocols. EAP allows authentication to take place directly between the user and the server,
without the access device intervening as it does with CHAP.
The following EAP authentication methods can be used with the HP-UX AAA Server A.06.01:
• Transport Layer Security (TLS): Uses TLS (also known as SSL) to authenticate the
client using its digital certificate. Note: some wireless supplicants require specific
extensions to support certificates for EAP. TLS features include: Dynamic Key Exchange;
Mutual Authentication; Digital Certificate/Token Card-based Authentication; and
Encrypted Tunnelling.
• Tunneled TLS (TTLS): Can carry additional EAP or legacy authentication methods such as
PAP, MS-CHAP, and CHAP. Integrates with the widest variety of password storage
formats and existing password-based authentication systems. Wireless supplicants are
available for a large number of clients. TTLS features include: Dynamic Key Exchange;
Mutual Authentication; Password-based Authentication; and Encrypted Tunnelling.
• Protected EAP (PEAP): Functionally very similar to TTLS, but does not encapsulate
legacy authentication methods. PEAP features include: Dynamic Key Exchange; Mutual
Authentication; and Encrypted Tunnelling.
• Message Digest 5 (MD5): Passwords are hashed using the MD5 algorithm. Can be
deployed to protect access to LAN switches where the authentication traffic will not
be transmitted over airwaves. Can also be safely deployed for wireless authentication
inside EAP tunnel methods. The main feature of MD5 is Password-based Authentication.
• Lightweight EAP (LEAP): For legacy Cisco equipment only. LEAP features include:
Dynamic Key Exchange; Mutual Authentication; and Password-based Authentication.
• Generic Token Card (GTC): Carries user-specific token cards for authentication. The
main feature of GTC is Digital Certificate/Token Card-based Authentication.
• EAP MS-CHAP: Passwords are hashed using a Microsoft algorithm. Can be deployed to
protect access to LAN switches where the authentication traffic will not be transmitted
over airwaves. Can also be safely deployed for wireless authentication inside EAP tunnel
methods. EAP MS-CHAP features include Mutual Authentication and Password-based
Authentication.
RADIUS Data Packets
The Access-Request and other RADIUS data packets contain a header and a set of
attribute-value (A-V) pairs, which are used by the server during the AAA transaction. The
RADIUS RFC 2865 defines how vendors can extend the protocol. Encapsulation is the RFC
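As an added example, not taken from the HP-UX AAA Server documentation, the following Python builds a constructed Access-Request and parses it back: the 20-byte header (Code, Identifier, Length, Authenticator), the attribute-value pairs, the Vendor-Specific attribute (type 26) that RFC 2865 reserves for vendor extensions, and the RFC 2865 User-Password hiding. The shared secret, the user name and password, Vendor-Id 99999 and its sub-attribute are all constructed placeholders.

```python
import hashlib
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type reserved for vendor extensions
SECRET = b"constructed-shared-secret"  # constructed for this example, not a real secret

def user_password_xor(data, secret, authenticator, hiding):
    """RFC 2865 s5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block), seeded by the Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])  # chain on the wire bytes
    return out

def reveal_user_password(hidden, secret, authenticator):
    """Undo the hiding and strip the NUL padding RFC 2865 adds up to a 16-byte boundary."""
    return user_password_xor(hidden, secret, authenticator, False).rstrip(b"\x00")

def parse_attributes(data):
    """Walk the Type/Length/Value list, rejecting lengths that would run past the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        a_type, a_len = data[pos], (data[pos + 1] if pos + 1 < len(data) else 0)
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (a_len, pos))
        value = data[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC:  # 4-byte Vendor-Id, then vendor Type/Length/String
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("malformed Vendor-Specific attribute at offset %d" % pos)
            value = (struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]])
        attrs.append((a_type, value))
        pos += a_len
    return attrs

def parse_packet(pkt):
    """Parse the 20-byte header and the A-V pairs that follow it."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])  # struct.error if under 4 bytes
    if not 20 <= length <= len(pkt):  # bytes beyond Length are padding and must be ignored
        raise ValueError("Length %d inconsistent with %d bytes on the wire" % (length, len(pkt)))
    return {"code": code, "id": ident, "authenticator": pkt[4:20],
            "attributes": parse_attributes(pkt[20:length])}

def build_access_request(ident, authenticator, username, password):
    """Constructed Access-Request (Code 1): User-Name(1), hidden User-Password(2), one VSA(26)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = user_password_xor(padded, SECRET, authenticator, True)
    vsa = struct.pack("!I", 99999) + bytes([7, 7]) + b"const"  # placeholder Vendor-Id and sub-attribute
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
```

The length checks are where a parser must refuse malformed input: an attribute length below 2 would otherwise stall the loop, and one past the buffer would read beyond the packet. Note that the User-Password hiding only XORs against an MD5 keystream derived from the shared secret, so the strength of that secret is what protects passwords on the RADIUS hop.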