Configuring AAA for Network Users 415
Nortel WLAN Security Switch 2300 Series Configuration Guide
IEEE 802.1X Extensible Authentication Protocol Types
Extensible Authentication Protocol (EAP) is a generic point-to-point protocol that supports multiple authentication mechanisms. EAP has been adopted as a standard by the Institute of Electrical and Electronics Engineers (IEEE). IEEE 802.1X is an encapsulated form for carrying authentication messages in a standard message exchange between a user (client) and an authenticator.

Table 28 on page 415 summarizes the EAP protocols (also called types or methods) supported by WSS Software.

Table 28: EAP Authentication Protocols for Local Processing

| EAP Type | Description | Use | Considerations |
|---|---|---|---|
| EAP-MD5 (EAP with Message Digest Algorithm 5) | Authentication algorithm that uses a challenge-response mechanism to compare hashes | Wired authentication only (1) | This protocol provides no encryption or key establishment. |
| EAP-TLS (EAP with Transport Layer Security) | Protocol that provides mutual authentication, integrity-protected encryption algorithm negotiation, and key exchange. EAP-TLS provides encryption and data integrity checking for the connection. | Wireless and wired authentication. All authentication is processed on the WSS switch. | This protocol requires X.509 public key certificates on both sides of the connection. |
| PEAP-MS-CHAP-V2 (Protected EAP with Microsoft Challenge Handshake Authentication Protocol version 2) | The wireless client authenticates the server (either the WSS switch or a RADIUS server) using TLS to set up an encrypted session. Mutual authentication is performed by MS-CHAP-V2. | Wireless and wired authentication: The PEAP portion is processed on the WSS switch. The MS-CHAP-V2 portion is processed on the RADIUS server or locally, depending on the configuration. | Only the server side of the connection requires a certificate. The client needs only a username and password. |

(1) EAP-MD5 does not work with Microsoft wired authentication clients.
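
The hash comparison that Table 28 describes for EAP-MD5, shown as an added example that is not part of the Nortel guide or of WSS Software: an authenticator-side check of an MD5-Challenge Response, following the packet layout in RFC 3748 and the hash definition in RFC 1994. The function names and the sample identifier, passwords and challenge are constructed for illustration.

```python
import hashlib
import hmac
import struct

# EAP method numbers from RFC 3748 and the IANA EAP registry.
EAP_METHODS = {4: "EAP-MD5", 13: "EAP-TLS", 25: "PEAP"}
EAP_RESPONSE = 2


def parse_eap(packet: bytes):
    """Return (code, identifier, method_type, type_data) for a Request/Response."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field inconsistent with packet size")
    return code, identifier, packet[4], packet[5:length]


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Hash both sides compute: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_md5_response(packet: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator-side check of an EAP-MD5 Response against the local secret."""
    code, identifier, method, data = parse_eap(packet)
    if code != EAP_RESPONSE or method != 4:
        return False
    if len(data) < 17 or data[0] != 16:
        return False  # Value-Size must be 16, the length of an MD5 digest
    expected = md5_challenge_value(identifier, secret, challenge)
    return hmac.compare_digest(data[1:17], expected)  # constant-time compare


def build_md5_response(identifier: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """Construct a sample Response the way a client would (test input only)."""
    body = bytes([4, 16]) + md5_challenge_value(identifier, secret, challenge) + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


# Constructed sample values, not taken from the guide.
CHALLENGE = bytes(range(16))
GOOD = build_md5_response(7, b"correct-password", CHALLENGE, b"alice")
BAD = build_md5_response(7, b"wrong-password", CHALLENGE, b"alice")
```

The check yields only an accept or reject decision; nothing in the exchange produces a session key, which is the "no encryption or key establishment" consideration listed for EAP-MD5.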