
Apart from encryption, EAP-TLS has the same characteristics as TLS: the TLS handshake, with its certificate-based mutual authentication of client and server, is carried unchanged, but the TLS records are encapsulated in EAP packets instead of a TCP stream, and the session established is used only to derive keying material for the link, not to encrypt the user's traffic.
• EAP-TTLS. EAP-TTLS (tunneled TLS) was developed by Funk Software (with Certicom; RFC 5281). It proceeds in two stages, described here as two tunnels: an outer TLS tunnel is first established exactly as in EAP-TLS, except that only the server is required to present a certificate; inside that tunnel the client is then authenticated with a method left to the choice of the manufacturers (EAP-MD5, PAP, CHAP, MS-CHAPv2, and so forth), so that a legacy password exchange is protected by TLS.
• PEAP. Protected EAP is a solution proposed by Microsoft, RSA, and Cisco Systems. Like EAP-TTLS it establishes an outer TLS tunnel authenticated by the server's certificate, but the inner authentication carried through the tunnel must itself be an EAP method (in practice EAP-MSCHAPv2 or EAP-GTC) rather than a plain PAP or CHAP exchange.
• LEAP. Lightweight EAP, proposed by Cisco, is a lightweight version of the preceding solutions offering the same functionality: mutual authentication between the client and the server and dynamic management of the keys. It uses no TLS, however; its challenge/response is derived from MS-CHAP, and a captured exchange is exposed to an offline dictionary attack, which is why LEAP is no longer considered an adequate choice.
Although these solutions are based on mutual authentication between the client and the server, sometimes with an additional authentication method for secured data transport, they are not flawless. A man-in-the-middle (MitM) attack makes it possible, for example, for an attacker placed between the client and the server to capture the messages and hijack the identity of a client in order to authenticate in its place. With the tunneled methods the usual opening is a client that does not validate the server's certificate, or an inner method that is also accepted outside any tunnel without being cryptographically bound to the tunnel's keys.
To conclude, 802.1X improves the security of PLC networks by adding port-based authentication of the stations on top of the management of the NEK (Network Encryption Key), the key that secures the physical frames on the electrical network.
RADIUS (Remote Authentication Dial-In User Service)
RADIUS is a centralized user authentication and authorization protocol. Originally designed for remote access, it is now used in many environments, such as VPN gateways and Wi-Fi access points, and has become an IETF standard (RFC 2865).
Situated above layer 4 of the OSI model, it runs over UDP (port 1812 for authentication, 1813 for accounting) rather than TCP: RFC 2865 justifies this by the short request/reply exchanges and by the client's need to control retransmission and fail over to an alternate server itself. It is based on a client-server architecture in which the RADIUS client is the network access server (access point, VPN gateway, PLC bridge), not the end user's terminal.
As illustrated in Figure 4.14, the client sends the server an Access-Request carrying the connection attributes (User-Name, User-Password or CHAP-Password, NAS-IP-Address, and so on). Client and server rely on a shared secret configured on both sides and never transmitted: in the request it hides the User-Password attribute (MD5 keyed by the secret and a random 16-byte Request Authenticator), and in the reply it produces the Response Authenticator, an MD5 digest over the reply, the Request Authenticator and the secret, which the client verifies before trusting an Accept or Reject. Authenticating the request itself needs the HMAC-MD5 Message-Authenticator attribute of RFC 2869, which RFC 3579 makes mandatory when EAP is carried. When the user's method requires it (CHAP, EAP), the server answers with an Access-Challenge that the user must solve; it then checks the attributes sent by the client and the response to the challenge and returns Access-Accept if they are correct, Access-Reject otherwise.
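The shared-secret handling described above, as an added example that is not part of the book: an Access-Request is built on the client side with the User-Password hiding of RFC 2865 section 5.2, the server's reply carries the Response Authenticator, and the client checks it. The secret, user name, password and NAS address are constructed sample values, and build_reply() stands in for the RADIUS server so the exchange runs offline.

```python
"""RADIUS (RFC 2865) shared-secret handling: Access-Request construction,
User-Password hiding and Response Authenticator verification.
Added example, not the book's code; all values are constructed samples."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then 16-byte Authenticator


def attr(atype, value):
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Return [(type, value), ...] from the attribute area after the 20-byte header."""
    out, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret || previous ciphertext block); the first block is keyed with
    the Request Authenticator.  Reversible, so the server recovers the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password (server side); strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Client (NAS) side: Access-Request with a fresh random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(code, request, attrs, secret):
    """Server side: Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    so only a holder of the shared secret can produce a valid Accept/Reject/Challenge."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(reply, request, secret):
    """Client side check of a reply against the request it answers: rejects a bad
    length, an Identifier that does not match the outstanding request, an unknown
    code, and a Response Authenticator made with another secret or over tampered
    attributes (constant-time comparison)."""
    if len(reply) < 20:
        return False
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    """One constructed exchange, returning the checks a reader would want to see."""
    secret = b"constructed-shared-secret"  # configured on both NAS and server
    req = build_access_request(42, b"alice", b"correct horse", "192.0.2.10", secret)
    hidden = dict(parse_attrs(req))[USER_PASSWORD]   # what crosses the wire
    accept = build_reply(ACCESS_ACCEPT, req, attr(REPLY_MESSAGE, b"welcome"), secret)
    forged = build_reply(ACCESS_ACCEPT, req, attr(REPLY_MESSAGE, b"welcome"), b"wrong-secret")
    tampered = accept[:-7] + b"WELCOME"               # attribute changed after signing
    return {
        "password_recovered": unhide_password(hidden, secret, req[4:20]),
        "accept_ok": verify_reply(accept, req, secret),
        "forged_ok": verify_reply(forged, req, secret),
        "tampered_ok": verify_reply(tampered, req, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Note that nothing in this base exchange authenticates the Access-Request itself: a forged request with a wrong secret simply yields an unreadable password and an Access-Reject. Adding the Message-Authenticator attribute (HMAC-MD5 over the whole request with the secret as key) is what closes that gap, and it is left out here to keep the example to RFC 2865.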
IEEE 802.1x in PLC
EAPoL (EAP over LAN) is the encapsulation of EAP defined by IEEE 802.1X for Ethernet-like local area networks, Wi-Fi and PLC included. It is carried directly in Ethernet frames (EtherType 0x888E) on the link between the client terminal (the supplicant) and the access point or PLC bridge (the authenticator); the authenticator then re-encapsulates the EAP packets in RADIUS EAP-Message attributes towards the RADIUS server, so the terminal itself never speaks RADIUS.
The exchange of EAPoL messages for the authentication of a station to an access
point is illustrated in Figure 4.15.
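The EAPoL encapsulation described above, as an added example that is not the book's code: the opening frames of an 802.1X authentication on an Ethernet or PLC link (EAPoL-Start, EAP-Request/Identity, EAP-Response/Identity) are built, parsed back with the checks a receiver should make, and the EAP packet is repackaged the way the authenticator hands it to RADIUS. The MAC addresses and the identity are constructed sample values.

```python
"""EAPoL (IEEE 802.1X) and EAP (RFC 3748) framing on an Ethernet/PLC link.
Added example, not the book's code; MACs and identity are constructed samples."""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC address
EAPOL_VERSION = 2                                    # 802.1X-2004 framing
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 1, 13, 21, 25
RADIUS_EAP_MESSAGE = 79                              # RFC 3579 attribute type


def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP header Code(1) Identifier(1) Length(2), then Type and Type-Data
    for Request/Response; Success and Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eapol_frame(src, pkt_type, body=b"", dst=PAE_GROUP_ADDRESS):
    """Ethernet II header + EAPoL header Version(1) Type(1) Length(2) + body."""
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", EAPOL_VERSION, pkt_type, len(body)) + body)


def parse_eap(pkt):
    """Decode one EAP packet; a Request/Response must carry a Type byte."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    out = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without Type")
        out["type"], out["data"] = pkt[4], pkt[5:length]
    return out


def parse_eapol(frame):
    """Decode an Ethernet frame into its EAPoL fields, plus the EAP fields when
    the EAPoL type is EAP-Packet.  Bytes beyond the EAPoL Length are Ethernet
    padding and are ignored; a Length beyond the frame is rejected."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL headers")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("EtherType is not 0x888E")
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL Length exceeds the frame")
    out = {"dst": dst, "src": src, "version": version, "type": pkt_type}
    if pkt_type == EAPOL_EAP_PACKET:
        out["eap"] = parse_eap(body)
    return out


def radius_eap_message_attrs(eap_pkt):
    """What the authenticator places in its Access-Request: the EAP packet split
    into EAP-Message attributes of at most 253 bytes each (RFC 3579)."""
    chunks = (eap_pkt[i:i + 253] for i in range(0, len(eap_pkt), 253))
    return b"".join(struct.pack("!BB", RADIUS_EAP_MESSAGE, len(c) + 2) + c for c in chunks)


def identity_exchange(supplicant, authenticator, identity):
    """Opening of the 802.1X dialogue: the station asks to be authenticated,
    the authenticator asks who it is, the station answers with its identity."""
    start = eapol_frame(supplicant, EAPOL_START)
    request = eapol_frame(authenticator, EAPOL_EAP_PACKET,
                          eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY), dst=supplicant)
    response = eapol_frame(supplicant, EAPOL_EAP_PACKET,
                           eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity),
                           dst=authenticator)
    return [start, request, response]


def response_answers(request_frame, response_frame):
    """A response is only acceptable if it answers the outstanding request:
    same EAP Identifier and Type, with the Code flipped to Response."""
    req, resp = parse_eapol(request_frame)["eap"], parse_eapol(response_frame)["eap"]
    return (req["code"] == EAP_REQUEST and resp["code"] == EAP_RESPONSE
            and req["id"] == resp["id"] and req["type"] == resp["type"])


if __name__ == "__main__":
    station = bytes.fromhex("020000000001")   # constructed sample MAC addresses
    bridge = bytes.fromhex("020000000002")
    for frame in identity_exchange(station, bridge, b"alice@example.net"):
        print(parse_eapol(frame))
```

The identity sent in clear at this point is visible to anyone on the segment, which is one reason the tunneled methods (EAP-TTLS, PEAP) send an anonymous outer identity here and the real user name only inside the TLS tunnel.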