***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-implementation/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Wireless Authentication Protocols``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Wireless Authentication Protocols](#a) <br/><br/>

- [Extensible Authentication Protocol](#b) <br/><br/>
    - [``EAP``](#b) <br/><br/>
- [``802.1X``](#c) <br/><br/>
    - [Network Access Control](#c) <br/><br/>
        - [``NAC``](#c) <br/><br/>
- [``802.1X and EAP``](#d) <br/><br/>
    - [Flexible Authentication via Secure Tunneling](#e) <br/><br/>
        - [``EAP-FAST``](#e) <br/><br/>
    - [Protected Extensible Authentication Protocol](#f) <br/><br/>
        - [``PEAP``](#f) <br/><br/>
    - [``EAP-TLS``](#g) <br/><br/>
        - [Transport Layer Security](#g) <br/><br/>
    - [``EAP-TTLS``](#h) <br/><br/>
        - [EAP Tunneled Transport Layer Security](#h) <br/><br/>
- [RADIUS Federation](#i) 
<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Wireless Authentication Protocols
***

There are many different ways that you could authenticate to a wireless network, and we’ve used many of these different authentication methods on our different networks through the years.

The most common type of authentication someone would use is their username and password and it’s not unusual to add other types of authentication factors, along with the username and password.

Although we’ll sometimes use these authentication methods for wired networks, it’s very common to also see this on wireless networks. That’s mostly because wireless networks are sending and receiving into the air, and anyone who happens to be nearby with a wireless device could attempt to connect to that wireless network.

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Extensible Authentication Protocol - ``EAP``
***

Many of the types of authentication we’ll use for wireless networks are built on a standard framework called the Extensible Authentication Protocol (EAP) - there are many, many different types of authentication methods using EAP, and different manufacturers will use EAP in different ways.

In the ``Enterprise``, we commonly see EAP ``Authentication`` used in conjunction with ``802.1X``, so when you initially connect to the wireless network, you’ll be prompted for these authentication details, and the EAP framework will be used to provide that authentication confirmation behind the scenes.

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### ``802.1X`` - Network Access Control - ``NAC``
***

802.1X is also referred to as port-based Network Access Control (NAC) - this means that if you’re trying to connect to the network, you don’t gain any access to this wired or wireless network, unless you’re providing the proper credentials using 802.1X.

This almost always is using some type of centralized authentication database on the back end. When you first connect to the wireless network, you’ll be prompted with the username and password, and 802.1X will check that username and password by communicating on the back end to one of these databases. Very commonly, we would use ``RADIUS``, or ``TACACS``, or ``LDAP`` to be able to have this centralized database of usernames and passwords.

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### ``802.1X`` and ``EAP``
***

There are usually three different parts to this to 802.1X authentication - there is the ``Supplicant``, this is commonly the client that is connecting to the network - there’s the ``Authenticator``, this is the device that provides the access you need to the network and then there is this ``Centralized Authentication Server`` that is doing the validation of the username and password.

![image.png](attachment:image.png)

If you try to connect to this network for the first time from the Supplicant, the Authenticator will not provide you with any access, because you’ve not authenticated yet. 

![image.png](attachment:image.png)

The Authenticator will recognize that you’re trying to get access, and it will send an ``EAP-Request`` to the Supplicant, asking if you’d like to provide some type of authentication. 

![image.png](attachment:image.png)

The Supplicant sends a response to the Authenticator, saying yes, I’m trying to gain access to the network. 

![image.png](attachment:image.png)

The Authenticator then informs the authentication server that there’s a new person on the network who would like to authenticate.

![image.png](attachment:image.png)

The Authentication server then asks if the Supplicant is going to provide any login credentials. 

![image.png](attachment:image.png)

The Authenticator passes through that request to the Supplicant, saying, let’s provide some credentials.

![image.png](attachment:image.png)

Then the Supplicant provides username, password, and other types of authentication details.

![image.png](attachment:image.png)

The Authenticator sends that information to the Authentication Server that’s in the back end. Those credentials are checked.

![image.png](attachment:image.png)

If everything matches, a message is sent back to the authenticator that the process was successful, and that user can gain access to the network.

![image.png](attachment:image.png)

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
***
###### Flexible Authentication via Secure Tunneling - ``EAP-FAST``
***

One way of securely providing this authentication process is through a method of EAP called EAP-FAST. 

FAST stands for Flexible Authentication via Secure Tunneling - this is a way to make sure that the Authentication Server (``AS``) and the supplicant, are able to transfer information between each other over a secure tunnel.

This is accomplished with a ``Shared Secret`` referred to as a ``Protected Access Credential`` (``PAC``). 

The supplicant receives the PAC and then sets up a ``Transport Layer Security Tunnel``.

This TLS tunnel is very similar to the TLS mechanism that’s used to encrypt information within a browser. 

Once this TLS tunnel is in place, everything sent across is encrypted, and then authentication details are sent over that TLS tunnel.

It’s common to see EAP-FAST used with a ``Centralized Authentication Server``, such as ``RADIUS``, where you can have both the authentication database and EAP-FAST services running on that RADIUS server.

< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### Protected Extensible Authentication Protocol - ``PEAP``
***

Another form of an encrypted tunnel being used with EAP is called PEAP. 

That stands for a Protected Extensible Authentication Protocol, and it was created by Cisco, Microsoft, and RSA Security.

This is also using TLS to be able to send this information, but instead of it being based on a shared secret with the ``Protected Access Credential`` (``PAC``), we’re using the same method as a traditional web server by using a digital certificate - this digital certificate is only needed on the server - your clients do not need separate digital certificates to be able to use PEAP.

If you’re authenticating to a ``Microsoft Network``, then you’re probably combining ``PEAP with MS-CHAPv2`` - this is ``Microsoft’s Challenge Handshake Authentication Protocol``, and it commonly integrates with some of the Microsoft CHAP version 2 databases.

PEAP could also be used with a more generic authentication type using a ``Generic Token Card`` (``GTC``) and this can be used also with a hardware token generator to provide additional authentication.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### ``EAP-TLS`` - Transport Layer Security
***

A more secure form of EAP can be found with EAP-TLS. 

The TLS is Transport Layer Security, so we’re already performing a very strong encryption of data between our clients and our servers.

Unlike the previously described EAP implementations that did not need a digital certificate, or only needed a single digital certificate, EAP-TLS requires ``Digital Certificates`` on all devices - this is because we perform a mutual authentication when connecting to the network - once the mutual authentication is complete, a TLS tunnel is then built to send the user authentication details.

If you’ve ever managed a network where every device had its own digital certificate, you know this is not a trivial task - need a ``Public Key Infrastructure``, or a formal ``PKI``, so that you can properly, manage, deploy, and revoke any of these certificates that may be in use in your environment.

We also have to consider that some older devices may not allow for the use of digital certificates, and therefore, they would not be able to connect to the network and authenticate using EAP-TLS.

< [Table of Contents](#top) | [References](#references) >
<a id="h"></a>
***
###### ``EAP-TTLS`` - EAP Tunneled Transport Layer Security
***

Your environment may have an authentication protocol that’s not already supported by one of these other EAP types. 

In that case, you may want to run EAP-TTLS - this is a Tunneled Transport Layer Security, where you can tunnel other authentication protocols within the existing TLS tunnel.

Unlike EAP-TLS, EAP-TTLS only needs a single digital certificate on the authentication server - we don’t have to deploy separate digital certificates to all of these other devices on our network. 

Would use the digital certificate on the authentication server to be able to create and send information over this TLS tunnel.

Once this TLS tunnel is in place, we can then send other authentication protocols across that tunnel - this might be other types of EAP, it could be Microsoft’s CHAP version 2, or any other type Authentication Protocol that we’d like to use.

< [Table of Contents](#top) | [References](#references) >
<a id="i"></a>
***
###### RADIUS Federation
***

Might also use EAP in conjunction with Federation. 

Federation is when you can link a user’s identity across multiple authentication systems - this is commonly used if you’re at a third-party location, and you would like to authenticate using credentials that were created for a different location.

RADIUS Federation commonly uses ``802.1X`` as the authentication method, so you’re using EAP to authenticate, and you’re very commonly authenticating to a RADIUS server on the back end.

A common implementation of RADIUS Federation can be found with eduroam - this was built so that educators who were visiting a different campus could use their original username and password to be able to authenticate, regardless of what campus they may travel to.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END

In [1]:
from IPython.core.display import display,HTML
display(HTML("<style>.container { width:100% !important; }</style>"))

  from IPython.core.display import display,HTML


# END JUPYTER NOTEBOOK