Moxa ioLogik 2542-T [85/88] Iologik 2500 series wireless lan network setup and configuration for wireless lan models

ioLogik 2500 Series Wireless LAN Network Setup and Configuration (for wireless LAN models)
7-6
EAP-TLS
TLS is the standards-based successor to Secure Socket Layer (SSL). It can establish a trusted
communication channel over an untrusted network, and provides mutual authentication through certificate
exchange. EAP-TLS is likewise considered secure to use: the device must submit a digital certificate to the
authentication server for validation, and the authentication server must also supply its own certificate.
EAP Protocol
Setting   Description                                                              Factory Default
TLS       Specifies Transport Layer Security protocol                              TLS
TTLS      Specifies Tunneled Transport Layer Security
PEAP      Specifies Protected Extensible Authentication Protocol, or Protected EAP
EAP-TTLS
It is usually much easier to re-use existing authentication systems, such as a Windows domain or Active
Directory, LDAP directory, or Kerberos realm, rather than creating a parallel authentication system. As a
result, TTLS (Tunneled TLS) and PEAP (Protected EAP) are used to support the use of so-called “legacy
authentication methods.” TTLS and PEAP work in a similar way. First, they establish a TLS tunnel (using
EAP-TLS, for example) and validate whether the network is trustworthy using the digital certificate of the
authentication server. This step establishes a tunnel that protects the next step (or “inner” authentication), and
consequently is sometimes referred to as “outer” authentication. The TLS tunnel is then used to encrypt an
older authentication protocol that authenticates the user for the network.
As you can see, digital certificates are still needed for outer authentication, but in a simplified form: only a
small number of certificates are required, which can be generated by a small certificate authority. This
reduction in certificates makes TTLS and PEAP much more popular than EAP-TLS.
The ioLogik 2500-WL1 provides some non-cryptographic EAP methods, including PAP, CHAP, MS-CHAP,
and MS-CHAP-V2. These EAP methods are not recommended for direct use on wireless networks. However,
they may be useful as inner authentication methods with TTLS and PEAP.
Because the inner and outer authentications can use distinct user names in TTLS and PEAP, you can use an
anonymous user name for the outer authentication, with the true user name only sent through the
encrypted channel. Keep in mind that not all client software supports an anonymous outer identity. Confirm this
with the network administrator before you enable identity hiding in TTLS and PEAP.
TTLS Inner Authentication
Setting      Description                                            Factory Default
PAP          Password Authentication Protocol is used               MS-CHAP-V2
CHAP         Challenge Handshake Authentication Protocol is used
MS-CHAP      Microsoft CHAP is used
MS-CHAP-V2   Microsoft CHAP version 2 is used
Anonymous
Setting                 Description                                    Factory Default
Max. of 31 characters   A distinct name used for outer authentication  None
User name & Password
Setting                 Description                                    Factory Default
User name and password  Credentials used in inner authentication       None
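As an added example (not Moxa's code or part of this manual), the following Python function audits a set of EAP settings with the field names used in this section and reports where they depart from the guidance above: server-certificate validation for every method, a device certificate for EAP-TLS, a legacy method only inside a TTLS/PEAP tunnel, the 31-character limit on the Anonymous field, and an anonymous identity that actually differs from the inner user name. The boolean fields for certificate presence and the sample values are assumptions made for the example.

```python
# Added example (not Moxa's code): audit ioLogik 2500-WL1 style EAP settings
# against the guidance in this section. Certificate fields are assumed.
from dataclasses import dataclass

INNER_METHODS = {"PAP", "CHAP", "MS-CHAP", "MS-CHAP-V2"}  # non-cryptographic, tunnel only
TUNNELED = {"TTLS", "PEAP"}
ANON_MAX_LEN = 31  # limit of the "Anonymous" field in this section


@dataclass
class EapSettings:
    eap_protocol: str                    # "TLS" (factory default), "TTLS" or "PEAP"
    inner_auth: str = "MS-CHAP-V2"       # factory default inner method
    anonymous: str = ""                  # outer identity, sent before the tunnel exists
    user_name: str = ""                  # inner identity, sent inside the tunnel
    password: str = ""
    server_cert_validated: bool = False  # assumed: CA certificate for the RADIUS server
    client_cert_present: bool = False    # assumed: device certificate for EAP-TLS


def audit(s: EapSettings) -> list[str]:
    """Return findings; an empty list means the settings follow the guidance."""
    findings = []
    proto = s.eap_protocol.upper()
    if proto not in TUNNELED | {"TLS"}:
        return [f"unknown EAP protocol {s.eap_protocol!r}; expected TLS, TTLS or PEAP"]
    if not s.server_cert_validated:
        # Every method here relies on the authentication server's certificate;
        # without validation the tunnel says nothing about who is at the far end.
        findings.append(f"{proto}: authentication server certificate is not validated")
    if proto == "TLS":
        if not s.client_cert_present:
            findings.append("TLS: no device certificate, but EAP-TLS requires one for mutual authentication")
        return findings
    # TTLS / PEAP: a legacy method runs inside the tunnel and needs credentials.
    if s.inner_auth.upper() not in INNER_METHODS:
        findings.append(f"{proto}: unsupported inner method {s.inner_auth!r}")
    if not s.user_name or not s.password:
        findings.append(f"{proto}: inner authentication needs a user name and password")
    if len(s.anonymous) > ANON_MAX_LEN:
        findings.append(f"Anonymous: {len(s.anonymous)} characters exceeds the {ANON_MAX_LEN}-character limit")
    if not s.anonymous:
        findings.append(f"{proto}: no anonymous identity, so the true user name is sent outside the tunnel")
    elif s.anonymous == s.user_name:
        findings.append("Anonymous: identical to the inner user name, so identity hiding has no effect")
    return findings


if __name__ == "__main__":
    # Constructed sample: the recommended shape of a TTLS setup.
    ok = EapSettings("TTLS", "MS-CHAP-V2", "anonymous", "plc-07", "s3cret", server_cert_validated=True)
    print(audit(ok) or ["no findings"])
```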
