Using EAP with VoiceConsole

This section provides additional details on implementing EAP within VoiceConsole.

What is EAP?

EAP stands for Extensible Authentication Protocol.

  • EAP is a framework that defines message formatting for authentication data such as user/password or certificate information.
  • Each EAP type uses a different message format.
  • EAP is not encryption. WPA and WPA2 are the encryption standards used together with EAP, which handles authentication.

What EAP types are supported?

Five types of EAP are supported.

  • EAP-TLS: EAP-Transport Layer Security
  • EAP-TTLS/MSCHAPv2: EAP-Tunneled Transport Layer Security/Microsoft Challenge Handshake Authentication Protocol
  • PEAPv0/EAP-MSCHAPv2: Protected Extensible Authentication Protocol/Microsoft Challenge Handshake Authentication Protocol
  • PEAPv1/EAP-GTC: Protected Extensible Authentication Protocol/Generic Token Card
  • LEAP: Lightweight Extensible Authentication Protocol

The EAP configuration wizard prompts for the necessary entries for each type of EAP.

What Association Types are Supported?

An association type must be selected in the EAP configuration wizard. The types are:

  • Site: All devices loaded with EAP profiles use the same credentials. These credentials are entered in the EAP configuration wizard. LDAP is not required.
  • Device: Each device loaded with an EAP profile must have credentials entered for the device. LDAP is not required. See Change Device Credentials.
  • Operator: A device loaded with an EAP profile must load an operator for which credentials have been entered. LDAP is required. See Change Operator Credentials.

How Does it all Work?

VoiceConsole sends credentials to the Device

  • VoiceConsole gives devices the credentials needed to authenticate on the EAP network.
  • The credentials are provided in different ways depending on the EAP type used:
    • Profile loading (RF or serial, restricted user credentials for all association types)
    • Changing site-wide user credentials (site based)
    • Changing the restricted user credentials (all association types)
    • Changing device credentials (device based)
    • Loading an operator (operator based)

VoiceConsole Validates Credentials

  • If LDAP is enabled, VoiceConsole validates the credentials against the LDAP server specified in the EAP configuration wizard.
  • If LDAP is disabled, credentials are not validated through VoiceConsole.

How a Device Authenticates

  1. If LDAP is enabled, VoiceConsole validates the credentials entered into the user interface against LDAP.
  2. VoiceConsole sends the credentials to the device via an RF or serial load of the profile, a change of credentials in the VoiceConsole user interface, or an operator load.
  3. The device changes credentials.
  4. The device then attempts to connect to the EAP network through the SSID specified in the EAP profile. The SSID is configured to forward the request to, for example, the Cisco ACS or RADIUS server.
  5. The RADIUS server checks to see which LDAP server the user is to be authenticated against (not applicable to TTLS).
  6. The request is forwarded to the LDAP server.
  7. Once the device's credentials are validated by either LDAP or the RADIUS server, the device shows as authenticated with the AP.