* Avoiding off-line dictionary attacks without certificates Cisco is taking strides to mollify customers for whom neither password-based nor certificate-based Extensible Authentication Protocol types are quite the right fit for authenticating wireless users.The company recently submitted an informational draft to the Internet Engineering Task Force (IETF) for a new 802.1X EAP type called EAP-Flexible Authentication via Secure Tunneling (EAP-FAST). Cisco intends to support EAP-FAST in its products this month.Chris Bolinger, manager of product marketing in Cisco’s wireless networking business unit, hastens to note that Cisco is “not sitting around trying to think up new EAP types” – of which there are already a dizzying number.Rather, he says, the proposal has a specific purpose. It aims to create an authentication algorithm that is a hybrid between password-based EAP types like Cisco LEAP, which do not use encrypted tunnels for authentication handshaking, and certificate-based EAP types like Microsoft Protected EAP (PEAP). Certificate-based EAP types do use encrypted authentication tunnels but are more complex to deploy and manage. Cisco LEAP is vulnerable to offline dictionary attacks when strong passwords are not used. LEAP’s vulnerabilities were demonstrated at a couple of trade shows last year. Any password-based authentication algorithm that, like LEAP, uses the Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is similarly vulnerable. During offline attacks, an intruder captures the MS-CHAP challenge-response messages exchanged between user and access network. Then, the attacker tries to match these messages against those in a pre-computed dictionary to gain authentication and network access.For some organizations, it’s too difficult for users to remember the strong passwords that must be used (and rotated often) to avoid offline dictionary attacks. Yet some enterprises aren’t comfortable with having to build a certificate authority and deploy certificates to client devices for protection.EAP-FAST is an alternative that combines passwords with encrypted tunnels but with no certificates required, Bolinger says.“We can’t estimate what percentage of the wireless LAN population will want to use it,” he says. “But it’s not a ‘Cisco thing.’ EAP-FAST can run over any 802.1X-capable access point.” Related content news Broadcom to lay off over 1,200 VMware employees as deal closes The closing of VMware’s $69 billion acquisition by Broadcom will lead to layoffs, with 1,267 VMware workers set to lose their jobs at the start of the new year. By Jon Gold Dec 01, 2023 3 mins Technology Industry Mergers and Acquisitions news analysis Cisco joins $10M funding round for Aviz Networks' enterprise SONiC drive Investment news follows a partnership between the vendors aimed at delivering an enterprise-grade SONiC offering for customers interested in the open-source network operating system. By Michael Cooney Dec 01, 2023 3 mins Network Management Software Network Management Software Network Management Software news Cisco CCNA and AWS cloud networking rank among highest paying IT certifications Cloud expertise and security know-how remain critical in building today’s networks, and these skills pay top dollar, according to Skillsoft’s annual ranking of the most valuable IT certifications. Demand for talent continues to outweigh s By Denise Dubie Nov 30, 2023 7 mins Certifications Certifications Certifications news Mainframe modernization gets a boost from Kyndryl, AWS collaboration Kyndryl and AWS have expanded their partnership to help enterprise customers simplify and accelerate their mainframe modernization initiatives. By Michael Cooney Nov 30, 2023 4 mins Mainframes Cloud Computing Data Center Podcasts Videos Resources Events NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe