Capwap Mailing List: Re: Certificates, Discovery Request/Reply, and validation.

[Alper Yegin (alper]

>         Phase2:
>                 Mutual Authentication with Selected ARs (try out all ARs)
>                 Here, we can use EAP method.
>                 If EAP-TLS, EAP-TTLS or EAP-PEAP is used, then session key
>                    can be generated for ciphering and per-packet
> authentication.
>                 In case of EAP-MD5, static key can be used.

...

>         For phase2:
>               PANA seems to be defining physical/link layer independent
> authentication mechanism.
>               That might be suitable here. Comments?

In the current deployments the security between the AP and AR relies on
physical measures. As I understand, we don't want to make this assumption in
here. In that case, yes, PANA can be used for authentication and
authorization between the APs and ARs. By using an appropriate EAP method
(e.g., EAP-TLS) cryptographic keys can be produced that are used to
establish a protected channel between AP and AR. This ensures all the
signaling and data traffic is secured.

Alper