Re: PEAP-TLS vs EAP-TLS



EAP-TLS is the strongest but requires that the client user and computer both
have the proper certificates.

http://www.microsoft.com/downloads/details.aspx?FamilyID=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en
http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx ---
Windows WIFI center

EAP-TLS Authentication
EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in
certificate-based security environments. If you are using smart cards for
remote access authentication, you must use the EAP-TLS authentication
method. The EAP-TLS exchange of messages provides mutual authentication,
integrity-protected cipher suite negotiation, and secured private key
exchange and determination between the access client and the authenticating
server. EAP-TLS provides the strongest authentication method. EAP-TLS is
described in RFC 2716.

I believe that PEAP-TLS is what you are referring to when MS-CHAP v2 is also
used for 802.1X. It does not require that the client user/computer use
certificates for authentication, only that the IAS server does, to set up
the TLS secure channel.

I would forget using either for a wired network and instead use IPsec with
guidance from the IPsec domain isolation guide as shown in the link below.
802.1X for wired networks only authenticates the computer to allow access to
a switch port but does nothing after that. IPsec can make sure that the
computer-to-computer traffic is authenticated and also encrypted and checked
for integrity using ESP/AH. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

http://support.microsoft.com/?kbid=254949 --- important consideration for
IPsec deployment


"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C41CBEB3-CBD1-44B2-BF70-34D9A217CA66@xxxxxxxxxxxxxxxx
Hi all,

I'm a security newbie, but I've done some research, mostly Microsoft docs.

Most of the docs say that EAP-TLS is more secure than PEAP-MS-CHAP v2, but
then say that PEAP is more secure than EAP because under EAP the
authentication process is not encrypted. I see there is a PEAP-TLS protocol
available, but it's not mentioned in the list of what's most secure.

I'm looking for a protocol that can be used for both wired/wireless networks.

So, my questions are:

1) Is EAP-TLS really more secure than PEAP-MS-CHAP v2?

2) Is there a reason not to use PEAP-TLS?

3) Is PEAP-TLS more secure than EAP-TLS?

Thanks for any help,
Steve

