Re: PEAP-TLS vs EAP-TLS

---

• From: mobilemobile <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Tue, 6 Jun 2006 12:51:01 -0700

---

Thanks for your reply, Steve.

Here's a snip from
http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx:

"Protected EAP (PEAP) is an authentication method that uses TLS to enhance
the security of other EAP authentication methods. PEAP for Microsoft 802.1X
Authentication Client provides support for TLS (PEAP-TLS), which uses
certificates for both server authentication and client authentication; and
Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP
v2), which uses certificates for server authentication and password-based
credentials for client authentication."

I think this means that there's a PEAP-TLS that's separate from EAP-TLS and
PEAP-MS-CHAP v2, but there seems to be very little (or none) discussion about
the benefits of PEAP-TLS relative to EAP-TLS.

Steve

"Steven L Umbach" wrote:

I forgot to answer one of your questions. Since EAP-TLS requires that
computer and user have certificates then you can also control what computers
can access your wireless network - those that have computer certificates.
You can't do that with PEAP-TLS if that is a concern. The user only needs
credentials to access the wireless network and to trust the certificate on
the IAS server. --- Steve


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ejOJsYYiGHA.3848@xxxxxxxxxxxxxxxxxxxxxxx

EAP-TLS is the strongest but requires that the client user and computer
both have the proper certificates.

http://www.microsoft.com/downloads/details.aspx?FamilyID=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en

tp://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx ---
Windows WIFI center

EAP-TLS Authentication
EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in
certificate-based security environments. If you are using smart cards for
remote access authentication, you must use the EAP-TLS authentication
method. The EAP-TLS exchange of messages provides mutual authentication,
integrity-protected cipher suite negotiation, and secured private key
exchange and determination between the access client and the
authenticating server. EAP-TLS provides the strongest authentication
method. EAP-TLS is described in RFC 2716.

I believe that PEAP-TLS is what you are referring to when mschapv2 is also
used for 802.1X. It does not require that the client user/computer use
certificates for authentication but that only the IAS server does to set
up the TLS secure channel.

I would forget using either for wired network but instead use ipsec with
guidance from the ipsec domain isolation guide as shown in the link below.
802.1X for wired networks only authenticates the computer to allow access
to a switch port but does nothing after that. Ipsec can make sure that the
computer to computer traffic is authenticated and also encrypted and
checked for integrity using ESP/AH. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

http://support.microsoft.com/?kbid=254949 --- important consideration for
ipsec deployment


"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C41CBEB3-CBD1-44B2-BF70-34D9A217CA66@xxxxxxxxxxxxxxxx

Hi all,

I'm a security newbie, but I've done some research, mostly Microsoft
docs.

Most of the docs say that EAP-TLS is more secure than PEAP-MS-CHAP v2,
but
then say that PEAP is more secure than EAP because under EAP the
authentication process is not encrypted. I see there is a PEAP-TLS
protocol
available, but it's not mentioned in the list of what's most secure.

I'm looking for a protocol that can be used for both wired/wireless
networks.

So, my questions are:

1) Is EAP-TLS really more secure than PEAP-MS-CHAP v2?

2) Is there a reason not to use PEAP-TLS?

3) Is PEAP-TLS more secure than EAP-TLS?

Thanks for any help,
Steve

.

---

• Follow-Ups:
  • Re: PEAP-TLS vs EAP-TLS
    • From: Steven L Umbach

• References:
  • Re: PEAP-TLS vs EAP-TLS
    • From: Steven L Umbach
  • Re: PEAP-TLS vs EAP-TLS
    • From: Steven L Umbach

• Prev by Date: pwdump2
• Next by Date: Re: pwdump2
• Previous by thread: Re: PEAP-TLS vs EAP-TLS
• Next by thread: Re: PEAP-TLS vs EAP-TLS
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: PEAP-TLS vs EAP-TLS ... MSCHAPV2 will not be used and then maybe that would be PEAP-TLS. ... select authentication method there are two choices - secured password ... certificates for both server authentication and client authentication; ... I think this means that there's a PEAP-TLS that's separate from EAP-TLS ... (microsoft.public.windows.server.security) Re: PEAP-TLS vs EAP-TLS ... Yes there could be a concern if an authentication method like MSCHAPV2 was ... used without TLS. ... However with EAP-TLS certificates are used ... EAP with EAP-TLS. ... (microsoft.public.windows.server.security) Re: EAP VPN PPC 2003 ... >> to get the VPN client configured to use that certificate in EAP ... PPC2003 supports PEAP and EAP-TLS. ... point authentication, and not VPN authentication via RADIUS (utilizing the ... (microsoft.public.pocketpc.wireless) Re: PEAP-TLS vs EAP-TLS ... EAP-TLS Authentication ... certificate-based security environments. ... remote access authentication, you must use the EAP-TLS authentication ... the TLS secure channel. ... (microsoft.public.windows.server.security) Re: PEAP-TLS vs EAP-TLS ... The documentation is correct in the order of being most secure though most ... confusing here is that EAP and EAP-TLS are not the same. ... does not allow authentication to be done in clear text. ... Take a look at "Securing Wireless LANs with Certificate Services" ... (microsoft.public.windows.server.security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windows.server.security  > 2006-06