Re: PEAP-TLS vs EAP-TLS
- From: Guy Teverovsky <guyt@xxxxxxxxxxxxx>
- Date: Fri, 9 Jun 2006 08:58:01 -0700
Steve, there are two versions of PEAP. In general, PEAP uses TLS for server
authentication and tunnels another authentication protocol inside the TLS
session.
PEAP-MS-CHAPv2 uses TLS for server authentication (the RADIUS server requires a
cert) and a user/password pair for client authentication.
What you refer to as PEAP-TLS is referred to in Microsoft documentation as "PEAP
with digital certificates", and it uses certs for BOTH server and client
authentication, while another TLS session (client authentication) is tunneled
inside the original TLS session used for server (RADIUS) authentication.
In fact PEAP with digital certificates is very similar to EAP-TLS from the
security and usability point of view. The major difference is the fact that
when using PEAP with digital certificates for user authentication you can use
some Microsoft specific extensions/features.
--
Smith & Wesson - the original point and click interface
http://guy.netguru.co.il
"Steven L Umbach" wrote:
In my opinion that part of the article is wrong and I believe it is
referring to EAP-TLS when it talks about certificates for BOTH user and
computer. TLS is used when the user uses MSCHAPV2 for authentication which
is why the IAS server needs a certificate so that the wireless client can
set up the secure TLS tunnel before the user authenticates. The article in
the link below may shed some light on the subject. I believe that PEAP can
be referred to as both PEAP-TLS and PEAP-MSCHAPV2 though if the user uses
PEAP and a user certificate/smart card instead of user credentials then
MSCHAPV2 will not be used and then maybe that would be PEAP-TLS. You will
see that when you configure 802.1x on a computer as you go to the adapters
network properties/authentication and select PEAP and then go to properties
select authentication method there are two choices - secured password
(EAP-MSCHAPV2) or smart card or other certificate. --- Steve
http://www.microsoft.com/technet/itsolutions/network/wifi/peap.mspx
"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:310B6CA6-7E0B-4C4A-8D70-4A3CDFE27F49@xxxxxxxxxxxxxxxx
Thanks for your reply, Steve.
Here's a snip from
http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx:
"Protected EAP (PEAP) is an authentication method that uses TLS to enhance
the security of other EAP authentication methods. PEAP for Microsoft 802.1X
Authentication Client provides support for TLS (PEAP-TLS), which uses
certificates for both server authentication and client authentication; and
Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP
v2), which uses certificates for server authentication and password-based
credentials for client authentication."
I think this means that there's a PEAP-TLS that's separate from EAP-TLS and
PEAP-MS-CHAP v2, but there seems to be very little (or no) discussion about
the benefits of PEAP-TLS relative to EAP-TLS.
Steve
"Steven L Umbach" wrote:
I forgot to answer one of your questions. Since EAP-TLS requires that
computer and user have certificates then you can also control what computers
can access your wireless network - those that have computer certificates.
You can't do that with PEAP-TLS if that is a concern. The user only needs
credentials to access the wireless network and to trust the certificate on
the IAS server. --- Steve
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ejOJsYYiGHA.3848@xxxxxxxxxxxxxxxxxxxxxxx
EAP-TLS is the strongest but requires that the client user and computer
both have the proper certificates.
http://www.microsoft.com/downloads/details.aspx?FamilyID=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en
http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx --- Windows WIFI center
EAP-TLS Authentication
EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in
certificate-based security environments. If you are using smart cards for
remote access authentication, you must use the EAP-TLS authentication
method. The EAP-TLS exchange of messages provides mutual authentication,
integrity-protected cipher suite negotiation, and secured private key
exchange and determination between the access client and the
authenticating server. EAP-TLS provides the strongest authentication
method. EAP-TLS is described in RFC 2716.
I believe that PEAP-TLS is what you are referring to when mschapv2 is also
used for 802.1X. It does not require that the client user/computer use
certificates for authentication but that only the IAS server does to set
up the TLS secure channel.
I would forget using either for wired network but instead use ipsec with
guidance from the ipsec domain isolation guide as shown in the link below.
802.1X for wired networks only authenticates the computer to allow access
to a switch port but does nothing after that. Ipsec can make sure that the
computer to computer traffic is authenticated and also encrypted and
checked for integrity using ESP/AH. --- Steve
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
http://support.microsoft.com/?kbid=254949 --- important consideration for
ipsec deployment
"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C41CBEB3-CBD1-44B2-BF70-34D9A217CA66@xxxxxxxxxxxxxxxx
Hi all,
I'm a security newbie, but I've done some research, mostly Microsoft docs.
Most of the docs say that EAP-TLS is more secure than PEAP-MS-CHAP v2, but
then say that PEAP is more secure than EAP because under EAP the
authentication process is not encrypted. I see there is a PEAP-TLS protocol
available, but it's not mentioned in the list of what's most secure.
I'm looking for a protocol that can be used for both wired/wireless networks.
So, my questions are:
1) Is EAP-TLS really more secure than PEAP-MS-CHAP v2?
2) Is there a reason not to use PEAP-TLS?
3) Is PEAP-TLS more secure than EAP-TLS?
Thanks for any help,
Steve