Re: PEAP-TLS vs EAP-TLS
- From: Guy Teverovsky <guyt@xxxxxxxxxxxxx>
- Date: Fri, 9 Jun 2006 22:02:01 -0700
and did not know that PEAP-TLS requires a computer certificate
also on the client computer.
Maybe I was not quite clear. When using PEAP (either MSCHAPv2 or digital
certs/smart card) you have a choice to authenticate either as user account
(the user logged on) or as computer (you authenticate the computer and let
any user logged on to use the link).
When using PEAP-MSCHAPv2 the only certificate required on the client is the
certificate chain of the CA that issued the RADIUS server certificate - no
client certificate is required.
When using PEAP-TLS, and authenticating as user, the user account needs to
have a client certificate (the computer does not).
When authenticating as computer, the computer needs to have a client
certificate (the user does not).
Guy
--
Smith & Wesson - the original point and click interface
http://guy.netguru.co.il
"Steven L Umbach" wrote:
Thanks for clarifying that. I was under the impression that PEAP-TLS was.
using PEAP and that the user authenticated with smart card or user
certificate and did not know that PEAP-TLS requires a computer certificate
also on the client computer. --- Steve
"Guy Teverovsky" <guyt@xxxxxxxxxxxxx> wrote in message
news:901426F1-1C12-47FC-BAEB-A38922F10F76@xxxxxxxxxxxxxxxx
Steve, there two versions of PEAP. In general, PEAP uses TLS for server
authentication and tunnels another authentication protocol inside the TLS
session.
PEAP-MS-CHAPv2 uses TLS for server authentication (Radius server requires
a
cert) and user/password pair for client authentication.
What you reffer as PEAP-TLS in Microsoft documentation is reffered as
"PEAP
with digital certificates" and it uses certs for BOTH server and client
authentication, while another TLS session (client authentication) is
tunneled
in side original TLS session used for server (RADIUS) authentication.
In fact PEAP with digital certificates is very similar to EAP-TLS from the
security and usability point of view. The major difference is the fact
that
when using PEAP with digital certificates for user authentication you can
use
some Microsoft specific extensions/features.
--
Smith & Wesson - the original point and click interface
http://guy.netguru.co.il
"Steven L Umbach" wrote:
In my opinion that part of the article is wrong and I believe it is
referring to EAP-TLS when it talks about certificates for BOTH user and
computer. TLS is used when the user uses MSCHAPV2 for authentication
which
is why the IAS server needs a certificate so that the wireless client can
set up the secure TLS tunnel before the user authenticates. The article
in
the link below may shed some light on the subject. I believe that PEAP
can
be referred to as both PEAP-TLS and PEAP-MSCHAPV2 though if the user uses
PEAP and a user certificate/smart card instead of user credentials then
MSCHAPV2 will not be used and then maybe that would be PEAP-TLS. You
will
see that when you configure 802.1x on a computer as you go to the
adapters
network properties/authentication and select PEAP and then go to
properties
select authentication method there are two choices - secured password
(EAP-MSCHAPV2) or smart card or other certificate. --- Steve
http://www.microsoft.com/technet/itsolutions/network/wifi/peap.mspx
"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:310B6CA6-7E0B-4C4A-8D70-4A3CDFE27F49@xxxxxxxxxxxxxxxx
Thanks for your reply, Steve.
Here's a snip from
http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx:
"Protected EAP (PEAP) is an authentication method that uses TLS to
enhance
the security of other EAP authentication methods. PEAP for Microsoft
802.1X
Authentication Client provides support for TLS (PEAP-TLS), which uses
certificates for both server authentication and client authentication;
and
Microsoft Challenge Handshake Authentication Protocol version 2
(PEAP-MS-CHAP
v2), which uses certificates for server authentication and
password-based
credentials for client authentication."
I think this means that there's a PEAP-TLS that's separate from EAP-TLS
and
PEAP-MS-CHAP v2, but there seems to be very little (or none) discussion
about
the benefits of PEAP-TLS relative to EAP-TLS.
Steve
"Steven L Umbach" wrote:
I forgot to answer one of your questions. Since EAP-TLS requires that
computer and user have certificates then you can also control what
computers
can access your wireless network - those that have computer
certificates.
You can't do that with PEAP-TLS if that is a concern. The user only
needs
credentials to access the wireless network and to trust the
certificate
on
the IAS server. --- Steve
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ejOJsYYiGHA.3848@xxxxxxxxxxxxxxxxxxxxxxx
EAP-TLS is the strongest but requires that the client user and
computer
both have the proper certificates.
http://www.microsoft.com/downloads/details.aspx?FamilyID=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en
/www.microsoft.com/technet/itsolutions/network/wifi/default.mspx ---
Windows WIFI center
EAP-TLS Authentication
EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used
in
certificate-based security environments. If you are using smart
cards
for
remote access authentication, you must use the EAP-TLS
authentication
method. The EAP-TLS exchange of messages provides mutual
authentication,
integrity-protected cipher suite negotiation, and secured private
key
exchange and determination between the access client and the
authenticating server. EAP-TLS provides the strongest authentication
method. EAP-TLS is described in RFC 2716.
I believe that PEAP-TLS is what you are referring to when mschapv2
is
also
used for 802.1X. It does not require that the client user/computer
use
certificates for authentication but that only the IAS server does to
set
up the TLS secure channel.
I would forget using either for wired network but instead use ipsec
with
guidance from the ipsec domain isolation guide as shown in the link
below.
802.1X for wired networks only authenticates the computer to allow
access
to a switch port but does nothing after that. Ipsec can make sure
that
the
computer to computer traffic is authenticated and also encrypted and
checked for integrity using ESP/AH. --- Steve
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
http://support.microsoft.com/?kbid=254949 --- important
consideration
for
ipsec deployment
"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:C41CBEB3-CBD1-44B2-BF70-34D9A217CA66@xxxxxxxxxxxxxxxx
Hi all,
I'm a security newbie, but I've done some research, mostly
Microsoft
docs.
Most of the docs say that EAP-TLS is more secure than PEAP-MS-CHAP
v2,
but
then say that PEAP is more secure than EAP because under EAP the
authentication process is not encrypted. I see there is a PEAP-TLS
protocol
available, but it's not mentioned in the list of what's most
secure.
I'm looking for a protocol that can be used for both wired/wireless
networks.
So, my questions are:
1) Is EAP-TLS really more secure than PEAP-MS-CHAP v2?
2) Is there a reason not to use PEAP-TLS?
3) Is PEAP-TLS more secure than EAP-TLS?
Thanks for any help,
Steve
- Follow-Ups:
- Re: PEAP-TLS vs EAP-TLS
- From: Steven L Umbach
- Re: PEAP-TLS vs EAP-TLS
- References:
- Re: PEAP-TLS vs EAP-TLS
- From: Steven L Umbach
- Re: PEAP-TLS vs EAP-TLS
- From: Steven L Umbach
- Re: PEAP-TLS vs EAP-TLS
- From: mobilemobile
- Re: PEAP-TLS vs EAP-TLS
- From: Steven L Umbach
- Re: PEAP-TLS vs EAP-TLS
- From: Guy Teverovsky
- Re: PEAP-TLS vs EAP-TLS
- From: Steven L Umbach
- Re: PEAP-TLS vs EAP-TLS
- Prev by Date: Re: Question on passwords
- Next by Date: Re: PEAP-TLS vs EAP-TLS
- Previous by thread: Re: PEAP-TLS vs EAP-TLS
- Next by thread: Re: PEAP-TLS vs EAP-TLS
- Index(es):
Relevant Pages
|
