Re: PEAP-TLS vs EAP-TLS
Steve,

Take a look at the "Securing Wireless LANs with Certificate Services" solution:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en
It covers the deployment of PEAP with digital certificates (what you are referring to as PEAP-TLS).

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx?mfr=true also has some useful links that cover the topic.

I remember I too was having a hard time digging through the docs, but the moment you know the title of what you are looking for, Google is right on the nail ;)

Guy
--
Smith & Wesson - the original point and click interface
http://guy.netguru.co.il


"Steven L Umbach" wrote:

Whew. Thanks again.

My interest was piqued by this whole thread and I spent a bit of time reading Microsoft documentation trying to get this whole thing clear in my head. There is little reference and nothing I could find on deploying PEAP-TLS, as MS docs pretty much all were about PEAP-MSCHAPV2 or generally referred to it just as PEAP. For the benefit of the OP I would say that PEAP-MSCHAPV2 can be very secure assuming best practices are being followed for enforcing complex passwords and users take reasonable steps to protect their passwords. Of course user certificate authentication used in PEAP-TLS, when properly configured, will have an advantage over password authentication in that an attacker could not authenticate as the user even knowing the user's password if a user certificate was required, though the attacker certainly could do damage via a non-wireless logon if that was possible. Using smart cards and requiring their use for logon would mitigate password risk in any case. Reading back, I think the original confusion was about PEAP being more secure than EAP for wireless, which it is, but when compared to EAP-TLS [not to be confused with EAP] they both use a secure channel to the IAS server for user authentication. --- Steve


"Guy Teverovsky" <guyt@xxxxxxxxxxxxx> wrote in message
news:9D92E129-C39D-436B-9284-8DBE6571097F@xxxxxxxxxxxxxxxx
and did not know that PEAP-TLS requires a computer certificate also on the client computer.

Maybe I was not quite clear. When using PEAP (either MSCHAPv2 or digital certs/smart card) you have a choice to authenticate either as user account (the user logged on) or as computer (you authenticate the computer and let any user logged on use the link).

When using PEAP-MSCHAPv2 the only certificate required on the client is the certificate chain of the CA that issued the RADIUS server certificate - no client certificate is required.

When using PEAP-TLS, and authenticating as user, the user account needs to have a client certificate (the computer does not).
When authenticating as computer, the computer needs to have a client certificate (the user does not).

Guy
--
Smith & Wesson - the original point and click interface
http://guy.netguru.co.il


"Steven L Umbach" wrote:

Thanks for clarifying that. I was under the impression that PEAP-TLS was using PEAP and that the user authenticated with smart card or user certificate, and did not know that PEAP-TLS requires a computer certificate also on the client computer. --- Steve


"Guy Teverovsky" <guyt@xxxxxxxxxxxxx> wrote in message
news:901426F1-1C12-47FC-BAEB-A38922F10F76@xxxxxxxxxxxxxxxx
Steve, there are two versions of PEAP. In general, PEAP uses TLS for server authentication and tunnels another authentication protocol inside the TLS session.

PEAP-MS-CHAPv2 uses TLS for server authentication (the RADIUS server requires a cert) and a user/password pair for client authentication.

What you refer to as PEAP-TLS is referred to in Microsoft documentation as "PEAP with digital certificates", and it uses certs for BOTH server and client authentication, while another TLS session (client authentication) is tunneled inside the original TLS session used for server (RADIUS) authentication.

In fact PEAP with digital certificates is very similar to EAP-TLS from the security and usability point of view. The major difference is the fact that when using PEAP with digital certificates for user authentication you can use some Microsoft-specific extensions/features.

--
Smith & Wesson - the original point and click interface
http://guy.netguru.co.il


"Steven L Umbach" wrote:

In my opinion that part of the article is wrong and I believe it is referring to EAP-TLS when it talks about certificates for BOTH user and computer. TLS is used when the user uses MSCHAPV2 for authentication, which is why the IAS server needs a certificate so that the wireless client can set up the secure TLS tunnel before the user authenticates. The article in the link below may shed some light on the subject. I believe that PEAP can be referred to as both PEAP-TLS and PEAP-MSCHAPV2, though if the user uses PEAP and a user certificate/smart card instead of user credentials then MSCHAPV2 will not be used, and then maybe that would be PEAP-TLS. You will see that when you configure 802.1x on a computer, as you go to the adapter's network properties/authentication and select PEAP and then go to properties and select authentication method, there are two choices - secured password (EAP-MSCHAPV2) or smart card or other certificate. --- Steve

http://www.microsoft.com/technet/itsolutions/network/wifi/peap.mspx

"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:310B6CA6-7E0B-4C4A-8D70-4A3CDFE27F49@xxxxxxxxxxxxxxxx
Thanks for your reply, Steve.

Here's a snip from
http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx:

"Protected EAP (PEAP) is an authentication method that uses TLS to enhance the security of other EAP authentication methods. PEAP for Microsoft 802.1X Authentication Client provides support for TLS (PEAP-TLS), which uses certificates for both server authentication and client authentication; and Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), which uses certificates for server authentication and password-based credentials for client authentication."

I think this means that there's a PEAP-TLS that's separate from EAP-TLS and PEAP-MS-CHAP v2, but there seems to be very little (or no) discussion about the benefits of PEAP-TLS relative to EAP-TLS.

Steve

"Steven L Umbach" wrote:

I forgot to answer one of your questions. Since EAP-TLS requires that computer and user have certificates, then you can also control what computers can access your wireless network - those that have computer certificates. You can't do that with PEAP-TLS if that is a concern. The user only needs credentials to access the wireless network and to trust the certificate on the IAS server. --- Steve


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:ejOJsYYiGHA.3848@xxxxxxxxxxxxxxxxxxxxxxx
EAP-TLS is the strongest but requires that the client user and computer both have the proper certificates.

http://www.microsoft.com/downloads/details.aspx?FamilyID=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en




ww.microsoft.com/technet/itsolutions/network/wifi/default.mspx
---
Windows WIFI center

EAP-TLS Authentication
EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in certificate-based security environments. If you are using smart cards for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS exchange of messages provides mutual authentication, integrity-protected cipher suite negotiation, and secured private key exchange and determination between the access client and the authenticating server. EAP-TLS provides the strongest authentication method. EAP-TLS is described in RFC 2716.

I believe that PEAP-TLS is what you are referring to when mschapv2 is also used for 802.1X. It does not require that the client user/computer use certificates for authentication but only that the IAS server does to set up the TLS secure channel.

I would forget using either for wired network but instead use ipsec with guidance from the ipsec domain isolation guide as shown in the link below. 802.1X for wired networks only authenticates the computer to allow access to a switch port but does nothing after that. Ipsec can make sure that the computer to computer traffic is authenticated and also encrypted and checked for integrity using ESP/AH. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

http://support.microsoft.com/?kbid=254949 --- important consideration for ipsec deployment


"mobilemobile" <mobilemobile@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:C41CBEB3-CBD1-44B2-BF70-34D9A217CA66@xxxxxxxxxxxxxxxx
Hi all,

I'm a security newbie, but I've done some research, mostly Microsoft docs.

Most of the docs say that EAP-TLS is more secure than PEAP-MS-CHAP v2, but then say that PEAP is more secure than EAP because under EAP the authentication process is not encrypted. I see there is a PEAP-TLS protocol available, but it's not mentioned in the list of what's most secure.

I'm looking for a protocol that can be used for both wired/wireless networks.

So, my questions are:

1) Is EAP-TLS really more secure than PEAP-MS-CHAP v2?

2) Is there a reason not to use PEAP-TLS?

3) Is PEAP-TLS more secure than EAP-TLS?

Thanks for any help,
Steve
