Understanding EAP methods

Hello experts,

What is the difference between EAP-TLS and PEAP?

Long story short: we use certificates to authenticate wireless clients. They have to be members of AD, and we use computer/machine certs/auth for this setup, and it works great.

The EAP method we use here for Windows is PEAP with MSCHAPv2.

We recently added Apple macbooks to this mix, and it also works great, but only if we use EAP-TLS.
(When you look at the connection profile for the Mac, in Screenshot #1, you won't see EAP-TLS; instead you see "Smart Card or Other Cert". Once I added that, the connection started working, and Apple OS X reports it's using EAP-TLS.)

It took me a while to figure it out, and I only got it working after I added "Smart Card or other Certificate" in addition to PEAP for the EAP method on our Network Policy Server.

Screenshot #1: SS1.png (we have a separate policy for Windows clients, see the second screenshot)
Screenshot #2: SS2.png

How come I need this extra bit for the Macs to get on the RADIUS with machine auth?

What is the major difference between these two methods?
Asked by cschmidt5
DarinTCH (Senior CyberSecurity Engineer) commented:
Hmm, where do I start?
Do you have an internal CA that issues certificates?

If not, many tend to go PEAP and purchase a cert as needed; it seems slightly simpler.
Also, MS recommends PEAP: http://technet.microsoft.com/library/bb726967

I also found that Mac seems to like TLS better.

TLS demands a cert on client and server sides, X.509 ONLY.
- PEAP client-side cert is optional and can use other authentication mechanisms.
TLS uses the cert to secure communication (both ways); PEAP has 2 channels of communication.
TLS does not secure/protect client identity; PEAP does by securing the channel and using a TLS tunnel, BUT it is still PASSWORD and username, which can be discovered and impacted with over-the-shoulder and social engineering.

I liked this reference for TLS vs PEAP:
http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf

cschmidt5 (Author) commented:
Thank you for your reply. I agree with the "where do I start"; that is how I felt trying to phrase this question.

Also, my environment works; I am just trying to understand some more about it.

"do you have an internal CA that issues certificates?"
- Yes we do, it is a Microsoft CA, running on Server 2008.

Macs request their cert via RPC with a prebuilt config profile. They must be bound to AD before this will work.

There is a caveat to the comment "PEAP does by securing the channel and using a TLS tunnel - BUT it is still PASSWORD and username - can be discovered and impacted with over the shoulder and social engineering":

Our Windows clients are using PEAP; however, no interactive logon action is required, as we are using machine auth, so AD/group policy handles the exchange of credentials, thus over-the-shoulder/social engineering will not work. When I say machine auth, PEAP is using the Active Directory computer account and its password, generally unknown to people, and never typed.

I was initially trying to get my Mac to work this way, using PEAP like Windows, but in Mac land they insist on specifying a username and PW (in my case, since the "user" is an Active Directory computer account, only the system knows the machine account's PW).

Since I could not get the Mac to use PEAP, I got TLS to work, only when I added "Smart Card or other Certificate" to the list of EAP methods in the connection request policy (see screenshots; I have a policy for Windows clients and one for Macs).
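As an added illustration of what the thread describes (the answer's EAP-TLS vs PEAP comparison, and the author's finding that NPS only accepted the Mac once "Smart Card or other Certificate", which is NPS's name for EAP-TLS, type 13, was added to the policy), here is a small Python model of EAP framing (RFC 3748) and the Nak-based method selection that runs before any method data is exchanged. This is example code written for this page, not code from the original post, from NPS or from macOS. The hostnames, outer identities and per-client supported-type lists are assumptions, and the method exchange itself (TLS handshake, inner MSCHAPv2) is not modelled; the point is that a supplicant that only speaks EAP-TLS answers an NPS PEAP proposal with a Nak, and the policy must list EAP-TLS for that Nak to be honoured.

```python
import struct

# EAP packet Codes (RFC 3748, section 4).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

# EAP method Types from the IANA EAP registry. In the NPS policy UI type 13
# appears as "Microsoft: Smart Card or other certificate" and type 25 as
# "Microsoft: Protected EAP (PEAP)"; EAP-MSCHAPv2 (26) runs inside the PEAP tunnel.
IDENTITY, NAK, EAP_TLS, PEAP, EAP_MSCHAPV2 = 1, 3, 13, 25, 26
TYPE_NAMES = {IDENTITY: "Identity", NAK: "Nak", EAP_TLS: "EAP-TLS",
              PEAP: "PEAP", EAP_MSCHAPV2: "EAP-MSCHAPv2"}


def encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(pkt):
    """Parse an EAP packet into (code, identifier, type or None, type_data)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} != {len(pkt)} bytes received")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response carries no Type octet")
    return code, ident, pkt[4], pkt[5:]


class Peer:
    """A supplicant with an outer identity and the EAP types it is willing to run."""

    def __init__(self, identity, supported):
        self.identity = identity
        self.supported = list(supported)

    def respond(self, request):
        code, ident, eap_type, _ = decode(request)
        assert code == REQUEST
        if eap_type == IDENTITY:
            return encode(RESPONSE, ident, IDENTITY, self.identity.encode())
        if eap_type in self.supported:
            # A real supplicant starts the method here (TLS ClientHello, ...);
            # an empty Type-Data is enough to show that it accepted the method.
            return encode(RESPONSE, ident, eap_type)
        # Legacy Nak (RFC 3748, 5.3.1): Type-Data lists the types the peer would accept.
        return encode(RESPONSE, ident, NAK, bytes(self.supported))


class Authenticator:
    """Models one NPS network policy: an ordered list of permitted EAP types."""

    def __init__(self, allowed):
        self.allowed = list(allowed)

    def negotiate(self, peer):
        """Run Identity then method selection; return (code, identity, chosen type)."""
        ident = 1
        _, _, _, id_data = decode(peer.respond(encode(REQUEST, ident, IDENTITY)))
        identity = id_data.decode()

        ident += 1
        offered = self.allowed[0]          # the server proposes its first configured type
        _, _, rtype, rdata = decode(peer.respond(encode(REQUEST, ident, offered)))
        if rtype == NAK:
            # Keep only the desired types the policy also permits, in the peer's order.
            common = [t for t in rdata if t in self.allowed]
            if not common:
                return FAILURE, identity, None
            ident += 1
            offered = common[0]
            _, _, rtype, _ = decode(peer.respond(encode(REQUEST, ident, offered)))
            if rtype != offered:
                return FAILURE, identity, None
        return SUCCESS, identity, rtype


# Constructed scenarios mirroring the thread; names and type lists are assumptions.
WINDOWS_PC = Peer("host/ws01.corp.example", [PEAP])   # PEAP with the machine account
MACBOOK = Peer("mac01.corp.example", [EAP_TLS])       # EAP-TLS with the machine cert
WINDOWS_POLICY = Authenticator([PEAP])                # PEAP only
MAC_POLICY = Authenticator([PEAP, EAP_TLS])           # PEAP + "Smart Card or other certificate"


def summarize(policy, peer):
    code, identity, chosen = policy.negotiate(peer)
    verdict = "SUCCESS" if code == SUCCESS else "FAILURE"
    return f"{identity}: {verdict} via {TYPE_NAMES.get(chosen, 'none')}"


if __name__ == "__main__":
    print(summarize(WINDOWS_POLICY, WINDOWS_PC))   # SUCCESS via PEAP
    print(summarize(WINDOWS_POLICY, MACBOOK))      # FAILURE: Nak asks for EAP-TLS, not permitted
    print(summarize(MAC_POLICY, MACBOOK))          # SUCCESS via EAP-TLS
```

Note that the Identity exchange is outside any tunnel in both methods, which is why the outer identity sent by a Windows machine-auth client (host/...) or by a Mac is visible on the wire before the method starts; only the method data that follows differs in what it protects.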
cschmidt5 (Author) commented:
While you did not directly answer my question, you helped me get the gears going a little better and I figured it all out.