Asked by Cole Schmidt
Understanding EAP methods

Hello experts,

What is the difference between EAP-TLS and PEAP?

Long story short - we use certificates to authenticate wireless clients - they have to be members of AD, and we use computer/machine certs/auth for this setup and it works great.

The EAP method we use here for Windows is PEAP with MSCHAPv2.

We recently added Apple macbooks to this mix, and it also works great, but only if we use EAP-TLS.
(When you look at the connection profile for the Mac, in Screenshot #1, you won't see EAP-TLS, instead you see "Smart Card or Other Cert". Once I added that, the connection started working, and Apple OS X reports it's using EAP-TLS.)

It took me a while to figure it out, and I only got it working after I added "Smart Card or other Certificate" in addition to PEAP for the EAP method on our Network Policy Server -

[Screenshot #1: NPS policy for Mac clients with "Smart Card or other Certificate" added (we have a separate policy for Windows clients, see second screenshot)]
[Screenshot #2: NPS policy for Windows clients]
How come I need this extra bit for the macs to get on the RADIUS with machine auth?

What is the major difference between these two methods?
ASKER CERTIFIED SOLUTION
DarinTCH
This solution is only available to members.
Cole Schmidt (ASKER):

Thank you for your reply - I agree with the "Where do I start", that is how I felt trying to phrase this question.

Also, my environment works, I am just trying to understand some more about it.

"do you have an internal CA that issues certificates?"
- Yes we do, it is a Microsoft CA, running on Server 2008.

Macs request their cert via RPC with a prebuilt config profile. They must be bound to AD before this will work.

There is a caveat to the comment "PEAP does by securing the channel and using a TLS tunnel - BUT it is still PASSWORD and username - can be discovered and impacted with over the shoulder and social engineering"

Our Windows clients are using PEAP - however, no interactive logon action is required, as we are using machine auth - so AD/group policy handles the exchange of credentials - thus over the shoulder/social eng will not work. When I say machine auth, PEAP is using the Active Directory computer account and its password, generally unknown to people, and never typed.

I was initially trying to get my Mac to work this way, using PEAP like Windows, but in Mac land, they insist on specifying a username and PW (in my case, since the "User" is an Active Directory computer account, only the system knows the machine's account PW).

Since I could not get the Mac to use PEAP, I got TLS to work, only when I added "Smart card or other certificate" to the list of EAP methods in the connection request policy (see screenshots, I have a policy for Windows clients and one for Mac).
While you did not directly answer my question, you helped me get the gears going a little better and I figured it all out.
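The reason the extra method entry matters is the EAP negotiation itself (RFC 3748): the RADIUS server proposes an EAP type, and a supplicant that cannot do it answers with a NAK listing the types it does support; the server can only switch to one of those if its policy allows it. The following is an added example, not code from the thread or from NPS: it models that exchange with the IANA EAP type numbers (PEAP is 25, MSCHAPv2 is 26, EAP-TLS, which NPS labels "Smart Card or other Certificate", is 13) and constructed policy lists for the Windows and Mac cases described above.

```python
# Added example (not from the original thread): EAP method negotiation
# per RFC 3748, showing why the NPS policy must list EAP-TLS (type 13)
# for a supplicant that only offers EAP-TLS, while Windows machine auth
# proceeds with PEAP (type 25) carrying MSCHAPv2 (type 26) inside it.
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_NAK, EAP_TLS, EAP_PEAP, EAP_MSCHAPV2 = 3, 13, 25, 26
NAMES = {EAP_TLS: "EAP-TLS", EAP_PEAP: "PEAP", EAP_MSCHAPV2: "MSCHAPv2"}


def build_eap(code, ident, eap_type, data=b""):
    """Serialize one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Parse the fixed header and return (code, identifier, type, type-data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad EAP length field")
    return code, ident, pkt[4], pkt[5:length]


def negotiate(server_allowed, client_supported):
    """Server proposes its first configured method; a client that cannot do
    it replies with a NAK (Type 3) listing what it supports (RFC 3748 5.3).
    Returns the agreed EAP type, or None when there is no overlap (reject)."""
    req = build_eap(EAP_REQUEST, 1, server_allowed[0])
    _, ident, proposed, _ = parse_eap(req)
    if proposed in client_supported:
        return parse_eap(build_eap(EAP_RESPONSE, ident, proposed))[2]
    nak = build_eap(EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes(client_supported))
    _, _, ntype, desired = parse_eap(nak)
    assert ntype == EAP_TYPE_NAK
    # The server may only switch to a desired type that its policy allows.
    for want in desired:
        if want in server_allowed:
            return want
    return None


if __name__ == "__main__":
    # Constructed policies: the Windows policy offers PEAP only; the Mac
    # profile with "Smart Card or other Certificate" supports EAP-TLS only.
    print(NAMES.get(negotiate([EAP_PEAP], [EAP_PEAP])))          # PEAP
    print(negotiate([EAP_PEAP], [EAP_TLS]))                      # None: rejected
    print(NAMES.get(negotiate([EAP_PEAP, EAP_TLS], [EAP_TLS])))  # EAP-TLS
```

The NAK carries only outer EAP types, which is why the inner MSCHAPv2 (26) never appears in the negotiation: it is tunneled inside PEAP once type 25 has been agreed.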