Solved

Understanding EAP methods

Posted on 2014-10-22
Last Modified: 2015-05-21
Hello experts,

What is the difference between EAP-TLS and PEAP?

Long story short - we use certificates to authenticate wireless clients - they have to be members of AD, and we use computer/machine certs/auth for this setup and it works great.

The EAP method we use here for Windows is PEAP with MSCHAPv2.

We recently added Apple macbooks to this mix, and it also works great, but only if we use EAP-TLS.
(When you look at the connection profile for the Mac, in Screenshot #1, you won't see EAP-TLS; instead you see "Smart Card or Other Cert". Once I added that, the connection started working, and Apple OS X reports it's using EAP-TLS.)
 
It took me a while to figure it out, and I only got it working after I added "Smart Card or other Certificate" in addition to PEAP for the EAP method on our Network Policy Server -

Screenshot #1 (SS1.png) - we have a separate policy for Windows clients, see the second screenshot.
Screenshot #2 (SS2.png)
How come I need this extra bit for the macs to get on the RADIUS with machine auth?

What is the major difference between these two methods?
Question by:cschmidt5
3 Comments
 
LVL 12

Accepted Solution

by:
DarinTCH earned 500 total points
ID: 40398444
hum - where do I start
do you have an internal CA that issues certificates?

if not, many tend to go PEAP and purchase a cert as needed - seems slightly simpler
- also MS recommends PEAP - http://technet.microsoft.com/library/bb726967

I also found that Mac seems to like TLS better

TLS demands a cert on client and server sides, X.509 ONLY
- PEAP client side cert is optional and can use other authentication mechanisms
TLS uses the cert to secure communication (both ways) - PEAP has 2 channels of communication
TLS does not secure/protect client identity - PEAP does, by securing the channel and using a TLS tunnel - BUT it is still PASSWORD and username - can be discovered and impacted with over the shoulder and social engineering

I liked this reference for TLS vs PEAP
http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf
0
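As an added example (not from this thread or from any product it mentions): a small Python checker that applies the answer's rule of thumb, EAP-TLS needs certificates on both sides while PEAP needs only the server certificate plus an identity/password for the inner MSCHAPv2, to wpa_supplicant-style network blocks, the supplicant format a Mac or Linux client would use. The key names follow wpa_supplicant; the sample blocks, SSID, identities and file paths are constructed for illustration.

```python
import re

# Keys each method needs (constructed rule set based on the answer above;
# wpa_supplicant key names are used for the example blocks).
REQUIRED = {"TLS": {"ca_cert", "client_cert", "private_key"},
            "PEAP": {"ca_cert", "identity", "password"}}

def parse_network_block(text):
    """Parse a wpa_supplicant-style network={ key=value ... } block into a dict."""
    body = re.search(r"network\s*=\s*\{(.*)\}", text, re.S)
    if not body:
        raise ValueError("no network={...} block found")
    cfg = {}
    for line in body.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def check_eap_config(cfg):
    """Return findings; an empty list means the block matches the method's rules."""
    method = cfg.get("eap", "").upper()
    if method not in REQUIRED:
        return [f"unsupported or missing eap method: {method!r}"]
    findings = [f"{method}: missing {k}" for k in sorted(REQUIRED[method] - cfg.keys())]
    if method == "PEAP" and cfg.get("phase2", "").upper() != "AUTH=MSCHAPV2":
        findings.append("PEAP: phase2 should be auth=MSCHAPV2")
    if method == "TLS" and "password" in cfg:
        findings.append("TLS: password is unused by EAP-TLS, remove the stray secret")
    return findings

# Constructed sample blocks: a machine-cert EAP-TLS client and a PEAP client
# that forgot ca_cert (so it cannot verify which RADIUS server it tunnels to).
TLS_BLOCK = """network={
    ssid="corp-wifi"
    eap=TLS
    ca_cert="/etc/certs/corp-ca.pem"
    client_cert="/etc/certs/mac01.pem"
    private_key="/etc/certs/mac01.key"
}"""
PEAP_BLOCK = """network={
    ssid="corp-wifi"
    eap=PEAP
    identity="host/win01.example.local"
    password="machine-account-secret"
    phase2="auth=MSCHAPV2"
}"""
```

Running `check_eap_config(parse_network_block(PEAP_BLOCK))` reports the missing `ca_cert`, while the EAP-TLS block passes cleanly; the PEAP finding is the one to care about, since the inner MSCHAPv2 credentials are only as protected as the TLS tunnel that carries them.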
 

Author Comment

by:cschmidt5
ID: 40400254
Thank you for your reply - I agree with the "Where do I start"; that is how I felt trying to phrase this question.

Also, my environment works, I am just trying to understand some more about it.

"do you have an internal CA that issues certificates?"
- Yes we do, it is a Microsoft CA, running on Server 2008.

Macs request their cert via RPC with a prebuilt config profile. They must be bound to AD before this will work.

There is a caveat to the comment "PEAP does by securing the channel and using a TLS tunnel - BUT it is still PASSWORD and username - can be discovered and impacted with over the shoulder and social engineering"

Our Windows clients are using PEAP - however, no interactive logon action is required, as we are using machine auth - so AD/group policy handles the exchange of credentials - thus over the shoulder/social eng will not work. When I say machine auth, PEAP is using the Active Directory computer account and its password, generally unknown to people, and never typed.

I was initially trying to get my Mac to work this way, using PEAP like Windows, but in Mac land, they insist on specifying a username and PW (in my case, since the "User" is an Active Directory computer account, only the system knows the machine's account PW).

Since I could not get the Mac to use PEAP, I got TLS to work, only when I added "Smart card or other certificate" to the list of EAP methods in the connection request policy (see screenshots; I have a policy for Windows clients and one for Mac).
0
 

Author Closing Comment

by:cschmidt5
ID: 40789705
While you did not directly answer my question, you helped me get the gears going a little better and I figured it all out.
0
