Understanding EAP methods

Posted on 2014-10-22
Last Modified: 2015-05-21
Hello experts,

What is the difference between EAP-TLS and PEAP?

Long story short - we use certificates to authenticate wireless clients - they have to be members of AD, and we use computer/machine certs/auth for this setup and it works great.

The EAP method we use here for Windows is PEAP with MSCHAPv2.

We recently added Apple macbooks to this mix, and it also works great, but only if we use EAP-TLS.
(When you look at the connection profile for the Mac, in Screenshot #1, you won't see EAP-TLS, instead you see "Smart Card or Other Cert". Once I added that, the connection started working, and Apple OS X reports it's using EAP-TLS.)
 
It took me a while to figure it out, and I only got it working after I added "Smart Card or other Certificate" in addition to PEAP for the EAP method on our Network Policy Server -

Screenshot #1 (SS1.png): the Mac policy. We have a separate policy for Windows clients, see screenshot #2 (SS2.png).
How come I need this extra bit for the macs to get on the RADIUS with machine auth?

What is the major difference between these two methods?
Question by:cschmidt5

Accepted Solution by DarinTCH (earned 500 total points), ID: 40398444
Hum - where do I start?
Do you have an internal CA that issues certificates?

If not, many tend to go PEAP and purchase a cert as needed - seems slightly simpler.
- Also, MS recommends PEAP - http://technet.microsoft.com/library/bb726967

I also found that Mac seems to like TLS better.

TLS demands a cert on client and server sides, X.509 ONLY.
- PEAP: client side cert is optional and can use other authentication mechanisms.
TLS uses the cert to secure communication (both ways) - PEAP has 2 channels of communication.
TLS does not secure/protect client identity - PEAP does, by securing the channel and using a TLS tunnel - BUT it is still PASSWORD and username - can be discovered and impacted with over the shoulder and social engineering.

I liked this reference for TLS vs PEAP:
http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf
 

Author Comment by cschmidt5, ID: 40400254
Thank you for your reply - I agree with the "Where do I start"; that is how I felt trying to phrase this question.

Also, my environment works, I am just trying to understand some more about it.

"do you have an internal CA that issues certificates?"
- Yes we do, it is a Microsoft CA, running on Server 2008.

Macs request their cert via RPC with a prebuilt config profile. They must be bound to AD before this will work.

There is a caveat to the comment "PEAP does by securing the channel and using a TLS tunnel - BUT it is still PASSWORD and username - can be discovered and impacted with over the shoulder and social engineering"

Our Windows clients are using PEAP - however, no interactive logon action is required, as we are using machine auth - so AD/group policy handles the exchange of credentials - thus over the shoulder/social eng will not work. When I say machine auth, PEAP is using the Active Directory computer account and its password, generally unknown to people, and never typed.

I was initially trying to get my Mac to work this way, using PEAP like Windows, but in Mac land, they insist on specifying a username and PW (in my case, since the "User" is an Active Directory computer account, only the system knows the machine's account PW).

Since I could not get the Mac to use PEAP, I got TLS to work, only when I added "Smart card or other certificate" to the list of EAP methods in the connection request policy (see screenshots, I have a policy for Windows clients and one for Mac).
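A simplified model of the EAP method negotiation behind this thread (the NPS policy proposing PEAP, the Mac profile accepting only EAP-TLS, and why adding "Smart Card or other Certificate" to the policy makes the Mac connect), added here as an illustration; it is not code from this thread, from NPS or from Apple, and the client capability sets it uses are constructed assumptions:

```python
import struct

# EAP codes and method type numbers (RFC 3748, RFC 5216; PEAP is type 25)
EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_NAK, TYPE_EAP_TLS, TYPE_PEAP = 3, 13, 25

def build_eap(code, ident, eap_type, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet; returns (code, identifier, type, data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match the packet size")
    return code, ident, pkt[4], pkt[5:]

def client_reply(request, supported):
    """Peer (supplicant) side: start the proposed method if it is one the
    client can do, otherwise answer with a Legacy Nak that lists the method
    types it would accept (RFC 3748 section 5.3.1)."""
    _, ident, proposed, _ = parse_eap(request)
    if proposed in supported:
        return build_eap(EAP_RESPONSE, ident, proposed)
    return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(sorted(supported)))

def negotiate(policy_methods, client_supported):
    """Authenticator side (an NPS-like policy, simplified): propose each enabled
    EAP type in policy order and move to the next one when the peer Naks.
    Returns the agreed method type, or None when policy and client never overlap."""
    ident = 1
    for method in policy_methods:
        request = build_eap(EAP_REQUEST, ident, method)
        _, _, resp_type, data = parse_eap(client_reply(request, client_supported))
        if resp_type == method:
            return method                    # peer started the method
        if resp_type == TYPE_NAK and not set(data) & set(policy_methods):
            return None                      # peer wants nothing the policy offers
        ident += 1
    return None

if __name__ == "__main__":
    # Constructed capability sets: a Windows machine-auth client that can do
    # PEAP or EAP-TLS, and a Mac profile that only accepts EAP-TLS.
    windows, mac = {TYPE_PEAP, TYPE_EAP_TLS}, {TYPE_EAP_TLS}
    print("PEAP-only policy, Mac:", negotiate([TYPE_PEAP], mac))          # None
    print("PEAP + EAP-TLS policy, Mac:", negotiate([TYPE_PEAP, TYPE_EAP_TLS], mac))  # 13
    print("PEAP-only policy, Windows:", negotiate([TYPE_PEAP], windows))  # 25
```

Real NPS and supplicants run the full method exchange after this point; the model only covers the type selection step that decides whether the Mac ever gets offered EAP-TLS.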
 

Author Closing Comment by cschmidt5, ID: 40789705
While you did not directly answer my question, you helped me get the gears going a little better and I figured it all out.