trojan81 asked:
PEAP authentication

Experts,

Making sure I understand how this works. Please no links to "how PEAP works".
I consult for an organization that is using Cisco wireless LAN controllers with LWAPP access points.
Upon looking at the Intel wireless client software configuration I can see that:
They are using PEAP authentication and are configured to validate the server certificate.
The server certificate is: peap.xyz.com
It is signed by VeriSign.
The Trusted Root CA on the client is checked with VeriSign.

My question is:
1) After the client verifies the server certificate and there is a trust, does the client then send his PC's logged-in credentials to the RADIUS server for authentication?

2) If I take a non-company-issued computer and add the VeriSign trusted root CA and configure it to connect to peap.xyz.com, will I then get prompted for user credentials to get on the wireless network?
Tom Cieslik replied:
PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves. Each station gets an individual encryption key. When used in conjunction with Temporal Key Integrity Protocol (TKIP), each key has a finite lifetime.

Cisco Systems, Microsoft and RSA Security are promoting PEAP as an Internet standard. Currently in draft status, the protocol is gaining support and is expected to displace Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP).

PEAP addresses the shortcomings of 802.11 security, shared key authentication being chief among these. Weaknesses in 802.11 Wired Equivalent Privacy (WEP) allow an attacker to capture encrypted frames and analyze them to determine the encryption key. (In this system, the same shared key is used for both authentication and encryption.) With the shared key, the attacker can decrypt frames or pose as a legitimate user.
Microsoft explanation:
https://msdn.microsoft.com/en-us/library/cc754179(v=ws.11).aspx

Wikipedia Explanation:
https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
trojan81 (asker) replied:

Completely ignored my two questions. Next person please?
ASKER CERTIFIED SOLUTION
Jakob Digranes
This solution is only available to members of Experts Exchange.
trojan81 (asker):
Jakob,

I forgot to mention they are doing RADIUS and using Computer Authentication. Does that mean after the TLS tunnel is built, the PC will then pass the NTLM credentials to the RADIUS server?

The certificate enrolled on the client that you are referring to, would that be the Root CA that signed the PEAP cert that is on the RADIUS server?
Jakob Digranes:
Yes

For certificate, I mean computer certificate, a unique certificate for each device, used for authentication.
trojan81 (asker):
Jakob, they don't issue a unique certificate to each computer. The computers are all imaged the same way. How do you think it works if each PC does not have a unique certificate?
Jakob Digranes:
Then they're using PEAP-MSCHAPv2, so the computer username and password are exchanged within the PEAP tunnel.
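Both of the asker's questions, and Jakob's closing point that the computer's username and password travel as MSCHAPv2 inside the PEAP tunnel, come down to what the supplicant is configured to check before it opens that tunnel. The block below is an added example, not configuration from the thread or from the asker's organization: a wpa_supplicant network block for PEAP-MSCHAPv2 with computer (machine) authentication and strict server validation, followed by the weak variant that trusts the root alone. The SSID "CorpWLAN", the CA file path, and the machine account name "host/PC001.xyz.com" are assumptions for illustration; the server name peap.xyz.com and the VeriSign root are the values given in the thread.

```conf
# Added example (not from the thread). Hardened PEAP-MSCHAPv2 network block:
# the client accepts the RADIUS server only if its certificate chains to the
# configured root AND its subject/SAN name matches peap.xyz.com. Only then
# is the inner MSCHAPv2 exchange (the computer account credentials) sent.
network={
    ssid="CorpWLAN"                       # assumed SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    phase1="peaplabel=0"                  # PEAPv0, what Windows NPS/IAS speaks
    phase2="auth=MSCHAPV2"                # inner method: MSCHAPv2, inside the TLS tunnel
    # Machine credentials: the AD computer account (assumed name), never sent
    # until the outer TLS tunnel to a validated server has been established
    identity="host/PC001.xyz.com"
    password="<machine account password>"  # placeholder; wpa_supplicant also accepts hash:<NT hash>
    # Trust anchor: the root that signed peap.xyz.com (assumed file path)
    ca_cert="/etc/ssl/certs/VeriSign_root.pem"
    # Name pinning: exact match against the server certificate's dNSName/CN
    domain_match="peap.xyz.com"
}

# Weak variant: only the root is trusted and no name is pinned. Any server
# presenting a certificate issued under that public root passes validation,
# so the client would build its tunnel to, and hand MSCHAPv2 credentials to,
# whichever server answers with such a certificate.
network={
    ssid="CorpWLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="host/PC001.xyz.com"
    password="<machine account password>"
    ca_cert="/etc/ssl/certs/VeriSign_root.pem"
    # no domain_match / subject_match / altsubject_match: the name is not checked
}
```

The difference between the two blocks is the answer to the second question in practice: adding the VeriSign root to a non-company machine reproduces the "trusted root" half of the client's validation, and whether the supplicant prompts for user credentials or silently uses the machine account depends on which identity and password it has been given for the inner MSCHAPv2 method, not on the certificate. On the Windows/Intel side the `domain_match` line corresponds to the "Connect to these servers" entry next to the trusted-root checkbox; with a public CA as the anchor, that name list is the only thing tying the TLS tunnel to peap.xyz.com rather than to any server holding a certificate from the same CA.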