Posted by Steven L Umbach on June 6, 2006, 7:20 pm
In my opinion that part of the article is wrong and I believe it is
referring to EAP-TLS when it talks about certificates for BOTH user and
computer. TLS is used when the user uses MSCHAPv2 for authentication, which
is why the IAS server needs a certificate so that the wireless client can
set up the secure TLS tunnel before the user authenticates. The article in
the link below may shed some light on the subject. I believe that PEAP can
be referred to as both PEAP-TLS and PEAP-MSCHAPv2, though if the user uses
PEAP and a user certificate/smart card instead of user credentials, then
MSCHAPv2 will not be used, and then maybe that would be PEAP-TLS. You will
see this when you configure 802.1X on a computer: if you go to the adapter's
network properties/Authentication, select PEAP, and then go to Properties and
select the authentication method, there are two choices: Secured password
(EAP-MSCHAPv2) or Smart card or other certificate. --- Steve
http://www.microsoft.com/technet/itsolutions/network/wifi/peap.mspx
> Thanks for your reply, Steve.
>
> Here's a snip from
> http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx:
>
> "Protected EAP (PEAP) is an authentication method that uses TLS to enhance
> the security of other EAP authentication methods. PEAP for Microsoft
> 802.1X
> Authentication Client provides support for TLS (PEAP-TLS), which uses
> certificates for both server authentication and client authentication; and
> Microsoft Challenge Handshake Authentication Protocol version 2
> (PEAP-MS-CHAP
> v2), which uses certificates for server authentication and password-based
> credentials for client authentication."
>
> I think this means that there's a PEAP-TLS that's separate from EAP-TLS and
> PEAP-MS-CHAP v2, but there seems to be very little (or no) discussion about
> the benefits of PEAP-TLS relative to EAP-TLS.
>
> Steve
>
> "Steven L Umbach" wrote:
>
>> I forgot to answer one of your questions. Since EAP-TLS requires that the
>> computer and user have certificates, you can also control what computers
>> can access your wireless network - those that have computer certificates.
>> You can't do that with PEAP-TLS if that is a concern. The user only needs
>> credentials to access the wireless network and to trust the certificate on
>> the IAS server. --- Steve
>>
>>
>> > EAP-TLS is the strongest but requires that the client user and computer
>> > both have the proper certificates.
>> >
>> > http://www.microsoft.com/downloads/details.aspx?FamilyID=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en
>> >
>> >
>> > ://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx ---
>> > Windows WIFI center
>> >
>> > EAP-TLS Authentication
>> > EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in
>> > certificate-based security environments. If you are using smart cards
>> > for
>> > remote access authentication, you must use the EAP-TLS authentication
>> > method. The EAP-TLS exchange of messages provides mutual
>> > authentication,
>> > integrity-protected cipher suite negotiation, and secured private key
>> > exchange and determination between the access client and the
>> > authenticating server. EAP-TLS provides the strongest authentication
>> > method. EAP-TLS is described in RFC 2716.
>> >
>> > I believe that PEAP-TLS is what you are referring to when mschapv2 is
>> > also
>> > used for 802.1X. It does not require that the client user/computer use
>> > certificates for authentication but that only the IAS server does to
>> > set
>> > up the TLS secure channel.
>> >
>> > I would forget using either for a wired network and instead use IPsec
>> > with guidance from the IPsec domain isolation guide as shown in the link
>> > below. 802.1X for wired networks only authenticates the computer to allow
>> > access to a switch port but does nothing after that. IPsec can make sure
>> > that the computer-to-computer traffic is authenticated and also encrypted
>> > and checked for integrity using ESP/AH. --- Steve
>> >
>> > http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
>> >
>> > for IPsec deployment
>> >
>> >
>> > message
>> >> Hi all,
>> >>
>> >> I'm a security newbie, but I've done some research, mostly Microsoft
>> >> docs.
>> >>
>> >> Most of the docs say that EAP-TLS is more secure than PEAP-MS-CHAP v2,
>> >> but
>> >> then say that PEAP is more secure than EAP because under EAP the
>> >> authentication process is not encrypted. I see there is a PEAP-TLS
>> >> protocol
>> >> available, but it's not mentioned in the list of what's most secure.
>> >>
>> >> I'm looking for a protocol that can be used for both wired/wireless
>> >> networks.
>> >>
>> >> So, my questions are:
>> >>
>> >> 1) Is EAP-TLS really more secure than PEAP-MS-CHAP v2?
>> >>
>> >> 2) Is there a reason not to use PEAP-TLS?
>> >>
>> >> 3) Is PEAP-TLS more secure than EAP-TLS?
>> >>
>> >> Thanks for any help,
>> >> Steve
>> >
>> >
>>
>>
>>
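The thread keeps coming back to which credentials each EAP method actually needs (a client certificate for EAP-TLS, a server certificate plus a user password for PEAP-MS-CHAP v2, a client certificate inside the tunnel for PEAP-TLS) and to the client having to trust the IAS server's certificate. The PowerShell below is an added example, not code from the thread or from Microsoft, that reads a saved Windows wireless profile and reports which of these methods it is really configured for and whether server-certificate validation is pinned. It assumes Windows Vista or later (the `netsh wlan` profile export did not exist on the XP-era clients discussed above); the profile name `Corp-WLAN` and the export folder are placeholders. The EAP type numbers it keys on are the IANA-assigned ones: 13 for EAP-TLS, 25 for PEAP, 26 for EAP-MSCHAPv2.

```powershell
# Added example (not from the thread): classify the EAP method a saved Windows
# wireless profile uses and check whether PEAP server validation is enforced.
# Assumptions: Windows Vista or later, a profile named 'Corp-WLAN' exists,
# and the export folder under $env:TEMP is writable.

$profileName = 'Corp-WLAN'
$folder      = Join-Path $env:TEMP 'wlan-export'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# netsh writes "<interface name>-<profile name>.xml" into $folder.
netsh wlan export profile name="$profileName" folder="$folder" | Out-Null
$file = Get-ChildItem -Path $folder -Filter "*$profileName.xml" | Select-Object -First 1
if (-not $file) { throw "No profile named '$profileName' was exported." }

[xml]$doc = Get-Content -Path $file.FullName -Raw

# The profile schema spreads its elements over several XML namespaces; matching on
# local-name() keeps the XPath independent of the exact namespace URIs.
$eapConfig = $doc.SelectSingleNode("//*[local-name()='EAPConfig']")
if (-not $eapConfig) { throw "Profile '$profileName' is not an 802.1X (EAP) profile." }

# Each <Eap> element carries a <Type>. In document order the first is the outer
# method; a second one is the inner method tunnelled inside PEAP.
# IANA EAP type numbers: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2.
$types = @($eapConfig.SelectNodes(".//*[local-name()='Eap']/*[local-name()='Type']") |
           ForEach-Object { [int]$_.InnerText })
$outer = $types[0]
$inner = if ($types.Count -gt 1) { $types[1] } else { -1 }

$method = switch ($outer) {
    13 { 'EAP-TLS: client certificate required, no outer tunnel' }
    25 {
        switch ($inner) {
            26      { 'PEAP-MS-CHAP v2: server certificate plus user password inside the TLS tunnel' }
            13      { 'PEAP-TLS: server certificate plus client certificate inside the TLS tunnel' }
            default { "PEAP with inner EAP type $inner" }
        }
    }
    default { "EAP type $outer" }
}

# Server validation settings (first <ServerValidation> in document order is the
# outer method's). Missing elements simply read as $null.
$sv = $eapConfig.SelectSingleNode(".//*[local-name()='ServerValidation']")
$noPrompt = $false; $serverNames = ''; $rootCAs = @()
if ($sv) {
    $noPrompt    = ($sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']").InnerText -eq 'true')
    $serverNames = $sv.SelectSingleNode("*[local-name()='ServerNames']").InnerText
    $rootCAs     = @($sv.SelectNodes("*[local-name()='TrustedRootCA']") | ForEach-Object { $_.InnerText.Trim() })
}
# Newer profiles also carry an explicit PerformServerValidation flag under PeapExtensions.
$perform = $eapConfig.SelectSingleNode(".//*[local-name()='PerformServerValidation']")

# With PEAP the password (MS-CHAP v2) is only protected by the TLS tunnel, so the
# client must refuse servers whose certificate does not chain to a pinned root CA.
# If the user can be prompted to accept an unknown server, or no root CA is pinned,
# the credentials can be handed to any RADIUS server that presents a certificate.
if ($outer -eq 25 -and ($rootCAs.Count -eq 0 -or -not $noPrompt -or ($perform -and $perform.InnerText -eq 'false'))) {
    Write-Warning "Profile '$profileName': PEAP server certificate validation is not pinned or can be overridden by the user."
}

[pscustomobject]@{
    Profile        = $profileName
    Method         = $method
    NoUserPrompt   = $noPrompt
    ServerNames    = $serverNames
    TrustedRootCAs = ($rootCAs -join ', ')
}
```

Running it on a PEAP profile prints the method string and the validation settings; the warning is the thing to act on before rolling the profile out, since the thread's advice that the user "needs to trust the certificate on the IAS server" is only enforced when a trusted root CA is pinned and the user prompt is disabled.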