PEAP and EAP

Hi,

Does any one have some good resources on learning about using EAP and its sub protocols? I have a project that going to involve multiple devices authenticating to wireless and radius servers proxying the request to each other, and I want to increase me knowledge of authentication methods.

I am really interested in what information the supplicant can send when it tries to authenticate in the authentication packet. so really looking for more information in to the flexibility of how the authentication process runs. And what can be achieved in terms of thinks like having a single user log on from multiply devices but receiving different access from the information sent during authentication, ideally tieing in to AD. one thing I am bond by is the username on the request must be userid@realm so i want to work out a way to use other details in the request to determine access granted.

This is an area very much all i have done before is ticked the eap type on each end and let it work

, if any one has a good introduction in to the workings of it all I would be really greatful.

Cheers

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

SecurityThroughObscurity

http://bit.ly/16uFqKZ

NightShade1

Ill explain you how it works i have deploy tons of this....
Basically you got these devices

1-The client =suplicant
2-The AP
3-The wireless controller = Authenticator
4-Radius server(NPS of windows) or could be Aruba clearpass for example = Authentication Server

EAP PEAP basically use user and password for authentication
But its a 2 way authentication.

The server authenticate the user connecting via user and password in the domain
The client authenticate the server via a certificate.

So basically you need a certificate from a internal CA on your radius server(a template with machine authentication works fine)
If you dont have a internal CA then you can buy a certificate from verisign , godaddy etc.

You need to install this certificate on the personal store.

Now in summary what basically happens when a client its authenticating via EAP PEAP
1-The client check if the server is a valid server with the correct certificate(for this you must configure the clients to correctly do this)
2-the Client(supplicant) send it user and password to the authenticator(Wireless controller)
3-The authenticator send that request to the authentication server
4-The authentication server look up in his rules to see if he is allowed to get in
5-If he is allow to get in then the server send a message to the authenticator that he is allowed to get it or its deny and the authenticator give it access or deny access.

Now the client check that the server is a valid server by the certificate and also with the server name(for this you need to correctly configure the clients) if you do not correctly configure it then it WONT check if he is sending their credentials to the real server, and not to a fake server.

Hope this helps you...
If you need something else or you did not understand something reply to my message

DevilWAH

Hi,

OK let me explain a bit more as I get the basics of the authentication method

I strike up a relation ship with another company and we agree that if our users cross sites, then we will both have the same SSID and any requests will be proxies by our radius servers to back to the home site to be authenticated. and assuming that they pass then the visited site will grant them internet access (think of BT open zone)

One of the requirements is that all the institutes that are signed up to this only deal with the outer identity of the request when it is in the form below otehr wise they drop the request.

username@relm.com

What I want to find out about is if I have two devices on my site, and the same user logs on to both of them. Bearing in mind that the identity must be in the same format as above for both devices. How can I get my authenticating servers to differentiate between the two so I can assign them to different networks.

I am thinking I have a laptop and a phone, One is company owned and one a personal device. When they connect to the SSID at my site I want to be able to differentiate between them, but I still want them to meet the username requirement so when they visit another site the requests will get proxies back correctly to me.

I am happy to run multiply profiles for the same SSID so for example a Laptop first tries with a non standard naming format and if that does not work try a second. But I was wondering what can be held in the inner tunnel. How could I set up the laptops to have a profile that the BYOD devices can't copy that allows me to tell the difference?

Cheers

MentholMoose

Microsoft has some good documents on this.

Download Securing Wireless LANs with PEAP and Passwords from Official Microsoft Download Center

Of course the implementation procedures will be specific to Windows Server and Active Directory, but it also includes comprehensive theory and background information. Once you understand how it all works with one back-end, it is much easier to use others. My first PEAP deployment used Windows Server, but I've since been able to translate that knowledge to FreeRADIUS as well.

docrice

I drew up a diagram some years back which might help a bit to understand the process:

http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png

DevilWAH

Hi cheers for the pointers.

What I ended up doing is making institute owned devices authentic using EAP-TLS, which can be controlled as we have to dish out the client side certificates. While the users own devices used PEAP-MSCHAPv2 which they can set up them selves.

then its simple for me NPS server to differentiate based on authentication type. I know there are better ways to manage it but this is simple and gets the job done.