Wednesday, March 12, 2014

PEAP Authentication in WiFi

PEAP provides a TLS channel for an inner EAP method such as EAP-MS-CHAP (Microsoft Challenge Handshake Authentication Protocol).

To enhance both the EAP protocols and network security, PEAP provides the following:

1. A TLS channel during client and server EAP method negotiation. The TLS channel helps to prevent an attacker from injecting packets between the client and the network access server to force the negotiation of a less secure EAP type. The encrypted channel also helps to prevent denial-of-service attacks.

2. Support for fragmentation and reassembly of messages, which EAP types lacking this facility do not provide on their own.

3. Protection against the deployment of unauthorised access points, because the EAP client authenticates the certificate presented by the server. In addition, the TLS master secret created between the client and the server is not shared with the access point, so the access point cannot decrypt the messages flowing through it.

4. PEAP allows fast reconnect, which is especially useful for WiFi roaming. With fast reconnect, the delay of authenticating against the RADIUS server (or a similar backend) is avoided when moving between access points that are configured as RADIUS clients of the same RADIUS backend server, because fast reconnect does not require repeating the full authentication in that scenario.
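Point 2 above is the easiest part of PEAP to see in bytes. The following is an added example (not code from the post or from any PEAP implementation): it fragments one TLS message into EAP/PEAP packets using the L (length included), M (more fragments) and S (start) flag bits that follow the EAP Type octet (Type 25 = PEAP), and reassembles them on the receiving side. The reassembler rejects the malformed cases a defender cares about: an EAP Length field that disagrees with the packet size, a continuation fragment with no preceding length, a fragment that overruns the advertised length, and an advertised TLS message length above an assumed cap (`MAX_TLS_MESSAGE`, chosen for this example) so a peer cannot make the receiver reserve memory by advertising a huge message. The sample TLS record is constructed and contains no real handshake content.

```python
import struct

# EAP header: Code (1), Identifier (1), Length (2), Type (1)
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_PEAP = 25
EAP_HEADER_LEN = 5

# PEAP flag octet that follows the EAP Type field: L M S R R V V V
FLAG_L = 0x80          # Length included: a 4-octet TLS Message Length follows
FLAG_M = 0x40          # More fragments follow
FLAG_S = 0x20          # PEAP Start (server's first request, carries no TLS data)
VERSION_MASK = 0x07    # PEAP version (0 or 1 in practice)

# Assumed cap for this example: bounds what a peer can make us buffer.
MAX_TLS_MESSAGE = 64 * 1024


def build_peap_packets(code, identifier, tls_data, mtu, version=0):
    """Split one TLS message into PEAP packets no larger than `mtu` bytes.

    The first packet carries L plus the total TLS message length; every packet
    except the last carries M. Each fragment is its own EAP request/response
    round trip in a real exchange, so the Identifier is bumped per fragment.
    """
    room_first = mtu - EAP_HEADER_LEN - 1 - 4   # header + flags + length field
    room_other = mtu - EAP_HEADER_LEN - 1       # header + flags
    if room_first <= 0:
        raise ValueError("mtu too small for a PEAP packet")
    packets = []
    offset = 0
    while True:
        first = offset == 0
        chunk = tls_data[offset:offset + (room_first if first else room_other)]
        offset += len(chunk)
        flags = version & VERSION_MASK
        if first:
            flags |= FLAG_L
        if offset < len(tls_data):
            flags |= FLAG_M
        payload = bytes([EAP_TYPE_PEAP, flags])
        if first:
            payload += struct.pack("!I", len(tls_data))
        payload += chunk
        ident = (identifier + len(packets)) & 0xFF
        # EAP Length covers Code, Identifier, Length (4 octets) plus the payload
        packets.append(struct.pack("!BBH", code, ident, 4 + len(payload)) + payload)
        if offset >= len(tls_data):
            return packets


class PeapReassembler:
    """Collects PEAP fragments into one TLS message, validating as it goes."""

    def __init__(self):
        self.buf = bytearray()
        self.expected = None   # advertised TLS Message Length, if any

    def feed(self, packet):
        """Consume one EAP/PEAP packet.

        Returns the complete TLS message once the last fragment arrives, b"" for
        a packet with no TLS data (PEAP Start or a fragment acknowledgement),
        and None while more fragments are outstanding. Raises ValueError on
        malformed input instead of silently buffering it.
        """
        if len(packet) < 6:
            raise ValueError("truncated EAP packet")
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if length != len(packet):
            raise ValueError("EAP Length field does not match packet size")
        if packet[4] != EAP_TYPE_PEAP:
            raise ValueError("not a PEAP packet")
        flags = packet[5]
        if flags & FLAG_S:
            return b""           # Start: no TLS data, peer replies with ClientHello
        pos = 6
        if flags & FLAG_L:
            if self.buf:
                raise ValueError("length field in a non-first fragment")
            if len(packet) < pos + 4:
                raise ValueError("L flag set but no TLS Message Length")
            self.expected = struct.unpack("!I", packet[pos:pos + 4])[0]
            pos += 4
            if self.expected > MAX_TLS_MESSAGE:
                raise ValueError("advertised TLS message length too large")
        elif (flags & FLAG_M) and not self.buf:
            raise ValueError("first fragment of a fragmented message must carry L")
        data = packet[pos:]
        if self.expected is not None and len(self.buf) + len(data) > self.expected:
            raise ValueError("fragment overruns advertised TLS message length")
        self.buf += data
        if flags & FLAG_M:
            return None
        msg = bytes(self.buf)
        if self.expected is not None and len(msg) != self.expected:
            raise ValueError("reassembled length does not match advertised length")
        self.buf, self.expected = bytearray(), None
        return msg


def roundtrip(tls_data, mtu, identifier=1):
    """Fragment, feed every packet to a fresh reassembler; return (count, message)."""
    packets = build_peap_packets(EAP_CODE_REQUEST, identifier, tls_data, mtu)
    rx, out = PeapReassembler(), None
    for i, pkt in enumerate(packets):
        out = rx.feed(pkt)
        if (out is None) == (i == len(packets) - 1):
            raise RuntimeError("reassembler completed at the wrong fragment")
    return len(packets), out


def rejects(packet):
    """True if a fresh reassembler refuses the packet with ValueError."""
    try:
        PeapReassembler().feed(packet)
    except ValueError:
        return True
    return False


# Constructed sample: a TLS record header (Handshake, TLS 1.2) over 2997 bytes
# of patterned filler; 3002 bytes in total, so it needs three 1400-byte packets.
SAMPLE_BODY = (bytes(range(256)) * 12)[:2997]
SAMPLE_TLS = b"\x16\x03\x03" + struct.pack("!H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    count, msg = roundtrip(SAMPLE_TLS, 1400)
    print(count, "packets,", len(msg), "bytes reassembled, intact:", msg == SAMPLE_TLS)
```

Without the length and overrun checks a reassembler simply trusts whatever the peer advertises; bounding `MAX_TLS_MESSAGE` and insisting that a fragmented message opens with L is what keeps a malformed fragment stream from exhausting memory or splicing data into the wrong message.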

PEAP authentication has two main steps:

1. Establishment of a secure TLS channel
2. EAP authentication carried out over that secure channel

Below are the steps in creating the secure TLS channel:

1. The PEAP client associates with a wireless access point that is a client of a RADIUS server. An IEEE 802.11 association provides open system or shared key authentication before a secure association is made between the client and the wireless access point.

2. After the association is done, a TLS session is negotiated between the client and the access point.

3. After the computer-level authentication is successfully completed between the PEAP client and the RADIUS server, a TLS session is negotiated between them. The key derived during this negotiation is used to encrypt all subsequent communication.

