mobilemobilejwyr&

Hi all,

I'm a security newbie, but I've done some research, mostly Microsoft docs.

Most of the docs say that EAP-TLS is more secure than PEAP-MS-CHAP v2, but
then say that PEAP is more secure than EAP because under EAP the
authentication process is not encrypted. I see there is a PEAP-TLS protocol
available, but it's not mentioned in the list of what's most secure.

I'm looking for a protocol that can be used for both wired/wireless networks.

So, my questions are:

1) Is EAP-TLS really more secure than PEAP-MS-CHAP v2?

2) Is there a reason not to use PEAP-TLS?

3) Is PEAP-TLS more secure than EAP-TLS?

Thanks for any help,
Steve

steven l umbach

EAP-TLS is the strongest but requires that the client user and computer both
have the proper certificates.

http://www.microsoft.com/downloads/details.aspx?FamilyID=67fdeb48-74ec-4ee8-a650-334bb8ec38a9&displaylang=en
http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx ---
Windows WIFI center

EAP-TLS Authentication
EAP-Transport Layer Security (EAP-TLS) is an EAP type that is used in
certificate-based security environments. If you are using smart cards for
remote access authentication, you must use the EAP-TLS authentication
method. The EAP-TLS exchange of messages provides mutual authentication,
integrity-protected cipher suite negotiation, and secured private key
exchange and determination between the access client and the authenticating
server. EAP-TLS provides the strongest authentication method. EAP-TLS is
described in RFC 2716.

I believe that PEAP-TLS is what you are referring to when mschapv2 is also
used for 802.1X. It does not require that the client user/computer use
certificates for authentication but that only the IAS server does to set up
the TLS secure channel.

I would forget using either for wired network but instead use ipsec with
guidance from the ipsec domain isolation guide as shown in the link below.
802.1X for wired networks only authenticates the computer to allow access to
a switch port but does nothing after that. Ipsec can make sure that the
computer to computer traffic is authenticated and also encrypted and checked
for integrity using ESP/AH. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

http://support.microsoft.com/?kbid=254949 --- important consideration for
ipsec deployment

steven l umbach

I forgot to answer one of your questions. Since EAP-TLS requires that
computer and user have certificates then you can also control what computers
can access your wireless network - those that have computer certificates.
You can't do that with PEAP-TLS if that is a concern. The user only needs
credentials to access the wireless network and to trust the certificate on
the IAS server. --- Steve

mobilemobilejwyr&

Thanks for your reply, Steve.

Here's a snip from
http://www.microsoft.com/technet/community/columns/cableguy/cg1202.mspx:

"Protected EAP (PEAP) is an authentication method that uses TLS to enhance
the security of other EAP authentication methods. PEAP for Microsoft 802.1X
Authentication Client provides support for TLS (PEAP-TLS), which uses
certificates for both server authentication and client authentication; and
Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP
v2), which uses certificates for server authentication and password-based
credentials for client authentication."

I think this means that there's a PEAP-TLS that's separate from EAP-TLS and
PEAP-MS-CHAP v2, but there seems to be very little (or none) discussion about
the benefits of PEAP-TLS relative to EAP-TLS.

Steve

mobilemobilejwyr&

Oh, Steve, BTW, thanks for the IPSec info.

Steve

steven l umbach

In my opinion that part of the article is wrong and I believe it is
referring to EAP-TLS when it talks about certificates for BOTH user and
computer. TLS is used when the user uses MSCHAPV2 for authentication which
is why the IAS server needs a certificate so that the wireless client can
set up the secure TLS tunnel before the user authenticates. The article in
the link below may shed some light on the subject. I believe that PEAP can
be referred to as both PEAP-TLS and PEAP-MSCHAPV2 though if the user uses
PEAP and a user certificate/smart card instead of user credentials then
MSCHAPV2 will not be used and then maybe that would be PEAP-TLS. You will
see that when you configure 802.1x on a computer as you go to the adapters
network properties/authentication and select PEAP and then go to properties
select authentication method there are two choices - secured password
(EAP-MSCHAPV2) or smart card or other certificate. --- Steve

http://www.microsoft.com/technet/itsolutions/network/wifi/peap.mspx

s pidgorny mvp

Steve,

Sure I can control what computers can access the network with PEAP - as with
EAP, only those in the "allowed" group on the RADIUS.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

mobilemobilejwyr&

Thanks for your reply, Svyatoslav.

So, is there a PEAP-TLS protocol separate from EAP-TLS and PEAP-MS-CHAP v2?
If so, is PEAP-TLS better than EAP-TLS? Any concerns with PEAP-TLS?

Thanks for any help,
Steve

steven l umbach

Thanks for pointing that out. I believe that was introduced with SP4 for
Windows 2000 which then showed a dial in propery on the computer account and
then allowed computers to be included in the Windows Group in Remote Access
Policy? --- Steve

s pidgorny mvp

I really cannot define "better" in this context. EAP-TLS credentials are
separate from Windows user name/password and managed differently - that is
good if you use account lockout policy and wish to avoid remote account
lockout through unsuccessful authentication attempts in PEAP, or similar
attacks.

Other risks are entirely perceived and even Cisco salespeople fail to
explain why PEAP is worse than their favourite of the day. BTW Cisco likes
TTLS now. I have little doubt that someone will come up with Trusted, Truely
Secure Transport Layer Security (TTS-TLS) very soon but for now I prefer
PEAP for simplicity of rollout.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-