Although the majority of wireless deployments within large organizations are
evaluating or utilizing EAP-TLS, there may be a few instances in which a Public
Key Infrastructure, a requirement for EAP-TLS, is not deployed. In these cases
a password-based 802.1x implementation would be useful. Some organizations are
currently evaluating or have deployed LEAP (Lightweight Extended Authentication
Protocol) for wireless security, a proprietary password-based implementation
from Cisco. Microsoft does not support LEAP on the wireless client or within
Internet Authentication Service (RADIUS), since LEAP is a proprietary solution
and uses an EAP type that is currently not supported on any Access Point (AP)
other than a Cisco AP. LEAP is not a published protocol and has not been
standardized by the Internet Engineering Task Force (IETF).
The Protected EAP (PEAP) authentication scheme defined within the 802.1x
implementation provides password-based authentication. PEAP will be an open
and highly secure standard that provides high-entropy keys against which
dictionary attacks are difficult to mount. The PEAP protocol will require a
certificate on the RADIUS server, although it does not require a certificate on
the client.
The PEAP protocol basically operates as follows:
- The client uses the Transport Level Security (TLS) protocol with the server
  to validate the server and generate a high-entropy key to create a TLS
  encrypted channel.
- The client then uses MS-CHAP v2 over this encrypted channel to enable server
  validation.
Because the challenge/response packets are sent over a TLS encrypted channel,
the MS-CHAP v2 password is not exposed to offline dictionary attacks.
PEAP is provided in Windows XP Service Pack 1 and in the Windows Server 2003
Family.
PEAP is also provided for Windows 2000 wireless clients and for the Windows 2000
Internet Authentication Service (IAS) with Microsoft 802.1x Authentication
Client.