
Sunday, July 23, 2017

How EAP-PEAP (Protected EAP) Works in Wireless Security

EAP (Extensible Authentication Protocol) is a framework used to authenticate users in several technologies. Common examples are WPA/WPA2-Enterprise wireless networks and point-to-point (PPP) links.

If you want to understand the basics of the 802.1X/EAP concept, please refer to that post first.

EAP itself only defines the packet header and the four packet codes used in an authentication dialog (Request, Response, Success, Failure). It does not define how the authentication is actually performed; that is left to the individual EAP methods, the "flavors" of EAP.

Each EAP method, identified by its own Type value, specifies a different way of authenticating the user.

The most commonly used EAP types are EAP-TLS, PEAP and EAP-FAST.

EAP-PEAP

EAP-PEAP (Protected EAP) is an authentication mechanism with two phases:
Phase 1 builds a TLS tunnel using the server certificate (only the server is authenticated here).
Phase 2 runs an inner EAP method inside that tunnel to authenticate the client with its real identity and credentials.

Note:- 

A certificate binds a public key to an identity and is signed by a trusted certificate authority (CA); the client trusts the server's key only because it trusts the CA that signed the certificate.
When EAP-PEAP is used, the following steps take place.
The first 4 steps are common to any EAP method (basic 802.11 connectivity):

(01) The client sends an 802.11 Open System Authentication Request
(02) The AP sends an 802.11 Open System Authentication Response
(03) The client then sends an Association Request
(04) The AP sends an Association Response

At this point the AP blocks all traffic from the supplicant except EAPoL frames until authentication completes (the 802.1X controlled port is closed).

Phase 1

(05) The client sends an EAPoL-Start (optional; the AP can also begin the exchange itself)
(06) The AP/WLC sends an EAP Request/Identity asking for the supplicant identity (username)
(07) The client sends its identity to the AP/WLC in an EAP Response/Identity (this outer identity travels in cleartext, so it can be a fake or anonymous ID)
(08) The AP/WLC forwards the identity to the RADIUS server in a RADIUS Access-Request
(09) The RADIUS server starts the TLS handshake and sends its certificate to the client through the AP/WLC; the client must validate it (trusted CA, expected server name) before continuing
(10) The client completes the TLS handshake: with RSA key exchange it generates a pre-master secret, encrypts it with the public key from the server certificate and sends it to the RADIUS server; both sides then derive the TLS session keys

Now both the client and the RADIUS server share keys to encrypt the messages they exchange, but only the server has been authenticated (by its certificate). The client still needs to be authenticated, so a second phase starts: an inner EAP method runs inside the TLS tunnel (hence the name Protected EAP), authenticating the client with a username and password using EAP-MSCHAPv2 (PEAPv0) or EAP-GTC (PEAPv1). If the client skips the certificate validation in phase 1, a rogue AP with its own RADIUS server can terminate the tunnel and see this inner exchange, so the server check is what actually protects the credentials.

Phase 2

(11) The RADIUS server asks the client, inside the tunnel, to send its credentials
(12) The client sends its credentials to the RADIUS server (this is the real username; with MSCHAPv2 the password itself is never sent, only a challenge/response derived from it, while GTC sends the password in cleartext inside the tunnel)

Now the RADIUS server can derive the main encryption key for the client's traffic. This key is called the Pairwise Master Key (PMK) and comes from the TLS keying material established in phase 1.

(13) The RADIUS server derives the PMK (Pairwise Master Key)
(14) The RADIUS server forwards the PMK to the AP/WLC in the RADIUS Access-Accept, together with the EAP Success message
(15) The WLC uses the PMK to generate the encryption keys for the client traffic

Note:- 

The RADIUS server does not keep the PMK; it just derives it and hands it to the WLC. The client derives the same PMK on its own from the TLS master secret, so both ends of the wireless link hold an identical PMK without it ever crossing the air.
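As an added example (not from the original post) of how the client and the RADIUS server end up with the same PMK, the code below derives the MSK and the 802.11 PMK from the phase 1 TLS state. It assumes TLS 1.2 (SHA-256 PRF) and PEAPv0, which reuses the EAP-TLS key hierarchy of RFC 5216: Key_Material = PRF(master_secret, "client EAP encryption", client.random || server.random), MSK = the first 64 bytes, PMK = the first 32 bytes of the MSK. TLS 1.0/1.1 use the older MD5/SHA-1 PRF and TLS 1.3 uses key exporters instead, so those cases are out of scope. The master secret and randoms are constructed values, not from any real handshake, and the RADIUS-side `access_accept_keys` helper models the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes without the RADIUS-secret encryption they get on the wire.

```python
"""Added example: derive the PEAPv0/EAP-TLS MSK and the 802.11 PMK from the
phase 1 TLS master secret, as both the supplicant and the RADIUS server do.
Assumes TLS 1.2 (P_SHA256 PRF). Not code from the original post."""
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """TLS 1.2 P_SHA256 expansion (RFC 5246 section 5): A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) in TLS 1.2."""
    return p_sha256(secret, label + seed, length)


def eap_tls_keys(master_secret, client_random, server_random):
    """RFC 5216 section 2.3 key hierarchy, reused unchanged by PEAPv0:
    Key_Material = PRF(master_secret, "client EAP encryption", client.random || server.random)
    MSK  = Key_Material[0:64]   (what the RADIUS server hands to the AP/WLC)
    EMSK = Key_Material[64:128] (never leaves the EAP peers)
    PMK  = MSK[0:32]            (802.11 Pairwise Master Key)"""
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:128]
    return msk, emsk, msk[:32]


def access_accept_keys(msk):
    """Step 14 on the RADIUS side: the two MSK halves go to the AP/WLC in the
    Access-Accept as Microsoft vendor attributes (RFC 2548). On the wire they are
    encrypted under the RADIUS shared secret; that wrapping is omitted here."""
    return {"MS-MPPE-Recv-Key": msk[:32], "MS-MPPE-Send-Key": msk[32:64]}


def wlc_and_client_pmk(master_secret, client_random, server_random):
    """The WLC takes its PMK from MS-MPPE-Recv-Key; the client derives its own
    from the same TLS state. Returns (wlc_pmk, client_pmk, match)."""
    server_msk = eap_tls_keys(master_secret, client_random, server_random)[0]
    wlc_pmk = access_accept_keys(server_msk)["MS-MPPE-Recv-Key"]
    client_pmk = eap_tls_keys(master_secret, client_random, server_random)[2]
    return wlc_pmk, client_pmk, hmac.compare_digest(wlc_pmk, client_pmk)


# Constructed TLS values for illustration only: a real handshake yields a 48-byte
# master secret and two 32-byte randoms, but these bytes are NOT from any capture.
DEMO_MASTER_SECRET = bytes(range(48))
DEMO_CLIENT_RANDOM = bytes(range(32))
DEMO_SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    msk, emsk, pmk = eap_tls_keys(DEMO_MASTER_SECRET, DEMO_CLIENT_RANDOM, DEMO_SERVER_RANDOM)
    print("MSK :", msk.hex())
    print("PMK :", pmk.hex())
    wlc_pmk, client_pmk, same = wlc_and_client_pmk(DEMO_MASTER_SECRET,
                                                   DEMO_CLIENT_RANDOM, DEMO_SERVER_RANDOM)
    print("WLC and client PMK match:", same)
```

Both derivations consume only the TLS master secret and the two handshake randoms, which is why the PMK never has to be transmitted between the supplicant and the RADIUS server; only the RADIUS-to-WLC hop carries it, and that hop is protected by the RADIUS shared secret rather than by EAP.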

At this point the work of EAP-PEAP is done. But in the real world (WPA/WPA2) there are a few more steps (the 4-way handshake that turns the PMK into per-session keys) to secure the client's traffic. I will describe them in a later post about WPA/WPA2.


1 comment:

  1. Someone essentially lend a hand to make critically articles I'd state.

    That is the first time I frequented your web page and up to now?
    I surprised with the analysis you made to make this particular publish extraordinary.
    Excellent process!
    visit homepage : How To Password Protect Folder The Marine Way
