PEAP - PowerPoint PPT Presentation

1 / 11
About This Presentation
Title:

PEAP

Description:

PEAP Protected Extensible Authentication Protocol What is PEAP? PEAP is an authentication protocol designed for wireless LANs PEAP makes use of 2 well known and well ... – PowerPoint PPT presentation

Number of Views:74
Avg rating:3.0/5.0
Slides: 12
Provided by: AAF2
Learn more at: http://cs.uccs.edu
Category:
Tags: peap | password

less

Transcript and Presenter's Notes

Title: PEAP


1
PEAP
  • Protected Extensible Authentication Protocol

2
What is PEAP?
  • PEAP is an authentication protocol designed for
    wireless LANs
  • PEAP makes use of 2 well known and well studied
    protocols
  • EAP - Extensible Authentication Protocol
  • TLS - Transport Layer Security

3
EAP Extensible Authentication Protocol
  • EAP is an authentication protocol that typically
    rides on top of another protocol such as 802.1x,
    RADIUS, PPP, etc.
  • EAP allows the authenticator to serve as the user
    authentication carrier between the client and the
    authentication server.
  • EAP limitations are well known and resolved by
    PEAP.

4
TLS Transport Layer Security
  • TLS provides the encryption, compression and data
    integrity.
  • TLS is based on the SSL 3.0 Protocol
    Specification and is often described as a
    improved version of SSL.
  • TLS is well documented and has been extensively
    analyzed with no significant weaknesses found.

5
Why do we need PEAP?
  • A wireless access point (WAP) broadcasts all of
    its traffic so that anyone within broadcast range
    can passively collect the data. (Ethereal,
    AirSnort)
  • Wireless encryption is weak and can be decrypted
    in a short period of time. (AirSnort, WEPcrack)
  • Physical access of the network is not necessary
    to connect to the network. Knowledge of the SSID
    and possibly a valid MAC address is all that is
    required. (NetStumbler)
  • Users have no way of knowing if they are
    connecting to a rogue access point setup as part
    of a man-in-the-middle attack.

6
How does PEAP fix these problems?
  • The transmission of user-sensitive authentication
    data is encrypted within a TLS tunnel.
  • Data within the TLS tunnel cannot be decrypted
    without the TLS master secret.
  • If a client does not successfully authenticate,
    its connection is dropped by the access point.
  • The TLS master secret is not shared with the
    access point, so rogue access points will be
    unable to decrypt messages protected by PEAP.
  • Server-side Public-Key Infrastructure based
    digital certificates are used to authenticate EAP
    Servers.

7
How does PEAP work?
  • Part 1 Establish TLS tunnel

Client
WAP
Authentication Server
EAP Server
Request Connection
Request Connection
Do you support PEAP?
Yes
Server PKI certificate servers TLS preferences
Certificate verified clients TLS preferences
or OK
TLS settings accepted TLS finished
  • TLS tunnel established

8
How does PEAP work?
  • Part 2 EAP authentication within the TLS tunnel

Client
WAP
EAP Server
Authentication Server
Response to TLS tunnel established
Request clients identity
Clients identity (tells server domain to contact)
Servers requested EAP authentication type
Clients requested EAP authentication type or OK
EAP method accepted, request authentication
Clients UserID and Password
UserID password
EAP authentication success
Success
  • TLS tunnel torn down

9
PEAP fast reconnect
  • Allows wireless clients to move between access
    points on the same network without repeated
    requests for authentication.
  • Requires that access points be configured to
    forward authentication requests to the same EAP
    server. If the original EAP server is not
    available, full authentication must occur.
  • TLS session IDs are cached by the client and
    server. Because the server only caches TLS
    session IDs that successfully authenticate in
    part 2, if the client can reestablish the TLS
    session, it is not necessary to re-authenticate
    the client against the authentication server.

10
Security concerns
  • Authentication data transmitted between the NAS
    and the authentication server is not encrypted by
    the TLS tunnel. This channel must be protected
    from man-in-the-middle attacks.
  • Data transmitted after PEAP authentication is not
    encrypted. The TLS tunnel is only used for
    authentication.
  • Implementation of PEAP must be setup correctly.
    Poor configuration can allow for several severe
    vulnerabilities.

11
References
  • http//www.globecom.net/ietf/draft/draft-josefsson
    -pppext-eap-tls-eap-02.html
  • http//www.oreillynet.com/lpt/a/2827
  • www.nwfusion.com/news/2002/0923peap.html
  • http//www.ietf.org/rfc/rfc2246.txt
  • http//www.microsoft.com/technet/treeview/default.
    asp?url/technet/prodtechnol/windowsserver2003/pro
    ddocs/entserver/sag_ias_protocols_peap.asp
  • http//www.faqs.org/rfcs/rfc2284.html
  • http//www.cisco.com/en/US/netsol/ns110/ns175/ns17
    6/ns178/netqa09186a008010018c.html
Write a Comment
User Comments (0)
About PowerShow.com