Title: PEAP
1 PEAP
- Protected Extensible Authentication Protocol
2 What is PEAP?
- PEAP is an authentication protocol designed for wireless LANs
- PEAP makes use of 2 well known and well studied protocols
  - EAP - Extensible Authentication Protocol
  - TLS - Transport Layer Security
3 EAP Extensible Authentication Protocol
- EAP is an authentication protocol that typically rides on top of another protocol such as 802.1X, RADIUS, PPP, etc.
- EAP allows the authenticator to serve as the user authentication carrier between the client and the authentication server.
- EAP limitations are well known and resolved by PEAP.
4 TLS Transport Layer Security
- TLS provides the encryption, compression and data integrity.
- TLS is based on the SSL 3.0 Protocol Specification and is often described as an improved version of SSL.
- TLS is well documented and has been extensively analyzed with no significant weaknesses found.
5 Why do we need PEAP?
- A wireless access point (WAP) broadcasts all of its traffic so that anyone within broadcast range can passively collect the data. (Ethereal, AirSnort)
- Wireless encryption is weak and can be decrypted in a short period of time. (AirSnort, WEPcrack)
- Physical access to the network is not necessary to connect to the network. Knowledge of the SSID and possibly a valid MAC address is all that is required. (NetStumbler)
- Users have no way of knowing if they are connecting to a rogue access point set up as part of a man-in-the-middle attack.
6 How does PEAP fix these problems?
- The transmission of user-sensitive authentication data is encrypted within a TLS tunnel.
- Data within the TLS tunnel cannot be decrypted without the TLS master secret.
- If a client does not successfully authenticate, its connection is dropped by the access point.
- The TLS master secret is not shared with the access point, so rogue access points will be unable to decrypt messages protected by PEAP.
- Server-side Public-Key Infrastructure based digital certificates are used to authenticate EAP servers.
7 How does PEAP work?
- Part 1: Establish TLS tunnel (participants: Client, WAP, Authentication Server, EAP Server)
  1. Client -> WAP: Request connection
  2. WAP -> EAP Server: Request connection
  3. EAP Server -> Client: Do you support PEAP?
  4. Client -> EAP Server: Yes
  5. EAP Server -> Client: Server PKI certificate, server's TLS preferences
  6. Client -> EAP Server: Certificate verified, client's TLS preferences (or OK)
  7. EAP Server -> Client: TLS settings accepted, TLS finished
8 How does PEAP work?
- Part 2: EAP authentication within the TLS tunnel (participants: Client, WAP, EAP Server, Authentication Server)
  1. Client -> EAP Server: Response to "TLS tunnel established"
  2. EAP Server -> Client: Request client's identity
  3. Client -> EAP Server: Client's identity (tells the server which domain to contact)
  4. EAP Server -> Client: Server's requested EAP authentication type
  5. Client -> EAP Server: Client's requested EAP authentication type (or OK)
  6. EAP Server -> Client: EAP method accepted, request authentication
  7. Client -> EAP Server: Client's UserID and password
  8. EAP Server -> Authentication Server: UserID, password
  9. Authentication Server -> EAP Server: EAP authentication success
  10. EAP Server -> Client: Success
9 PEAP fast reconnect
- Allows wireless clients to move between access points on the same network without repeated requests for authentication.
- Requires that access points be configured to forward authentication requests to the same EAP server. If the original EAP server is not available, full authentication must occur.
- TLS session IDs are cached by the client and server. Because the server only caches TLS session IDs that successfully authenticate in Part 2, if the client can reestablish the TLS session, it is not necessary to re-authenticate the client against the authentication server.
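As an added example (not from the slides), the following Python model encodes the decisions of slides 7 to 9: the client proceeds only when the server certificate chains to a CA it trusts, credentials travel only inside the tunnel, and the server caches a TLS session ID only after Part 2 succeeds, so a fast reconnect skips the inner authentication only at the EAP server that holds that cache. The EapServer class, its fields, connect() and the credential store are assumed names and constructed data; there is no real TLS here.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class EapServer:
    """Toy EAP server: no real TLS, only the decisions the slides describe."""
    name: str
    cert_issuer: str                  # CA that signed the server certificate (assumed field)
    users: dict                       # constructed credential store {userid: password}
    session_cache: set = field(default_factory=set)  # TLS session IDs, cached only after Part 2 success

    def part1_tls_tunnel(self, trusted_cas, cached_id=None):
        """Part 1: client checks the server certificate; a cached session ID may resume."""
        if self.cert_issuer not in trusted_cas:
            return None                     # client rejects the certificate: possible rogue server
        if cached_id in self.session_cache:
            return cached_id, True          # fast reconnect: TLS session resumed
        return secrets.token_hex(8), False  # full handshake: fresh session ID

    def part2_inner_auth(self, session_id, userid, password):
        """Part 2: inner EAP authentication carried inside the tunnel."""
        if self.users.get(userid) != password:
            return False                    # failed clients are never cached
        self.session_cache.add(session_id)
        return True


def connect(server, trusted_cas, userid, password, cached_id=None):
    """Return (authenticated, session_id, inner_auth_ran) for one connection attempt."""
    tunnel = server.part1_tls_tunnel(trusted_cas, cached_id)
    if tunnel is None:
        return False, None, False           # credentials never leave the client
    session_id, resumed = tunnel
    if resumed:
        return True, session_id, False      # no re-authentication against the auth server
    if server.part2_inner_auth(session_id, userid, password):
        return True, session_id, True
    return False, None, True                # access point drops the connection
```

Roaming to an access point that forwards to a different EAP server (one that does not share the cache) falls back to a full authentication, as the slide states.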
10 Security concerns
- Authentication data transmitted between the NAS and the authentication server is not encrypted by the TLS tunnel. This channel must be protected from man-in-the-middle attacks.
- Data transmitted after PEAP authentication is not encrypted. The TLS tunnel is only used for authentication.
- Implementation of PEAP must be set up correctly. Poor configuration can allow for several severe vulnerabilities.