topic Re: PEAP /MSCHAP V2 in Wireless

PEAP /MSCHAP V2

satish_chowdhary — Sat, 03 Jul 2021 20:28:13 GMT

Hi All, i have PEAP with MSCHAPV2 setup, my windows supplicant can authenticate to ACS with our without the Validate certificate tick enabled.

I read that certificates are optional with PEAP and mandatory in EAP-TLS

Can some pl confirm the above.

Thanks in adv

Re: PEAP /MSCHAP V2

Rob Huffman — Thu, 11 Jan 2007 14:09:21 GMT

Hi Satish,

Here is a good doc that confirms this (Look at Chart#1);

RADIUS server certificate required:

Cisco LEAP - No

Cisco EAP-FAST- No

Microsoft PEAP/MS-CHAPv2- Yes

Cisco PEAP (EAP-GTC)- Yes

Microsoft EAP-TLS- Yes

--------------------------------------

Client certificate required:

Cisco LEAP - No

Cisco EAP-FAST- No

Microsoft PEAP/MS-CHAPv2- No

Cisco PEAP (EAP-GTC)- No

Microsoft EAP-TLS- Yes

---------------------------------------

From this good doc;

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_guide09186a008046dc81.html

Hope this helps!

Rob

Please remember to rate helpful posts.....

Re: PEAP /MSCHAP V2

Scott Pickles — Mon, 15 Jan 2007 19:16:27 GMT

This is not entirely correct. PEAP does require a certificate, but on the server side only. The clients do not require a cert. In EAP-TLS, however, the client does need to verify the server cert. You can GOOGLE your question or try Microsoft's TechNet. There is a good article on setting up PEAP from scratch with Win2k3 server, look on TechNet for it. Also, look at the chart found here:

http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html -

you will come across the part where you create a server-side cert. You will then be taken through the client config that shows validation of the cert is not required.

Hope that helps.

Scott

Re: PEAP /MSCHAP V2

satish_chowdhary — Mon, 15 Jan 2007 23:04:48 GMT

Hi Scott, i am with you i installed a Cert on our ACS and that bit is fine, what i dont get is does the windows supplicant need a cert installed on the client machine ??cuz the tick for validate certificate is of no use, as the clients can connect with or without it

Re: PEAP /MSCHAP V2

Scott Pickles — Fri, 19 Jan 2007 19:02:46 GMT

Satish -

You are correct in that the certificate is not needed on the client. Just uncheck the "Validate Server..." part. As for it still not working without validating server, have you checked your RADIUS/IAS logs? Are you seeing any logged attempts? In addition, is your AP set up as a RADIUS client under IAS with correct shared secret? You also need to configure your SSID with the following:

Open with EAP

Network with No Addition

Encryption Mandatory WPA

Then, under the encryption manager, for Cipher select TKIP.

Be sure and also define a default EAP server, which is your RADIUS/IAS server. Make certain your shared secret keys are correct.

You can obtain the following document which walks you through a lot of this stuff on a Win2K3 Server at the following address:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en

Hope this helps.

Regards,

Scott