topic Re: PEAP and Integrity Client in Wireless

PEAP and Integrity Client

aoshea — Sat, 03 Jul 2021 21:48:51 GMT

Dear Support,

Looking at deploying PEAP, via WZC client and MS-CHAP v2.

The desktop team would like to know what rules need to be configured on the Integrity client for PEAP authentication.

Can anyone help me please?

thanks in advance.

I always rate helpful posts.

Regards, Adrian.

Re: PEAP and Integrity Client

rnigam — Mon, 22 Oct 2007 11:33:02 GMT

A WPA suite is always a good option for message integrity. Both WPA/WPA2 do MIC through TKIP and AES, which would be an answer to your query.

Re: PEAP and Integrity Client

aoshea — Mon, 22 Oct 2007 12:16:29 GMT

Many thanks for the update, I total agree with your recommendations, but from a client firewall perspective (i.e. the integrity client) what ports would i need to allow for peap authentication ... i.e. is it over http (tcp port 80), https (tcp port 443), etc.

Your assistance is appreciated.

Thanks again.

Regards,

Adrian

Re: PEAP and Integrity Client

erikszewczyk — Mon, 22 Oct 2007 14:25:22 GMT

802.1x authentication happens (primarily) at layer 2, there are no ports to open on the client(s).

In fact, prior to 802.1x authentication you dont get access to the network medium past layer 1; your clients wont even have IP address yet (or be allowed DHCP requests).

Erik

Re: PEAP and Integrity Client

aoshea — Mon, 22 Oct 2007 14:36:38 GMT

Many thanks Erik, so hopefully no configuration necessary of the integrity client.

many thanks adrian

Re: PEAP and Integrity Client

erikszewczyk — Mon, 22 Oct 2007 14:50:23 GMT

That's correct, there should be no client (software) firewall configuration.

Erik

Re: PEAP and Integrity Client

aoshea — Mon, 22 Oct 2007 15:00:59 GMT

I wish it was as simple as that, unfortunately all laptops (the wireless users) will have the integrity client, so not sure where to go from here, as since checkpoint has purchased integrity the free support has gone!

But as you have pointed out, this happens at layer 2, so not sure if the integrity client gets involved at this point?

thanks again.

regards adrian

Re: PEAP and Integrity Client

erikszewczyk — Mon, 22 Oct 2007 15:06:03 GMT

Correct me if I'm wrong (I'm not very familier with these client firewall products), but as I understand it they are all layer-3/4 firewalls.

That being the case none of them will effect the 802.1x authentication/authorization process.

Re: PEAP and Integrity Client

aoshea — Mon, 22 Oct 2007 15:23:23 GMT

I agree, but for some reason the windows team who do the image for the laptop need me to provide them with what is needed on the integrity client. By as it is layer 2 i'm not sure if rules need to be defined. Suspect the only way to be sure would be to put a sniffer on the client.

Thanks again for your assistance.

regards, Adrian.

Re: PEAP and Integrity Client

erikszewczyk — Mon, 22 Oct 2007 15:41:39 GMT

I know this isnt exactly an all encompasing list but it's about the best thing I could find:

http://www.checkpoint.com/products/enterprise/comparison_chart.html

For what it's worth the Integrity firewall does do some application layer filtering.

I would tell your Windows build team that no settings are needed and just test prior to deployment (you're going to know quickly if it isnt working). I would be very suprised if the client had issues because of this.

Re: PEAP and Integrity Client

aoshea — Mon, 22 Oct 2007 18:25:29 GMT

Hi Eric,

Thanks again for your assistance, this is a good page to work from.

Thanks again for your efforts it is appreciated.

All the best for the testing!

Thanks and regards,

Adrian.