EAP-PEAP how is password hash transferred from WLC to RADIUS Server Securely?

Hi there

I have implemented a Wi-Fi network where I am hosting my RADIUS server externally, and I have some concerns regarding the communication between our WLC and the external RADIUS server.

1 - I am finding that the RADIUS server certificate always appears and the user is required to explicitly trust the server certificate, even when properly signed by a public CA.

How can I ensure that the connecting device always trusts the RADIUS server certificate?

Does the CN of the cert need to match the SSID name and thus does the SSID name need to be a public DNS domain?

2 - I know EAP-PEAP uses TLS to create an encrypted tunnel to protect user passwords; however, I can see via packet tracing that the tunnel is from CLIENT --> AP and not from AP to RADIUS server. The traffic from the WLC to RADIUS consists of 4 UDP packets, which are the Access-Request packets.

I can see the TLS tunnel being set up when capturing packets from the user device; however, from our firewall edge I only see the RADIUS Access-Request and Challenge packets between the WLC and RADIUS.

These packets are UDP and not encrypted; they hold the WLC internal IP and hostname along with the username in cleartext. How is the actual password transmitted to the RADIUS server at this stage? i.e., under which RADIUS attribute is the password held, and how is the hash calculated?
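The packets described in question 2 can be reconstructed byte for byte. The following is an added example, not code from the original post or from Cisco: it builds a RADIUS Access-Request of the kind a WLC relays for a PEAP client, parses it the way a firewall capture would be read, and contrasts it with PAP. The facts it rests on are from RFC 2865 and RFC 2869: the outer identity travels in User-Name (attribute 1), the supplicant's EAP frames travel verbatim in EAP-Message (attribute 79), and every Access-Request carrying EAP-Message must include a Message-Authenticator (attribute 80), an HMAC-MD5 over the packet keyed with the shared secret. There is no password attribute at all in the PEAP case: the EAP-Message payload is the TLS handshake between the supplicant and the RADIUS server, which terminates the tunnel (the WLC only forwards it), and the inner MSCHAPv2 challenge/response happens inside that tunnel. A User-Password attribute (type 2) appears only with PAP, and it is not a hash but a reversible XOR mask derived from MD5(secret + Request Authenticator), shown here for comparison. The shared secret, NAS address, user name and TLS bytes are constructed sample values.

```python
"""Added example (not from the original post): lay out and inspect a RADIUS
Access-Request carrying PEAP, and contrast it with PAP's User-Password.
All values below (secret, NAS IP, user name, TLS bytes) are constructed."""
import hashlib
import hmac
import struct

SECRET = b"example-shared-secret"          # assumed WLC<->RADIUS shared secret
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_PEAP, TLS_HANDSHAKE = 2, 25, 0x16


def attr(atype, value):
    """One RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2 User-Password hiding, used only for PAP. Pad to 16-byte
    blocks and XOR each block with MD5(secret + previous output block), seeded
    with the Request Authenticator. Not a hash: reversible with the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, authenticator, attrs, secret):
    """Code 1 = Access-Request. Message-Authenticator (RFC 2869 s5.14) is
    HMAC-MD5 over the whole packet with its own 16 bytes zeroed; it is
    mandatory whenever EAP-Message is present, so the EAP payload cannot be
    altered in transit without the RADIUS server noticing."""
    body = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                 # replace the zeroed placeholder


def parse_attributes(pkt):
    """Walk the TLVs after the 20-byte RADIUS header."""
    attrs, pos = [], 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC with attribute 80 zeroed and compare in constant time."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + alen])
        pos += alen
    return False


def peap_access_request():
    """What the WLC relays for a PEAP client: the supplicant's EAP-Response of
    type 25 (PEAP) wrapping a TLS record, plus the NAS identity. There is no
    password attribute; MSCHAPv2 runs inside the TLS tunnel, which the RADIUS
    server terminates. The TLS record here is a constructed stand-in."""
    authenticator = bytes(range(16))       # fixed instead of random, for the demo
    tls_record = bytes([TLS_HANDSHAKE, 0x03, 0x01, 0x00, 0x04]) + b"\x01\x00\x00\x00"
    eap = struct.pack("!BBHBB", EAP_RESPONSE, 1, 6 + len(tls_record),
                      EAP_TYPE_PEAP, 0x00) + tls_record
    attrs = (attr(ATTR_USER_NAME, b"alice@example.com")   # outer identity, cleartext
             + attr(ATTR_NAS_IP, bytes([10, 0, 0, 5]))
             + attr(ATTR_EAP_MESSAGE, eap))
    return build_access_request(7, authenticator, attrs, SECRET)


def summarize(pkt, secret):
    """What a firewall-edge capture shows: attributes present, whether any
    password attribute exists, and what the EAP-Message actually carries."""
    attrs = dict(parse_attributes(pkt))
    eap = attrs.get(ATTR_EAP_MESSAGE, b"")
    return {
        "user_name": attrs.get(ATTR_USER_NAME, b"").decode(),
        "has_user_password": ATTR_USER_PASSWORD in attrs,
        "eap_type": eap[4] if len(eap) > 5 else None,
        "tls_record_type": eap[6] if len(eap) > 6 else None,
        "message_authenticator_ok": verify_message_authenticator(pkt, secret),
    }


if __name__ == "__main__":
    print(summarize(peap_access_request(), SECRET))
    auth = bytes(range(16))
    hidden = hide_password(b"hunter2", SECRET, auth)
    print(hidden.hex(), unhide_password(hidden, SECRET, auth))
```

Two things follow from running this. First, the only secret protecting the WLC-to-RADIUS leg is the shared secret: it keys the Message-Authenticator and, for PAP, the User-Password mask, so a weak or reused secret undermines both; on an internet path, wrap RADIUS in IPsec or use RadSec (RADIUS over TLS, RFC 6614) rather than relying on the attributes alone. Second, the outer User-Name is visible to anyone on the path regardless; supplicants can be configured with an anonymous outer identity so that only the inner (tunnelled) identity is the real one.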
