11-04-2004 02:38 PM - edited 07-04-2021 10:08 AM
Can anyone tell me advantages/disadvantages of using one type of PEAP over another? If anyone has a nice, non-biased link that can sum it up that would be appreciated as well. Thanks.
11-05-2004 11:01 AM
You can check out wifi planet: http://www.wi-fiplanet.com/tutorials/article.php/3075481
This will give you an idea of each EAP method, how it is deployed, and what is needed.
11-05-2004 12:25 PM
That is a good article. However, it does not really address the specific differences, advantages/disadvantages of MS PEAP vs. Cisco PEAP.
11-05-2004 12:45 PM
I doubt that you will find such an article. Most articles will be written for marketing purposes - so only the good parts will be seen. The advantages/disadvantages will be more subjective than objective. Cisco LEAP must use Aironet clients or CCX clients. MS PEAP requires certificates be loaded onto the clients and a CA available on the network. So it is a trade off. LEAP doesn't use certificates, but only certain clients/Radius Servers support LEAP. MS-PEAP requires clients capable of handling certificates and if you don't have a local CA, you will need to pay for them. MS-PEAP may only be handled by certain Radius servers. It usually comes down to these details (how much money can we spend on this) that determines which protocol to go with.
11-05-2004 01:08 PM
Have you gone through the PEAP FAQ:
http://www.cisco.com/en/US/partner/netsol/ns339/ns395/ns176/ns178/netqa0900aecd801764fa.html
Just in case that you do not have access to the above URL. I attach the document in pdf format.
I think that PEAP-GTC does not provide the proprietary Windows management functions, like single sign-on, logon scripts, etc.
11-05-2004 03:17 PM
One thing we ran into. MS PEAP sends the username in the clear, not in the encrypted tunnel. We saw this on both win2k & XP.
Cisco tac stated (we didn't test Cisco PEAP) that Cisco PEAP sends both the username and password in the encrypted tunnel.
11-05-2004 05:56 PM
All 802.1x types behave the same regarding the clear text user name. When a wireless client initiates the association process, it sends out a frame called EAPOL start (EAPOL stands for EAP over LAN). The AP responds with an identity request. Then, the wireless client responds with a user name in clear text. I do not know of any 802.1x type that sends the password in clear text.
You can configure machine authentication on PEAP MS-CHAP v2, so that it sends the machine name in clear text.
11-08-2004 09:00 AM
I am surprised to hear this about PEAP. I know LEAP had this issue of sending the username in plaintext, thus leading to its recent vulnerabilities to offline dictionary attacks. The application asleap is said to be able to break the LEAP protocol pretty quickly. However, one of the big advantages EAP-FAST has over LEAP is that it does not send the username in plain text. However, if PEAP also sends the username in plain text I don't see why it's any more secure than LEAP.
11-09-2004 02:40 PM
The username is transmitted in clear text before the TLS tunnel is built. The machine ID is normally sent in PEAP-MS-CHAP v2. I think that the MAC address is used in EAP-FAST.
After a secured tunnel is built, the username is encrypted. Thus, a wireless sniffer is unable to decode the username.
11-11-2004 01:32 PM
I'm having a little bit of trouble understanding what you meant. If the username is transmitted in clear text before the TLS tunnel is built, then how come a wireless sniffer could not detect the username?
11-11-2004 03:50 PM
You are absolutely correct that a wireless sniffer can capture the username before the TLS tunnel is built. However, there is a user authentication in the TLS tunnel. I meant that the user name in the TLS tunnel cannot be captured.
11-11-2004 07:26 PM
Glad that cleared it up. My next question for clarification is: does PEAP (either version) send the username in clear text initially? If it does, why is it any more secure than LEAP?
11-12-2004 08:34 AM
During my testing with MS-PEAP I had machine authentication on. When the computer boots, the computer performs a machine authentication (before the ctrl-alt-del screen appears) into the AD domain. I can see the machine ID (computer name) in the clear before the tunnel is created. Once the user logs into the computer, another EAP authentication occurs. During this authentication the username is sent in the clear before the tunnel is created.
All of Microsoft's documentation on PEAP gives the perception that all authentication credentials are transmitted within the tunnel, which is not the case.
I have not tested the Cisco PEAP client, but when I opened a Cisco case (600215327) the TAC stated:
Whether the username is sent in the clear in phase one of PEAP authentication depends upon the client you are using. The Cisco Aironet PEAP client sends the username through the SSL tunnel only. The initial identity, used in phase one and which is sent in the clear, is the MAC address of the end-user client with "PEAP_" as a prefix. The Microsoft PEAP client does not provide identity protection; the Microsoft PEAP client sends the username in the clear in phase one of PEAP authentication.
Rob
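The phase-one exchange described in the two posts above (EAPOL-Start, Identity Request, then a clear-text EAP Response/Identity) can be checked directly on the wire. The following is an added example, not code from this thread or from Cisco or Microsoft: it parses constructed EAPOL frames, pulls out the outer identity that a passive observer would see, and classifies it. The "PEAP_<MAC>" form is taken from the TAC answer, the "host/<name>" form for Windows machine authentication and the "anonymous@realm" outer identity that later supplicants allow are assumptions not stated in the thread.

```python
import struct
from typing import Dict, Optional, Tuple

EAPOL_EAP_PACKET, EAPOL_START = 0, 1   # EAPOL packet types (802.1X)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # EAP code / type values (RFC 3748)

def eapol_frame(eapol_type: int, body: bytes = b"") -> bytes:
    """Build an EAPOL frame: version(1) type(1) length(2) body."""
    return struct.pack("!BBH", 1, eapol_type, len(body)) + body

def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """Build an EAP Response/Identity: code(1) id(1) length(2) type(1) identity."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data

def outer_identity(frame: bytes) -> Optional[str]:
    """Return the clear-text identity if the frame is an EAP Response/Identity, else None."""
    if len(frame) < 4:
        return None
    _ver, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_EAP_PACKET or len(frame) < 4 + eapol_len:
        return None          # EAPOL-Start, Key, etc. carry no identity
    eap = frame[4:4 + eapol_len]
    if len(eap) < 5:
        return None
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or eap_len > len(eap):
        return None
    return eap[5:eap_len].decode("utf-8", errors="replace")

def identity_exposure(identity: str) -> str:
    """Classify what the outer (phase-one) identity reveals before the TLS tunnel exists."""
    if identity.startswith("PEAP_"):
        return "mac-based placeholder"     # Cisco Aironet PEAP client, per the TAC answer
    if identity.split("@")[0].lower() == "anonymous":
        return "anonymous outer identity"  # assumed mitigation: realm only, user stays in tunnel
    if identity.startswith("host/"):
        return "machine name exposed"      # assumed Windows machine-authentication form
    return "user name exposed"             # Microsoft PEAP client behaviour from the thread

# Constructed sample frames (not a real capture); MAC and names are placeholders.
SAMPLE_FRAMES: Dict[str, bytes] = {
    "eapol-start": eapol_frame(EAPOL_START),
    "ms-peap-user": eapol_frame(EAPOL_EAP_PACKET, eap_identity_response(2, "CORP\\jsmith")),
    "ms-peap-machine": eapol_frame(EAPOL_EAP_PACKET, eap_identity_response(1, "host/ws01.corp.example")),
    "cisco-peap": eapol_frame(EAPOL_EAP_PACKET, eap_identity_response(1, "PEAP_00-0c-29-aa-bb-cc")),
    "anon-outer": eapol_frame(EAPOL_EAP_PACKET, eap_identity_response(1, "anonymous@corp.example")),
}

def audit(frames: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Map each frame name to (identity, exposure) for frames that leak an outer identity."""
    found = {n: outer_identity(f) for n, f in frames.items()}
    return {n: (i, identity_exposure(i)) for n, i in found.items() if i is not None}
```

Run `audit(SAMPLE_FRAMES)` to see that only the EAP Response/Identity frames yield an identity and that the Microsoft-style user and machine identities are the ones a sniffer learns directly.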
11-12-2004 01:37 PM
As per my previous postings, all 802.1x types (including PEAP and LEAP) send out the user name in clear text.
LEAP only uses one username. Thus, the LEAP user name is sent in clear text.
You can use two user names (i.e. machine ID and user ID) in PEAP MS-CHAP v2. Machine ID is sent in clear text. User ID is encrypted.
11-12-2004 04:49 PM
Then I must be doing something wrong. If I perform a user only authentication with mschap-v2, the user ID is sent in the clear before the tunnel is created. If I do both machine and user, the machine ID AND user ID are both sent in the clear. The machine and user authentications are handled as 2 separate EAP authentications. How can I stop this?
Rob