10-22-2007 04:17 AM - edited 07-03-2021 02:48 PM
Dear Support,
Looking at deploying PEAP, via WZC client and MS-CHAP v2.
The desktop team would like to know what rules need to be configured on the Integrity client for PEAP authentication.
Can anyone help me please?
Thanks in advance.
I always rate helpful posts.
Regards, Adrian.
10-22-2007 04:33 AM
A WPA suite is always a good option for message integrity. Both WPA/WPA2 do MIC through TKIP and AES, which would be an answer to your query.
10-22-2007 05:16 AM
Many thanks for the update, I totally agree with your recommendations, but from a client firewall perspective (i.e. the Integrity client) what ports would I need to allow for PEAP authentication ... i.e. is it over HTTP (TCP port 80), HTTPS (TCP port 443), etc.
Your assistance is appreciated.
Thanks again.
Regards,
Adrian
10-22-2007 07:25 AM
802.1x authentication happens (primarily) at layer 2; there are no ports to open on the client(s).
In fact, prior to 802.1x authentication you don't get access to the network medium past layer 1; your clients won't even have an IP address yet (or be allowed DHCP requests).
Erik
10-22-2007 07:36 AM
Many thanks Erik, so hopefully no configuration necessary of the Integrity client.
Many thanks, Adrian
10-22-2007 07:50 AM
That's correct, there should be no client (software) firewall configuration.
Erik
10-22-2007 08:00 AM
I wish it was as simple as that, unfortunately all laptops (the wireless users) will have the Integrity client, so not sure where to go from here, as since Check Point has purchased Integrity the free support has gone!
But as you have pointed out, this happens at layer 2, so not sure if the Integrity client gets involved at this point?
Thanks again.
Regards, Adrian
10-22-2007 08:06 AM
Correct me if I'm wrong (I'm not very familiar with these client firewall products), but as I understand it they are all layer-3/4 firewalls.
That being the case, none of them will affect the 802.1x authentication/authorization process.
10-22-2007 08:23 AM
I agree, but for some reason the Windows team who do the image for the laptop need me to provide them with what is needed on the Integrity client. But as it is layer 2 I'm not sure if rules need to be defined. Suspect the only way to be sure would be to put a sniffer on the client.
Thanks again for your assistance.
Regards, Adrian.
10-22-2007 08:41 AM
I know this isn't exactly an all-encompassing list but it's about the best thing I could find:
http://www.checkpoint.com/products/enterprise/comparison_chart.html
For what it's worth the Integrity firewall does do some application layer filtering.
I would tell your Windows build team that no settings are needed and just test prior to deployment (you're going to know quickly if it isn't working). I would be very surprised if the client had issues because of this.
10-22-2007 11:25 AM
Hi Erik,
Thanks again for your assistance, this is a good page to work from.
Thanks again for your efforts it is appreciated.
All the best for the testing!
Thanks and regards,
Adrian.
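An added illustration of the layer-2 point made in this thread (not posted by any participant): a small Python classifier that reads Ethernet-format frames, as a sniffer on the client would record them, and reports whether a port-based rule has anything to match. The sample frames, MAC addresses and function name are constructed for the example; checksums in the sample IPv4/UDP headers are left at zero.

```python
import struct

ETH_EAPOL, ETH_VLAN, ETH_IPV4 = 0x888E, 0x8100, 0x0800   # EtherType values
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def classify(frame: bytes) -> dict:
    """Report what a port-based (layer 3/4) rule could match in one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if ethertype == ETH_VLAN and len(payload) >= 4:       # step over one 802.1Q tag
        (ethertype,) = struct.unpack("!H", payload[2:4])
        payload = payload[4:]
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        ihl, proto = (payload[0] & 0x0F) * 4, payload[9]
        info = {"kind": "IPv4", "ip_proto": proto, "dport": None}
        if proto in (6, 17) and len(payload) >= ihl + 4:  # TCP or UDP header present
            (info["dport"],) = struct.unpack("!H", payload[ihl + 2:ihl + 4])
        return info
    if ethertype != ETH_EAPOL or len(payload) < 4:
        return {"kind": "other", "ethertype": ethertype, "dport": None}
    _version, ptype, length = struct.unpack("!BBH", payload[:4])
    # EAPOL sits directly on Ethernet: no IP header, so no port exists to filter on.
    info = {"kind": "EAPOL", "eapol_type": EAPOL_TYPES.get(ptype, ptype), "dport": None}
    body = payload[4:4 + length]
    if ptype == 0 and len(body) >= 4:                     # EAPOL carries an EAP packet
        info["eap_code"] = EAP_CODES.get(body[0], body[0])
        if body[0] in (1, 2) and len(body) >= 5:          # only Request/Response name a method
            info["eap_method"] = EAP_METHODS.get(body[4], body[4])
    return info

# Constructed sample frames (not captured traffic).
SUPPLICANT = bytes.fromhex("020000000001")                # made-up locally administered MAC
AUTHENTICATOR = bytes.fromhex("020000000002")             # made-up locally administered MAC
PAE_GROUP = bytes.fromhex("0180c2000003")                 # 802.1X PAE group address
EAPOL_START = PAE_GROUP + SUPPLICANT + bytes.fromhex("888e" "01010000")
PEAP_REQUEST = SUPPLICANT + AUTHENTICATOR + bytes.fromhex("888e" "01000006" "010200061920")
DHCP_DISCOVER = (b"\xff" * 6 + SUPPLICANT + bytes.fromhex("0800")
                 + bytes.fromhex("4500001c000000004011000000000000ffffffff")  # IPv4, proto 17
                 + bytes.fromhex("0044004300080000"))                         # UDP 68 -> 67

if __name__ == "__main__":
    for name in ("EAPOL_START", "PEAP_REQUEST", "DHCP_DISCOVER"):
        print(name, classify(globals()[name]))
```

The two EAPOL frames come back with `dport` set to `None`, while the DHCP frame that follows authentication is the first one with a UDP port a client firewall rule could act on.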