Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
470
Views
5
Helpful
1
Replies

Questions about P-EAP (TLS-Tunnel)

Go to solution
o-ziltener
Level 1
Level 1

‎03-07-2005 09:34 PM - edited ‎07-04-2021 10:32 AM

Are both authentication processes (machine and user) done in the secure TLS-Tunnel?

How important is the client option "verify server-zertificate" within PEAP?

any input is very welcome

Oliver

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
verdann
Level 1
Level 1

‎03-09-2005 12:55 PM

The actual exchange of the authentication credential does take place within the TLS Tunnel - however in the initial EAP-START messages at the beginning of the 802.1x authentication the client has the option of sending a null string or the users actual username before the certificate exchange occurs to setup the tunnel. This behavior is specific to which supplicant you use, and its sometimes considered a privacy leak.

I consider it extremely important that the 'verify server-certificate' option is used. When this option isn't selected, the client will not authenticate the certificate and uses it only as material for setting up the TLS tunnel. This leaves your clients open to man in the middle attacks and other wireless AP spoofing attacks. That doesn't mean however that many sites don't use this option, since they often use self-signed certificates for their wireless radius authentication server and don't want to bother with installing its root certificate on all of their clients to properly authenticate it.

- mike

View solution in original post

1 Reply 1

Go to solution
verdann
Level 1
Level 1

‎03-09-2005 12:55 PM

The actual exchange of the authentication credential does take place within the TLS Tunnel - however in the initial EAP-START messages at the beginning of the 802.1x authentication the client has the option of sending a null string or the users actual username before the certificate exchange occurs to setup the tunnel. This behavior is specific to which supplicant you use, and its sometimes considered a privacy leak.

I consider it extremely important that the 'verify server-certificate' option is used. When this option isn't selected, the client will not authenticate the certificate and uses it only as material for setting up the TLS tunnel. This leaves your clients open to man in the middle attacks and other wireless AP spoofing attacks. That doesn't mean however that many sites don't use this option, since they often use self-signed certificates for their wireless radius authentication server and don't want to bother with installing its root certificate on all of their clients to properly authenticate it.

- mike

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card