Questions about PEAP (TLS tunnel)

o-ziltener
Level 1

Are both authentication processes (machine and user) done in the secure TLS tunnel?

How important is the client option "verify server certificate" within PEAP?

Any input is very welcome.

Oliver

Accepted Solution

verdann
Level 1

The actual exchange of the authentication credential does take place within the TLS tunnel; however, in the initial EAP-Start messages at the beginning of the 802.1X authentication the client has the option of sending a null string or the user's actual username before the certificate exchange occurs to set up the tunnel. This behavior is specific to which supplicant you use, and it's sometimes considered a privacy leak.

I consider it extremely important that the 'verify server certificate' option is used. When this option isn't selected, the client will not authenticate the certificate and uses it only as material for setting up the TLS tunnel. This leaves your clients open to man-in-the-middle attacks and other wireless AP spoofing attacks. That doesn't mean, however, that many sites don't use this option, since they often use self-signed certificates for their wireless RADIUS authentication server and don't want to bother with installing its root certificate on all of their clients to properly authenticate it.

- mike

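The two points in the accepted answer (outer identity sent before the tunnel exists, and server certificate verification being optional on the client) map directly onto supplicant settings. As an added example that is not part of the original thread, here are two wpa_supplicant network blocks for the same PEAP/MSCHAPv2 SSID: the first configured the way the answer warns against, the second hardened. The SSID, identities, password placeholder, CA file path and RADIUS server hostname are assumed values for illustration.

```conf
# Added example, not from the original post. SSID, identities, the CA path
# and the RADIUS server hostname are assumed values.

# WEAK: no ca_cert, so the supplicant does not authenticate the server
# certificate and uses it only as keying material for the TLS tunnel.
# Any rogue AP presenting any certificate can terminate the tunnel and
# collect the inner MSCHAPv2 exchange. The outer identity defaults to the
# real username, which is sent in cleartext before TLS is established.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="oliver@example.com"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: ca_cert restricts trust to the CA that issued the RADIUS
# server certificate; domain_suffix_match rejects any certificate from that
# CA that is not for the expected server; anonymous_identity keeps the real
# username inside the TLS tunnel (the realm is still visible so roaming
# infrastructure can route the request).
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="oliver@example.com"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The same controls exist in other supplicants under different names: the Windows PEAP profile has "Verify the server's identity by validating the certificate" together with a list of trusted root CAs and expected server names, and leaving that unchecked is the "verify server certificate off" case the answer describes. For a self-signed RADIUS certificate, the certificate itself is the trust anchor, so it (or its issuing CA) still has to be distributed to every client for the check to mean anything.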

