Very confused on authentication concepts : EAP, PEAP, EAP-MSCHAPv2, ...

Question

  • Hi,

    Yes, I'm really confused on some authentication concepts. I tried to learn each of the possible VPN technologies (PPTP, L2TP/IPSEC, SSTP, IKEv2). Things always start happily, until I get to the authentication part. Despite having recently obtained a CCNA, I'm still confused about EAP-related questions.

    My questions :

    1) What is EAP-based authentication ? When is it relevant to use it ?

    2) In Windows server, what is the difference between EAP-MSCHAPv2 and PEAP ?

    3) Can I (or, do I have to) use certificates with EAP-MSCHAPv2 ?

    4) Can I (or, do I have to) use certificates with PEAP ?

    Thanks in advance for any help. Note that my NPS server is a VM separated from the VPN's VM.

    Sunday, February 10, 2013 2:19 PM

All replies

  • 1) EAP is basically a framework and is used to transport the authentication protocol. It can be used for wireless and wired networks. It is NOT an authentication method on its own. So you can authenticate as you want: password, MD5, certificates, biometric...

    2) If you use EAP-MSCHAPv2, it means that your clients don't need to have a certificate, but your authentication server (NPS) has a certificate. Passwords from the clients are sent as hashes to the authentication server. To protect these password hashes being sent over the network, you can use PEAP, which acts as a TLS/SSL tunnel to protect the authentication traffic.

    3) Only the authentication server (NPS) needs a certificate. EAP-MSCHAPv2 is a password based authentication method.

    4) You can use PEAP-EAP-MSCHAPv2, which uses a certificate on the authentication server (NPS) and a password for clients. You can use PEAP-EAP-TLS, which uses a certificate on the authentication server and a certificate on the client. PEAP is used to protect the authentication traffic.

    Hope it helps

    Johan


    Johan Loos CISSP,MCT,ISO 27001 and others

    • Marked as answer by 朱鸿文 Monday, March 4, 2013 6:49 AM
    Monday, February 11, 2013 1:36 PM
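The "EAP is a framework, the method is what it carries" point above, shown on the wire as an added example (constructed bytes, not code from this thread or from Microsoft): the EAP envelope is just Code/Identifier/Length/Type, the method is chosen by the Type byte, and for PEAP the type-data is a flags byte followed by TLS records, so the inner EAP-MSCHAPv2 exchange is only visible inside the tunnel that the NPS server certificate authenticates.

```python
"""EAP framing (RFC 3748) with the PEAP outer layer (EAP type 25).

Constructed sample, not code from the thread or from Microsoft. EAP itself is
only a Code/Identifier/Length/Type envelope; the method (Identity, EAP-MSCHAPv2,
EAP-TLS, PEAP) is selected by the Type byte. PEAP's type-data is a flags byte
followed by TLS records, so the inner EAP-MSCHAPv2 exchange cannot be read on
the wire until the TLS tunnel (authenticated by the NPS certificate) is opened.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap(code: int, ident: int, eap_type: int = 0, data: bytes = b"") -> bytes:
    """Encode one EAP packet; eap_type 0 means no Type byte (Success/Failure)."""
    body = bytes([eap_type]) + data if eap_type else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode_eap(pkt: bytes) -> dict:
    """Decode the EAP header and, for PEAP, its flags; ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} does not match {len(pkt)} bytes received")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte and type-data
        if length < 5:
            raise ValueError("EAP Request/Response without a Type byte")
        info["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        info["data"] = pkt[5:]
        if pkt[4] == 25 and len(pkt) >= 6:  # PEAP: flags byte, then TLS data
            flags = pkt[5]
            info["peap"] = {"length_included": bool(flags & 0x80), "more": bool(flags & 0x40),
                            "start": bool(flags & 0x20), "version": flags & 0x07}
            info["tls_data"] = pkt[6:]  # opaque here: TLS ciphertext once the handshake is done
    return info


# Constructed exchange: NPS sends PEAP Start (S flag set), the client answers
# with a (fake) TLS ClientHello record; the MS-CHAPv2 packet only travels inside TLS.
PEAP_START = build_eap(1, 2, 25, b"\x20")
CLIENT_HELLO = build_eap(2, 2, 25, b"\x00" + b"\x16\x03\x01\x00\x05hello")
INNER_MSCHAPV2 = build_eap(1, 3, 26, b"\x01\x03\x00\x0a\x10")  # constructed MS-CHAPv2 Challenge bytes
```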
  • Thanks Johan,

    To make sure I do understand, I'll try to wrap it up in terms of concepts definitions :

    A) EAP is a kind of meta-protocol specialized in encapsulating classical authentication protocols (example: MSCHAPv2). When EAP is used, a main negotiation phase is executed for establishing the authentication tunnel; the second phase is the execution of the classical authentication protocol.

    B) PEAP refers to securing the EAP tunnel by using a certificate on the server side only (kind-of SSL).

    C) TLS refers to securing the tunnel by using certificates on both Server and Client sides (kind-of IPSEC with certificates).

    Monday, February 11, 2013 3:20 PM
  • Yes, in the authentication phase, the authentication protocol is negotiated from the client, because the client can be configured to support multiple authentication methods.

    More details: http://technet.microsoft.com/en-us/network/cc917480

    EAP authentication is indeed protected by the certificate of the authentication server. For example in a wireless scenario, the wireless client will download the cert of the NPS and use this cert to create the secure tunnel.

    TLS and SSL are more or less the same, but the client does need to have a certificate (this is optional).


    Johan Loos CISSP,MCT,ISO 27001 and others

    Monday, February 11, 2013 3:38 PM
  • 3) Only the authentication server (NPS) needs a certificate. EAP-MSCHAPv2 is a password based authentication method.

    4) You can use PEAP-EAP-MSCHAPv2 which use a certificate on the authentication server (NPS) and a password for clients. You can use PEAP-EAP-TLS which use a certificate on the authentication server and a certificate on the client.

    Are you telling me that : whatever EAP method I use, I will need (at least) a certificate on the authentication server (NPS) side ? I did understand that for EAP-MSCHAPv2 (without any mention of "TLS" or "PEAP") I do not need a certificate, neither on client nor on server side.

    Monday, February 11, 2013 4:02 PM
  • Hi - As Johan indicated, I believe that a certificate is required on the NPS-side of the communication to establish the SSL tunnel.  Once established, the selected authentication mechanism is used.  The authentication can be account and password or a client certificate.

    ~fr3dd


    fr3dd

    Tuesday, February 12, 2013 4:13 AM
  • If you only use EAP-MSCHAPv2 without PEAP, you don't need a certificate on the NPS. Mutual authentication is done via passwords.

    Johan Loos CISSP,MCT,ISO 27001 and others

    Tuesday, February 12, 2013 7:51 AM
  • Hi Johan,

    Thank you for the very helpful answers. The EAP concept seems very clear to me now. I'll continue doing my VPN/NPS labs. But there is still something that is not clear to me, on where certificates are deployed. If a VPN server is deployed on a separate machine acting as Radius Client and the NPS server is deployed as a separate machine acting as Radius Server :

    i) - I did understand that the PEAP or EAP-TLS server certificate is deployed on the NPS machine ?

    ii) - I guess also that (to complete the chain) I need to deploy a certificate on the VPN machine ?

    Note : I did a couple of VPN/NPS labs; most of the time the two functionalities are deployed on the same machine. But the theory says that, with Radius's help, the two things can be split into two machines.

    Tuesday, February 12, 2013 1:40 PM
  • i) Before you can configure PEAP on the NPS server, this server must have a server certificate with the purpose of Server Authentication in your certificate template. Because you need to select the certificate in your Network Policy.

    ii)The VPN server doesn't need to have a certificate, because your VPN server will forward the authentication traffic to the RADIUS server. Instead of a wireless network, you don't have to add a certificate on your wireless access point.

    Best practice is to have these roles separated. You need to configure your VPN server with the IP address of your NPS Server and add your VPN server as RADIUS client on the NPS server. Create a network policy with the authentication method used.


    Johan Loos

    Tuesday, February 12, 2013 2:52 PM
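What "add your VPN server as RADIUS client" and "forward the authentication traffic" amount to on the wire, as an added example (constructed packets and a constructed shared secret; not code from this thread or from Microsoft): the VPN server copies the client's EAP packet into EAP-Message attributes and proves the request with the shared secret it has in common with NPS, which is why the VPN server needs no certificate of its own.

```python
"""RADIUS transport of EAP from the VPN server (RADIUS client) to NPS (RADIUS
server), per RFC 2865 and RFC 3579. Constructed example, not the thread's or
Microsoft's code. The VPN server only relays EAP-Message attributes and signs
the request with the shared secret (Message-Authenticator); NPS checks that
secret, so the RADIUS client entry on NPS and the NPS address on RRAS must match.
"""
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type, Length (including the 2-byte header), Value (<= 253 bytes)."""
    return bytes([kind, 2 + len(value)]) + value


def build_access_request(secret: bytes, ident: int, user: str, nas_ip: str,
                         eap: bytes, authenticator: bytes = None) -> bytes:
    """VPN-server side: wrap one EAP packet in an Access-Request signed with the shared secret."""
    req_auth = authenticator or os.urandom(16)                 # Request Authenticator (random)
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for i in range(0, len(eap), 253):                          # EAP-Message is fragmented at 253 bytes
        attrs += attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))            # zeroed while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_and_extract_eap(secret: bytes, pkt: bytes):
    """NPS side: return the reassembled EAP packet, or None if malformed, unsigned or wrongly signed."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    eap, ma_off, off = b"", None, 20
    while off < len(pkt):
        if off + 2 > len(pkt) or pkt[off + 1] < 2 or off + pkt[off + 1] > len(pkt):
            return None                                        # malformed attribute
        kind, value = pkt[off], pkt[off + 2:off + pkt[off + 1]]
        if kind == MESSAGE_AUTHENTICATOR and len(value) == 16:
            ma_off = off + 2
        elif kind == EAP_MESSAGE:
            eap += value
        off += pkt[off + 1]
    if ma_off is None:   # RFC 3579 3.2: EAP-Message without Message-Authenticator is discarded
        return None
    zeroed = pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return eap if hmac.compare_digest(expected, pkt[ma_off:ma_off + 16]) else None
```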
  •  You need to configure your VPN server with the IP address of your NPS Server and add your VPN server as RADIUS client on the NPS server.

    Thanks for your answer. But I do not understand what you mean by : "configure your VPN server with the IP address of your NPS Server" ?

    If VPN and NPS are two separate machines, each of them has its own IP address. VPN is the Radius Client, NPS is Radius Server. So far, it's what I did understand.

    Tuesday, February 12, 2013 3:22 PM
  • If the VPN and NPS role is on the same server, you still need to add RADIUS client to your NPS server. Which is in your case its own IP address. And in RRAS (VPN), configure the IP address of your NPS server, which is again the same IP address in your case.

    But best practice is to separate these roles


    Johan Loos

    Wednesday, February 13, 2013 7:57 AM
  • Thanks Johan for your last answer,

    I do not remember having done any explicit configuration of RADIUS when NPS and VPN roles are on the same machine. I thought that configuration is seamless (implicit) when the two roles are on the same machine.

    Wednesday, February 13, 2013 1:28 PM
  • You have to configure NPS and VPN. Nothing is done automatically ;)

    Johan Loos

    Thursday, February 14, 2013 12:05 PM
  • I did lots of VPN labs and Googling this weekend and yesterday night, trying to make it work with RADIUS and two separate machines (VPN server and NPS server).

    - It works very well with EAP-MSCHAPv2 (without issuing any certificate).

    - If I install a certificate on NPS server (or on the two servers), nothing works.

    I think I will give up until I get a "step-by-step guide on deploying VPN and NPS with certificates on two separate servers". So far, all working examples with certificates I have seen have the NPS and RRAS services deployed on the same machine.

    • Marked as answer by 朱鸿文 Monday, March 4, 2013 6:49 AM
    Tuesday, February 19, 2013 1:27 PM
  • So far, some good news !

    I did things very simple. I did that NAP VPN enforcement lab http://www.microsoft.com/en-us/download/details.aspx?id=5536 without doing NAP specific aspects. I just wanted to have a simple VPN lab which separates VPN server from NPS server and uses RADIUS and PEAP.

    ++++ Successful steps ++++

    - step 1 : No certificates on client, VPN and NPS servers => EAP-MSCHAPv2 with PPTP works

    - step 2 : Certificate on NPS server only => PEAP (with EAP-MSCHAPv2) with PPTP works.

    - step 3 : Certificates on VPN and NPS servers => PEAP (with EAP-MSCHAPv2) with SSTP works.

    - step 4 : I did not do that step. But, I think if I add IKE application usage on VPN's certificate, L2TP/IPSEC will probably work.

    ----- Not so Good step -----

    If I install a certificate on the client and try to run PEAP (with "smart card or Certificate" selected), I get in trouble, with error 812 in a message box on the client side.

    ???? Questions  ????

    1) From a working PEAP-EAP-MSCHAPv2, what changes do I have to make for PEAP-TLS to work ?

    2) I did deploy an Administrator or User certificate (by Webenroll) on my Win7 client. Does that kind of certificate do the job for PEAP ?

    3) Could the same client certificate be used both for PEAP and for L2TP/IPSEC ?

    Thanks in advance for any help !

    Friday, March 8, 2013 9:33 PM
  • I definitely give up on that subject ! Until I get clear information on how to configure advanced VPN/NPS deployments.

    By advanced I mean : EAP, EAP-TLS and PEAP with clients using certificate as security credential.


    Sunday, March 10, 2013 3:01 PM