Really confused about PEAP and MS-CHAP v2. Why are they sometimes separated and sometimes one is an option of the other?

  • Question

  • Hi,

    I'm trying to understand 802.1X authentication using a Windows Server 2012. I've done deep research on the internet, but I've seen that this topic is still confusing for a lot of people, as I always seem to find different information.

    What's more confusing are actually all the settings inside the NPS, that keep repeating themselves but in different windows with different graphics, so I don't really understand their meaning.

    For example, creating a policy using the standard configuration from the first NPS menu, it asks me this: 



    I can see that there is PEAP and EAP-MSCHAPv2. First question: shouldn't I find EAP-TLS too?

    But then, if I select PEAP and I click on "Configure" I get this window: 

    You can see below it says AGAIN "EAP-MS-CHAPv2" as "EAP type" of PEAP. What's the difference between this one and the previous one?

    But it's not finished yet. Once I've finished creating the policy, I can modify its properties on the Network Policies side, and under "Conditions" I can find this again: 

    Again a lot of different authentication methods, among which there is PEAP too (but it was PEAP already, no??), all of them unselected.

    And under that I can find also "Allowed EAP types" which AGAIN has PEAP and EAP-MS-CHAPv2: 

    And changing tab, under "Constraints", I will find this: 

    So, five times MS-CHAPv2 (and others)... and this really confuses me. Can someone please explain all these options to me briefly? Shouldn't MS-CHAPv2 and PEAP be two different authentication methods? Why do I see them separated or joined in every different window of NPS?

    Thank you in advance and sorry.

    Thursday, March 8, 2018 4:27 PM

All replies

  • Hi,

    Thanks for your question.

    1. From the post, actually, the first, second and last pictures are all the same configuration of EAP type for authentication.
    2. In the third picture, it means specifying the authentication methods of the client requesting to connect.
    3. In the fourth picture, “Protected EAP (PEAP)” means identity authentication needs to have a certificate, “Secured password” means identity authentication doesn’t need to have a certificate.

    Difference between EAP-MSCHAPv2 and PEAP.

    1) EAP is basically a framework and is used as a transport for the authentication protocol. It can be used for wireless and wired networks. It is NOT an authentication method on its own. So you can authenticate as you want: password, MD5, certificates, biometric....

    2) If you use EAP-MSCHAPv2, it means that your clients don't need to have a certificate, but your authentication server (NPS) has a certificate. Passwords from the clients are sent using hashes to the authentication server. To protect these password hashes being sent over the network, you can use PEAP, which acts as a TLS/SSL tunnel to protect the authentication traffic.

    3) Only the authentication server (NPS) needs a certificate. EAP-MSCHAPv2 is a password based authentication method.

    4) You can use PEAP-EAP-MSCHAPv2, which uses a certificate on the authentication server (NPS) and a password for clients. You can use PEAP-EAP-TLS, which uses a certificate on the authentication server and a certificate on the client. PEAP is used to protect the authentication traffic.

    Please refer to the following link:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770622%28v%3dws.10%29

    Hope the information above is helpful.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 9, 2018 11:32 AM
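A small Python model of the nesting Michael describes in points 2 and 4 (an added example, not code from the thread or from NPS): PEAP is the outer EAP type that builds the TLS tunnel, and EAP-MSCHAPv2 is either a top-level EAP type on its own or the inner type run inside that tunnel, which is why NPS lists it in both places. The EAP type numbers are the real IANA values; the EapMethod class, the on_wire view and the POLICY dictionary are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA-assigned EAP method type numbers (real values; everything else here is constructed).
EAP_TLS, PEAP, EAP_MSCHAPV2 = 13, 25, 26

@dataclass
class EapMethod:
    eap_type: int
    server_cert: bool                     # server presents a certificate to the client
    client_cert: bool                     # client must present a certificate
    inner: Optional["EapMethod"] = None   # PEAP carries a second EAP method inside its TLS tunnel

def bare_mschapv2() -> EapMethod:
    # "Secured password (EAP-MSCHAP v2)" selected as a top-level EAP type: no certificate anywhere
    return EapMethod(EAP_MSCHAPV2, server_cert=False, client_cert=False)

def peap_mschapv2() -> EapMethod:
    # "Protected EAP (PEAP)" with EAP-MSCHAPv2 chosen in its Configure... dialog as the inner type
    return EapMethod(PEAP, server_cert=True, client_cert=False, inner=bare_mschapv2())

def peap_tls() -> EapMethod:
    # PEAP-EAP-TLS: server certificate for the tunnel, client certificate for the inner method
    inner = EapMethod(EAP_TLS, server_cert=True, client_cert=True)
    return EapMethod(PEAP, server_cert=True, client_cert=True, inner=inner)

def on_wire(method: EapMethod) -> List[str]:
    """Protocol elements a passive observer of the EAP exchange can read. Messages carried
    inside the PEAP tunnel appear only as opaque TLS records."""
    if method.eap_type == EAP_MSCHAPV2:          # NT-hash based challenge/response, unprotected
        return ["mschapv2-challenge", "mschapv2-response"]
    if method.eap_type == EAP_TLS:
        return ["tls-handshake(server-cert, client-cert)"]
    if method.eap_type == PEAP:
        return ["tls-handshake(server-cert)"] + ["tls-record"] * len(on_wire(method.inner))
    raise ValueError(f"unknown EAP type {method.eap_type}")

def password_material_exposed(method: EapMethod) -> bool:
    return any(e.startswith("mschapv2") for e in on_wire(method))

# Constructed NPS-style policy: the outer "Allowed EAP types" list, plus the inner list that
# PEAP's own Configure... dialog holds (the second place the thread saw EAP-MSCHAPv2).
POLICY = {"allowed": {PEAP, EAP_MSCHAPV2}, "peap_inner": {EAP_MSCHAPV2}}
def policy_allows(policy: dict, method: EapMethod) -> bool:
    if method.eap_type not in policy["allowed"]:
        return False
    if method.eap_type == PEAP:                   # outer type allowed; inner type checked separately
        return method.inner is not None and method.inner.eap_type in policy["peap_inner"]
    return True
```

With this policy PEAP-EAP-MSCHAPv2 and bare EAP-MSCHAPv2 are both accepted, but only the PEAP form keeps the MSCHAPv2 challenge/response inside the TLS tunnel, which is the protection Michael's point 2 refers to.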
  • Hi Giant,

    How are things going on? Was your issue resolved?

    Please let us know if you would like further assistance.

    Best regards,

    Michael



    Monday, March 12, 2018 8:54 AM
  • Hi Michael and thank you for your answer. Sadly it's still quite unclear to me.

    In your point 2, you say that using EAP-MSCHAPv2 means that the clients don't need to have a certificate, but the authentication server (NPS) does. What's the difference if I choose PEAP in the first screenshot instead of EAP-MSCHAPv2?

    Monday, March 12, 2018 1:26 PM
  • Hi Giant,

    Thanks for your update.

    I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best regards,

    Michael





    Wednesday, March 14, 2018 10:24 AM
  • Thank you :) I've asked on Reddit too and it seems this topic is not confusing only to me. The NPS server is actually quite unclear to most of the people.

    Wednesday, March 14, 2018 10:49 AM
  • Hi Giant,

    Thanks for your update.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Your kind understanding is highly appreciated. If you have further information during this period, you could post it on the forum, which helps us understand and analyze this issue comprehensively.

    In addition, we can click on the following link to give some suggestions and any suggestion will be appreciated.

    https://windowsserver.uservoice.com/forums/295047-general-feedback

    Hope the above information can help you.

    Sorry for the inconvenience and thanks for your understanding and support.

    Best regards,

    Michael



    Thursday, March 15, 2018 6:55 AM
  • You copy-pasted this answer from another post!

    I know you did because your question answers "1, 2, 3 and 4" are the 4 direct answers to another post where the guy listed 4 questions and those were the 4 answers copy-pasted here.

    Then I see that when this guy was still confused (as he should be, since you didn't answer HIS question, you just posted the answer to some other guy's question), you replied by saying you needed to do some research.

    THIS is why we are all confused on the subject. Because people are posting answers when they don't even really know the answer. You should do research BEFORE you post an answer. Also, you should answer the actual question, not just copy some other answer from entirely different questions.


    Sunday, December 8, 2019 8:31 PM