NPS using PEAP and PAP for MAC Authorization

    Question

  • I have some questions dealing with MAC authorization, PAP, and PEAP. At my company our current wireless configuration is using a Win2k3 IAS server with certificate-based EAP-PEAP authentication using MSCHAPv2, but also unencrypted authentication via PAP. The individual responsible for this configuration has long since left the company, and I am responsible for implementing a new wireless network using a similar config, which leads me to posting on this forum.

    In this config we have two factors of authentication. The first is MAC authorization, which requires unencrypted authentication using PAP, and the other is AD authentication using PEAP-MSCHAPv2. I can actually check the logs and see the clients authenticating with the AD user account and the AD MAC account. Here are the questions.

    PAP is selected as the authentication method and PEAP as the EAP type in the same policy, to hopefully force both forms of authentication. The first question is which form of authentication is actually being implemented: PAP, PEAP-MSCHAPv2, or both? Second, if it is PAP, my concern is whether the AD authentication will be sent across in plain text as the MAC authorization is. And is the MAC authorization accompanying the AD authentication providing further security at all, or is it superfluous?

    If you need me to clarify the situation further let me know.

    On another note I couldn't verify my account to upload images or include any links.

    Saturday, January 5, 2013 4:22 PM

All replies

  • Hi,

    Thanks for your post.

    With a Windows 2003 IAS server, I would recommend that you create two access policies that use different authentication types, and change the order of the two policies to ensure clients try to authenticate with the method you want: PEAP-MSCHAPv2 first and then PAP, or vice versa.

    In a Windows 2008/R2 NPS server, you can add more than one authentication method to a single network policy. It will use the method listed at the top to authenticate the request. You can move methods up or down to change the order in which they are used.

    Best Regards,
    Aiden

    Aiden Cao
    TechNet Community Support

    Wednesday, January 9, 2013 5:33 AM
    Moderator
  • Aiden,

    Thank you for responding.

    My question was in regards to the mechanism behind PEAP and PAP on the NPS. However, I believe I was able to find the answers I sought. In the configuration of PEAP and PAP, the AP will send the MAC credentials first over plain text (PAP) to the NPS and will follow with the other AD account credentials using PEAP-MSCHAPv2. So, in answer to my questions, I believe it authenticates using both PAP and PEAP-MSCHAPv2, and only the MAC authorization is sent over plain text. I am not positive about this, but from checking the logs on the old IAS server I could see a hashed value displayed when it authenticates the AD credentials. Whether the two factors of authentication are unnecessary or not is a matter of opinion, because it does add a layer of security, albeit a very small one, and if I really want to implement improved security measures using 802.1X I should deploy a PKI and use EAP-TLS rather than MSCHAPv2.

    If you or anyone else can validate my response please do so.

    • Edited by Stuart L B Friday, January 11, 2013 8:56 PM
    Friday, January 11, 2013 8:56 PM
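The question at the top of the thread and the reply just above both hinge on what "plain text" means for the PAP leg. On the RADIUS hop between the access point and NPS, PAP does not put the password on the wire literally in the clear: RFC 2865 §5.2 hides the User-Password attribute by XORing it, 16 octets at a time, against an MD5 keystream derived from the RADIUS shared secret and the packet's Request Authenticator. Anyone who holds (or can guess) the shared secret reverses that in one step, which is why PAP is treated as cleartext, and in a MAC authorization setup the password is conventionally the MAC address itself, which also travels unhidden in Calling-Station-Id. PEAP-MSCHAPv2 has no such leg: the inner MS-CHAPv2 exchange rides inside the TLS tunnel, so only a challenge/response, never the password, is visible in the RADIUS attributes. The script below is an added example, not code from the original posts; it builds the PAP Access-Request an AP would send for a MAC-authorized client and then recovers the password from the captured bytes given the secret. The shared secret, the MAC address, the identifier and the MAC-as-password convention are constructed demo values.

```python
import hashlib
import os
import struct

# RADIUS packet code and attribute types (RFC 2865 §3 and §5)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
CALLING_STATION_ID = 31


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chaining uses the hidden block, not the plaintext
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: regenerate the same keystream from the secret,
    the authenticator and the hidden blocks that are already on the wire."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return plain.rstrip(b"\x00")  # strip the zero padding added by the sender


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_pap_access_request(identifier, username, password, secret,
                             calling_station, authenticator=None):
    """Access-Request an access point would send for a PAP (MAC authorization) client."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(CALLING_STATION_ID, calling_station))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def recover_pap_credentials(packet: bytes, secret: bytes):
    """What a passive observer holding the shared secret learns from a PAP request."""
    _, _, authenticator, attrs = parse_radius(packet)
    return (attrs[USER_NAME],
            reveal_password(attrs[USER_PASSWORD], secret, authenticator),
            attrs.get(CALLING_STATION_ID))


if __name__ == "__main__":
    # Constructed demo values: MAC authorization conventionally uses the MAC as both
    # user name and password, so the "password" also sits in Calling-Station-Id.
    SECRET = b"radius-shared-secret"  # assumed AP<->NPS shared secret
    MAC = b"001122334455"             # made-up client MAC
    pkt = build_pap_access_request(7, MAC, MAC, SECRET, b"00-11-22-33-44-55")
    _, _, _, attrs = parse_radius(pkt)
    print("User-Password on the wire:", attrs[USER_PASSWORD].hex())
    print("recovered with secret    :", recover_pap_credentials(pkt, SECRET))
    print("recovered with wrong key :", recover_pap_credentials(pkt, b"guess"))
```

The hiding is a one-time pad keyed by MD5(secret, authenticator), so its strength is exactly the strength of the shared secret; a short or reused secret can be brute-forced offline from a single captured Access-Request because the recovered plaintext (a MAC address, or a real AD password) is trivially recognisable. That is the practical reason to confine PAP to a MAC-only policy, keep AD credentials inside PEAP (or move to EAP-TLS, as the post above concludes), and treat the RADIUS secret with the care given to a password.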
  • Thanks for this post! Dealing with Security+ 501
    Thursday, May 24, 2018 3:13 PM