OT: PEAP, MSCHAPv2 and MPPE

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Thu, 16 Jun 2011 16:28:12 -0400

Hi guys,

I was wondering if anybody can help me understand the relationship between
MPPE and MSCHAPv2 as they relate specifically to PEAP authentication. A
little background -- I am looking at deploying 802.1X on some switches. The
RADIUS server integrated into the environment uses PEAP and runs MS IAS. In
the IAS configuration of PEAP, MSCHAPv2 is used for the authentication.
There are other options for specifying encryption, and MPPE is enabled.
Now...

I understand that MPPE is typically used for data confidentiality
(encryption) on point-to-point links. That makes sense -- you can
authenticate a PPP link using MSCHAPv2 and then generate keying material to
encrypt the actual data on the PPP link. I get that, and have even
configured it in a lab.

What I don't get is how MPPE applies to the PEAP authentication mechanism.
The first step of PEAP is nailing up a secure TLS tunnel so that the
MSCHAPv2 authentication inside the TLS tunnel is protected by an encryption
cipher. Once the MSCHAPv2 authentication passes, I would think at that
point the user is authenticated and the job is done. What would be the
point of MPPE here? I'm not sure where it would fit or what it would even
encrypt since there is really no PPP connection. My understanding was that
MSCHAPv2 was just being used for authentication inside EAP.

Thoughts?

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
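The link between MSCHAPv2 and MPPE that the question is about is a key derivation: RFC 3079 turns the MSCHAPv2 password hash and NT-Response into a master key and two directional session keys, which a RADIUS server returns as MS-MPPE-Send-Key / MS-MPPE-Recv-Key (RFC 2548). The following is an added example, not code from the poster or from IAS; it assumes the PasswordHashHash (MD4 of the MD4 NT hash) has already been computed, and uses the inputs from the worked example in RFC 3079 section 3.5.1 as constructed sample data.

```python
import hashlib

# Constants from RFC 3079, section 3.4 (MS-CHAP-V2 key derivation).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")
SHA_PAD1 = b"\x00" * 40
SHA_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey: 16-byte MasterKey from one MS-CHAPv2 exchange.

    password_hash_hash is MD4(MD4(unicode password)); nt_response is the
    24-byte NT-Response carried in the peer's MS-CHAPv2 Response packet.
    """
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("need 16-byte PasswordHashHash and 24-byte NT-Response")
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    return digest[:16]


def get_asymmetric_start_key(master_key: bytes, key_len: int,
                             is_send: bool, is_server: bool) -> bytes:
    """RFC 3079 GetAsymmetricStartKey: one directional MPPE session key."""
    # The magic string is picked so that the server's send key equals the
    # client's receive key, and vice versa (the two sides swap roles).
    magic = MAGIC3 if is_send == is_server else MAGIC2
    digest = hashlib.sha1(master_key + SHA_PAD1 + magic + SHA_PAD2).digest()
    return digest[:key_len]


def mppe_keys_for_radius(password_hash_hash: bytes, nt_response: bytes,
                         key_len: int = 16) -> dict:
    """Server-side keys that would go into MS-MPPE-Send-Key / MS-MPPE-Recv-Key."""
    mk = get_master_key(password_hash_hash, nt_response)
    return {
        "master_key": mk,
        "send_key": get_asymmetric_start_key(mk, key_len, True, True),
        "recv_key": get_asymmetric_start_key(mk, key_len, False, True),
    }


# Constructed sample input: the inputs of the worked example in RFC 3079,
# section 3.5.1. The RFC also lists the expected MasterKey and SendSessionKey,
# so the printed values can be checked against it.
RFC3079_PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")
RFC3079_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD78544C657F09E3063F6F")

if __name__ == "__main__":
    for name, value in mppe_keys_for_radius(RFC3079_PASSWORD_HASH_HASH,
                                            RFC3079_NT_RESPONSE).items():
        print(f"{name}: {value.hex()}")
```

Inside PEAP this inner derivation still takes place, but the keys the RADIUS server hands to the switch or access point come from the TLS tunnel's master secret, which is why the MPPE setting shows up even though no PPP link is ever encrypted.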
Received on Thu Jun 16 2011 - 16:28:12 ART