Joe,
On Thu, Jun 16, 2011 at 16:28:12, Joe Astorino wrote:
> Subject: OT: PEAP, MSCHAPv2 and MPPE
>
> Hi guys,
>
> I was wondering if anybody can help me understand the relationship
> between MPPE and MSCHAPv2 as they relate specifically to PEAP
> authentication. A little background -- I am looking at deploying
> 802.1x on some switches. The RADIUS server integrated into the
> environment uses PEAP and runs MS IAS. In the IAS configuration of
> PEAP, MSCHAPv2 is used for the authentication.
> There are other options for specifying encryption and MPPE is enabled.
> Now....
>
> I understand that MPPE is typically used for data confidentiality
> (encryption) on point to point links. That makes sense -- You can
> authenticate a PPP link using MSCHAPv2 and then generate keying
> material to encrypt the actual data on the PPP link. I get that, and
> have even configured it in a lab.
>
> What I don't get is how MPPE applies to the PEAP authentication mechanism.
> The first step of PEAP is nailing up a secure TLS tunnel so that the
> MSCHAPv2 authentication inside the TLS tunnel is protected by an
> encryption cipher. Once the MSCHAPv2 authentication passes, I would
> think at that point the user is authenticated and the job is done.
> What would be the point of MPPE here? I'm not sure where it would fit
> or what it would even encrypt since there is really no PPP connection.
> My understanding was that the MSCHAPv2 was just being used for authentication inside EAP.
>
I don't think it has anything to do with the PEAP when PPTP is not involved. The authentication should report something similar to the following regardless of encryption being checked there or not. But since it doesn't really hurt anything to leave strong encryption checked, might be best to just do so.
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
I had the same results in eventvwr with No Encryption, Strong Encryption, or all options checked.
-ryan
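To make the MSCHAPv2/MPPE relationship from Joe's question concrete, here is an added example that is not from either poster. It implements the RFC 3079 derivation that turns the MS-CHAPv2 exchange into MPPE keys: the 16-byte MasterKey comes from SHA-1 over PasswordHashHash (MD4 of the MD4 NT hash of the password), the 24-byte NT-Response and a fixed magic string, and the four directional session keys come from the MasterKey plus two more magic strings. The PasswordHashHash and NT-Response bytes below are constructed placeholders; the MD4 and DES steps that produce the real values are not part of this block. The same MS-MPPE-Send-Key/MS-MPPE-Recv-Key RADIUS attributes (RFC 2548) are what an EAP server uses to hand session keys to an 802.1X authenticator, which is why MPPE-named settings show up in a PEAP policy even though no PPP link exists.

```python
"""RFC 3079 MPPE key derivation from an MS-CHAPv2 exchange (added example)."""
import hashlib

# Constants from RFC 3079 section 3.3 (and the 40/56-bit salts from RFC 3078).
MAGIC1 = b"This is the MPPE Master Key"  # 27 bytes
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")  # 84 bytes
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")  # 84 bytes
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey: 16-byte MasterKey from MD4(MD4(password)) and the NT-Response."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("PasswordHashHash must be 16 bytes, NT-Response 24 bytes")
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    return digest[:16]


def get_asymmetric_start_key(master_key: bytes, key_len: int,
                             is_send: bool, is_server: bool) -> bytes:
    """GetAsymmetricStartKey: one directional session key (8 or 16 bytes).

    The magic string is chosen so that the client's send key is the
    server's receive key and vice versa.
    """
    if key_len not in (8, 16):
        raise ValueError("MPPE session keys are 8 (40/56-bit) or 16 (128-bit) bytes")
    if is_send:
        magic = MAGIC3 if is_server else MAGIC2
    else:
        magic = MAGIC2 if is_server else MAGIC3
    digest = hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()
    return digest[:key_len]


def apply_key_length_salt(session_key: bytes, bits: int) -> bytes:
    """Fix the leading octets for the reduced-strength MPPE modes.

    40-bit: first three octets become D1 26 9E; 56-bit: first octet becomes D1;
    128-bit keys are used unchanged.
    """
    if bits == 40:
        return b"\xd1\x26\x9e" + session_key[3:]
    if bits == 56:
        return b"\xd1" + session_key[1:]
    if bits == 128:
        return session_key
    raise ValueError("MPPE key strength must be 40, 56 or 128 bits")


def derive_session_keys(password_hash_hash: bytes, nt_response: bytes,
                        key_len: int = 16) -> dict:
    """Derive all four directional keys for one MS-CHAPv2 authentication."""
    mk = get_master_key(password_hash_hash, nt_response)
    return {
        "client_send": get_asymmetric_start_key(mk, key_len, True, False),
        "client_recv": get_asymmetric_start_key(mk, key_len, False, False),
        "server_send": get_asymmetric_start_key(mk, key_len, True, True),
        "server_recv": get_asymmetric_start_key(mk, key_len, False, True),
    }


if __name__ == "__main__":
    # Constructed placeholder inputs (not a real password hash or response).
    sample_phh = bytes(range(16))
    sample_nt_response = bytes(range(0x20, 0x38))
    for name, key in derive_session_keys(sample_phh, sample_nt_response).items():
        print(f"{name}: {key.hex()}")
```

Because every key above is a function of the NT-Response, which is itself a function of the password hash and the challenges, the MPPE keys are only as strong as the MS-CHAPv2 exchange that produced them; that is the reason PEAP wraps MS-CHAPv2 in a TLS tunnel before either value is ever sent.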
Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 16 2011 - 21:03:02 ART