Hi Joe,
With ACS you simply use PEAP and MS-CHAPv2 for password challenge. There is
no need for additional encryption of MPPE. The one scenario I can think of
where this can be used is LEAP RADIUS Proxy. It is when you point your
wireless clients to ACS and the user database is on a different server (like
IAS). Then you must secure that traffic between ACS and IAS somehow.
Here's the link
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355968
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein

2011/6/16 Joe Astorino <joeastorino1982_at_gmail.com>

> Hi guys,
>
> I was wondering if anybody can help me understand the relationship between
> MPPE and MSCHAPv2 as they relate specifically to PEAP authentication. A
> little background -- I am looking at deploying 802.1x on some switches. The
> RADIUS server integrated into the environment uses PEAP and runs MS IAS. In
> the IAS configuration of PEAP, MSCHAPv2 is used for the authentication.
> There are other options for specifying encryption and MPPE is enabled.
> Now....
>
> I understand that MPPE is typically used for data confidentiality
> (encryption) on point to point links. That makes sense -- You can
> authenticate a PPP link using MSCHAPv2 and then generate keying material to
> encrypt the actual data on the PPP link. I get that, and have even
> configured it in a lab.
>
> What I don't get is how MPPE applies to the PEAP authentication mechanism.
> The first step of PEAP is nailing up a secure TLS tunnel so that the
> MSCHAPv2 authentication inside the TLS tunnel is protected by an encryption
> cipher. Once the MSCHAPv2 authentication passes, I would think at that
> point the user is authenticated and the job is done. What would be the
> point of MPPE here? I'm not sure where it would fit or what it would even
> encrypt since there is really no PPP connection. My understanding was that
> the MSCHAPv2 was just being used for authentication inside EAP.
>
> Thoughts?
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Jun 16 2011 - 23:16:27 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
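In an 802.1x/PEAP deployment, the "MPPE" setting IAS exposes refers to the MS-MPPE-Send-Key and MS-MPPE-Recv-Key RADIUS attributes (RFC 2548) that carry the session keys from the RADIUS server to the switch, protected only by the RADIUS shared secret. The Python below is an added example, not code from this thread, implementing that attribute encryption and decryption; the key, shared secret and Request-Authenticator are constructed sample values.

```python
import hashlib

# Constructed sample values (not from the thread): a 32-byte session key like the
# one a RADIUS server returns to the switch after PEAP, a RADIUS shared secret,
# the Request-Authenticator of the Access-Request, and a 2-byte salt (high bit set).
KEY = bytes(range(32))
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes.fromhex("0123456789abcdef0123456789abcdef")
SALT = b"\x80\x01"

def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    # b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)) per RFC 2548 section 2.4.2
    return hashlib.md5(secret + prev).digest()

def encrypt_mppe_key(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """Build the String field of an MS-MPPE-Send-Key / MS-MPPE-Recv-Key attribute."""
    if len(req_auth) != 16 or len(salt) != 2 or not salt[0] & 0x80 or len(key) > 255:
        raise ValueError("bad Request-Authenticator, salt or key length")
    plaintext = bytes([len(key)]) + key            # length octet, then the key
    plaintext += b"\x00" * (-len(plaintext) % 16)  # zero-pad to a 16-byte multiple
    out, prev = bytearray(), req_auth + salt
    for i in range(0, len(plaintext), 16):
        block = bytes(p ^ b for p, b in zip(plaintext[i:i + 16], _keystream_block(secret, prev)))
        out += block
        prev = block                               # next block is chained on this ciphertext
    return salt + bytes(out)

def decrypt_mppe_key(string: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Recover the key from the attribute String field, as the switch (or a proxy) does."""
    salt, ciphertext = string[:2], string[2:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), req_auth + salt
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(block, _keystream_block(secret, prev)))
        prev = block
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("length octet out of range: wrong shared secret or corrupt attribute")
    return bytes(plain[1:1 + key_len])

def try_recover(string: bytes, secret: bytes, req_auth: bytes):
    """Return the key, or None when decryption under this secret does not even parse."""
    try:
        return decrypt_mppe_key(string, secret, req_auth)
    except ValueError:
        return None
```

Because each RADIUS hop decrypts and re-encrypts these attributes under its own shared secret, a proxy sitting between the switch and the user database sees the session keys in the clear, which is why the secret on every hop needs to be strong.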