Thanks guys! It just didn't make sense as to what that would do, but you
guys have helped me validate that. I appreciate it!
On Thu, Jun 16, 2011 at 5:03 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Joe,
>
> On Thu, Jun 16, 2011 at 16:28:12, Joe Astorino wrote:
> > Subject: OT: PEAP, MSCHAPv2 and MPPE
> >
> > Hi guys,
> >
> > I was wondering if anybody can help me understand the relationship
> > between MPPE and MSCHAPv2 as they relate specifically to PEAP
> > authentication. A little background -- I am looking at deploying
> > 802.1x on some switches. The RADIUS server integrated into the
> > environment uses PEAP and runs MS IAS. In the IAS configuration of
> > PEAP, MSCHAPv2 is used for the authentication.
> > There are other options for specifying encryption and MPPE is enabled.
> > Now....
> >
> > I understand that MPPE is typically used for data confidentiality
> > (encryption) on point to point links. That makes sense -- You can
> > authenticate a PPP link using MSCHAPv2 and then generate keying
> > material to encrypt the actual data on the PPP link. I get that, and
> > have even configured it in a lab.
> >
> > What I don't get is how MPPE applies to the PEAP authentication
> > mechanism.
> > The first step of PEAP is nailing up a secure TLS tunnel so that the
> > MSCHAPv2 authentication inside the TLS tunnel is protected by an
> > encryption cipher. Once the MSCHAPv2 authentication passes, I would
> > think at that point the user is authenticated and the job is done.
> > What would be the point of MPPE here? I'm not sure where it would fit
> > or what it would even encrypt since there is really no PPP connection.
> > My understanding was that the
> > MSCHAPv2 was just being used for authentication inside EAP.
> >
>
> I don't think it has anything to do with the PEAP when PPTP is not
> involved. The authentication should report something similar to the
> following regardless of encryption being checked there or not. But since it
> doesn't really hurt anything to leave strong encryption checked, might be
> best to just do so.
>
> Authentication-Type = PEAP
> EAP-Type = Secured password (EAP-MSCHAP v2)
>
> I had the same results in eventvwr with No Encryption, Strong Encryption,
> or all options checked.
>
> -ryan
>
--
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan

Blogs and organic groups at http://www.ccie.net

Received on Thu Jun 16 2011 - 17:27:23 ART
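For readers wanting to see the relationship Joe describes for PPP links (MS-CHAPv2 authenticates, then keying material for MPPE is derived from it), the following is an added example written for this archive page, not code from either poster. It implements the GetMasterKey and GetAsymmetricStartKey procedures from RFC 3079 section 3.4, which derive the 128-bit MPPE send and receive keys from the MS-CHAPv2 NT-Response and the hash of the NT password hash. The 16-byte `password_hash_hash` and 24-byte `nt_response` inputs below are constructed placeholder values, not real authentication data; in a live exchange they would come from the NT password (MD4 of the UTF-16LE password, hashed again) and the client's MS-CHAPv2 response.

```python
import hashlib

# Fixed strings from RFC 3079 section 3.4 (MS-CHAPv2 -> MPPE key derivation).
MAGIC1 = b"This is the MPPE Master Key"                       # 27 bytes
MAGIC2 = (b"On the client side, this is the send key; "
          b"on the server side, it is the receive key.")       # 84 bytes
MAGIC3 = (b"On the client side, this is the receive key; "
          b"on the server side, it is the send key.")          # 84 bytes
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey: first 16 bytes of
    SHA-1(HashNtPasswordHash || NT-Response || Magic1)."""
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("need a 16-byte password hash-hash and a 24-byte NT-Response")
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, session_key_length: int,
                             is_send: bool, is_server: bool) -> bytes:
    """RFC 3079 GetAsymmetricStartKey: picks Magic2 or Magic3 depending on
    direction and side, then takes the leading bytes of
    SHA-1(MasterKey || SHSpad1 || Magic || SHSpad2)."""
    if len(master_key) != 16:
        raise ValueError("master key must be 16 bytes")
    if is_send:
        magic = MAGIC3 if is_server else MAGIC2
    else:
        magic = MAGIC2 if is_server else MAGIC3
    digest = hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()
    return digest[:session_key_length]


def derive_mppe_session_keys(password_hash_hash: bytes, nt_response: bytes,
                             key_len: int = 16) -> dict:
    """Derive the four directional start keys (client/server x send/receive).
    With 128-bit MPPE, key_len is 16; RFC 3079 uses 8 for 40/56-bit keys."""
    master = get_master_key(password_hash_hash, nt_response)
    return {
        "client_send": get_asymmetric_start_key(master, key_len, True, False),
        "client_recv": get_asymmetric_start_key(master, key_len, False, False),
        "server_send": get_asymmetric_start_key(master, key_len, True, True),
        "server_recv": get_asymmetric_start_key(master, key_len, False, True),
    }


def magic_lengths_ok() -> bool:
    """Sanity check that the transcribed constants have the lengths RFC 3079 gives."""
    return len(MAGIC1) == 27 and len(MAGIC2) == 84 and len(MAGIC3) == 84


if __name__ == "__main__":
    # Constructed placeholder inputs (not real credentials or a captured response).
    sample_hash_hash = bytes(range(16))
    sample_nt_response = bytes(range(24))
    keys = derive_mppe_session_keys(sample_hash_hash, sample_nt_response)
    for name, key in keys.items():
        print(f"{name}: {key.hex()}")
```

The thing worth noticing in the output is that the client's send key equals the server's receive key and vice versa: each side derives both directional keys from the same master key, which is why the MS-CHAPv2 exchange alone is enough to seed an encrypted PPP session without ever sending a key over the link.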
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART