Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Understanding 802.1x

We now have an 802.1x wireless SSID. I am looking for a source that can tell me in detail how this authentication occurs. We are using the following:

Termination EAP-Type: eap-peap

Termination Inner EAP-Type: eap-mschapv2

We are terminating on the controller

Use Windows RADIUS and an Active Directory server

We have 2 RADIUS servers and we had to terminate on the controller to get the fail-through to work on AOS 6.2.1.2

 

I don't understand what "inner EAP" is and can't find a resource to explain it. I would love to have a detailed list of steps that take place for this type of authentication.

Thanks for your help,

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Understanding 802.1x

 

PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2, EAP-GTC, and EAP-SIM refer to the inner authentication methods which provide user or device authentication.

 

http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

 

Using EAP-MSCHAPv2 as an inner type means that you don't require a client certificate but need a server certificate, and the clients need a password instead.

The PEAP (outer) creates a TLS tunnel to secure this transaction over the network.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 64
Registered: ‎03-21-2011

Re: Understanding 802.1x

Very helpful!!! Thank you.

Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Understanding 802.1x

With PEAP-MSCHAPv2, it is important to always configure the client to validate the server certificate. Many people turn this off for troubleshooting and then don't turn it back on. Also, many people think it eases the client configuration piece but in reality you are bypassing the server authentication part of the PEAP process which is important for securing client credentials.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480