Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Understanding 802.1x

  • 1.  Understanding 802.1x

    Posted Feb 11, 2014 05:26 PM

    We now have an 802.1x wireless SSID. I am looking for a source that can tell me in detail how this authentication occurs. We are using the following:

     

    Termination EAP-Type: eap-peap

    Termination Inner EAP-Type: eap-mschapv2

    We are terminating on the controller

    Use Windows RADIUS and an Active Directory server

    We have 2 RADIUS servers and we had to terminate on the controller to get the fail-through to work on AOS 6.2.1.2

     

    I don't understand what "inner EAP" is and can't find a resource to explain it. I would love to have a detailed list of steps that take place for this type of authentication.

     

    Thanks for your help,



  • 2.  RE: Understanding 802.1x
    Best Answer

    Posted Feb 11, 2014 06:16 PM

     

    PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2, EAP-GTC, and EAP-SIM refer to the inner authentication methods which provide user or device authentication.

     

    http://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol

     

    Using EAP-MSCHAPv2 as an inner type means that you don't require a client certificate but need a server certificate, and the clients need a password instead.

     

    The PEAP (outer) creates a TLS tunnel to secure this transaction over the network.



  • 3.  RE: Understanding 802.1x

    Posted Feb 11, 2014 06:21 PM

    Very helpful!!! Thank you.



  • 4.  RE: Understanding 802.1x

    EMPLOYEE
    Posted Feb 11, 2014 10:00 PM

    With PEAP-MSCHAPv2, it is important to always configure the client to validate the server certificate. Many people turn this off for troubleshooting and then don't turn it back on. Also, many people think it eases the client configuration piece but in reality you are bypassing the server authentication part of the PEAP process which is important for securing client credentials.
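
Added example, not part of the thread or any poster's code: a small Python audit of the point made in post 4, assuming the client is configured through wpa_supplicant (an assumption; the thread does not name the client OS). It flags PEAP network blocks that lack a CA (`ca_cert` or `ca_path`) or a server-name check; the SSIDs, CA path and server name in the sample are constructed.

```python
SAMPLE_CONF = '''
# Constructed sample config: SSIDs, CA path and server name are made up.
network={
    ssid="corp-troubleshoot"
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-ca-only"
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
}
network={
    ssid="corp-validated"
    eap=PEAP
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
'''
# wpa_supplicant options that tie the trusted certificate to the RADIUS server's name.
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    nets, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "network={":
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets

def audit(text):
    """Map SSID -> findings for every PEAP network (empty list means validated)."""
    report = {}
    for net in parse_networks(text):
        if "PEAP" in net.get("eap", "").upper().split():
            findings = []
            if "ca_cert" not in net and "ca_path" not in net:
                findings.append("no CA: server certificate is not validated")
            if not any(opt in net for opt in NAME_CHECKS):
                findings.append("no server name check")
            report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit()` on the text of a real configuration file returns the same mapping; a block with no CA is the "validation turned off" state that post 4 describes.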