No edit summary
m WP:CHECKWIKI error fixes using AWB (9773)
Line 21:
* PEAPv1/EAP-GTC
PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2, EAP-GTC, and EAP-SIM refer to the inner authentication methods which provide user or device authentication.
Within Cisco products, PEAPv0 supports inner EAP methods EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports inner EAP methods EAP-GTC and EAP-SIM. Since Microsoft only supports PEAPv0 and doesn’t support PEAPv1, Microsoft simply calls PEAPv0 PEAP without the v0 or v1 designator. Another difference between Microsoft and Cisco is that Microsoft only supports the EAP-MSCHAPv2 method and not the EAP-SIM method.
However, Microsoft supports another form of PEAPv0 (which Microsoft calls PEAP-EAP-TLS) that Cisco and other third-party server and client software don’t support. PEAP-EAP-TLS requires client installation of a [[client-side]] [[digital certificate]] or a more secure smartcard. PEAP-EAP-TLS is very similar in operation to the original EAP-TLS but provides slightly more protection because portions of the client certificate that are unencrypted in EAP-TLS are encrypted in PEAP-EAP-TLS. Ultimately, PEAPv0/EAP-MSCHAPv2 is by far the most prevalent implementation of PEAP, due to the integration of PEAPv0 into [[Microsoft Windows]] products. Cisco's CSSC client now supports PEAP-EAP-TLS.
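Review bot: the closing sentence of the last paragraph under Line 21 ("Cisco's CSSC client now supports PEAP-EAP-TLS.") contradicts that paragraph's opening claim that Cisco and other third-party server and client software don't support PEAP-EAP-TLS. Reconcile the two statements, for example by limiting the opening claim to the period in which it held, and replace "now" with a date, since the article already tags undated statements with {{when}}. While this text is being cleaned up, the contractions "doesn’t" and "don’t" in the same hunk could also be expanded.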
Line 36:
As with other 802.1X and EAP types, dynamic encryption can be used with PEAP.
A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering [[MS-CHAPv2]] of handshakes
== PEAPv1 with EAP-GTC ==
PEAPv1/[[EAP-GTC]] was created by Cisco to provide interoperability with existing token card and directory based authentication systems via a protected channel. Even though Microsoft co-invented the PEAP standard, Microsoft never added support for PEAPv1 in general, which means PEAPv1/EAP-GTC has no native [[Microsoft Windows|Windows]] OS support. Since Cisco has typically recommended lightweight EAP protocols such as [[Lightweight Extensible Authentication Protocol|LEAP]] and [[EAP-FAST]] protocols instead of PEAP, the latter has not been as widely adopted as some had hoped.
With no interest from Microsoft to support PEAPv1 and no promotion from Cisco, PEAPv1 authentication is rarely used.{{when|date=April 2010}}
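Review bot: the sentence on CA certificate validation under Line 36 ends in "gathering [[MS-CHAPv2]] of handshakes" with the words transposed and no terminal period, so the one sentence that states the consequence of skipping server certificate validation is hard to read. Suggest "which then allows gathering of [[MS-CHAPv2]] handshakes." as the ending. The claim that this is "trivial" is also unsourced in the visible lines and would benefit from a citation.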