EAP-in-EAP authentication
Last Post: January 2, 2009
-
I was wondering what exactly happens in the 'EAP-in-EAP Authentication' part of the PEAP process. I have studied the flow diagram in the CWSP Official Study guide and it illustrates a backward and forward flow between the Supplicant and the Authentication Server but no description as to what exactly happens there.
Am I correct in assuming that a Transport Layer Security (TLS) tunnel is established and the keys are then exchanged? Or am I missing something? I've tried to find any white papers on the subject but I can't seem to find more technical info as to what actually goes on in the 'EAP-in-EAP Authentication'.
Hope anyone out there in 802.11 land can help me :) -
To hopefully answer my own question or by getting a little bit closer...
Am I correct in deducing that in PEAP (PEAPv0) what actually happens in the EAP-in-EAP authentication is either EAP-MD5 or PEAP-EAP-TLS authentication? What about PEAPv1-EAP-GTC?
Any hints, tips, advice, pointers, help would be most welcome...
Sincerely
Rowly -
I like to think about it (in the case of PEAP, EAP-TTLS or even EAP-FAST) as being "EAP-in-TLS." All of these form a TLS tunnel where you can then perform some inner auth...such as another EAP exchange. Theoretically, this could be anything that the protocol supports, even unencrypted exchanges. Remember, all of the inner auth process is encapsulated in the TLS tunnel, so even with the unencrypted exchanges it is still encrypted. ...hopefully that makes sense.
I don't have the book handy or I'd try to reference what you're looking at. Hope that answers it. -
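The two phases described in the reply above, as an added example that is not part of the original thread: a classifier that reads one outer EAP packet and reports whether it carries the TLS handshake (phase 1) or encrypted tunnel data holding the inner EAP exchange (phase 2). The names `classify`, `build` and `record` and the sample packets are constructed for illustration; it assumes unfragmented messages and a TLS 1.2-or-earlier record layer.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TUNNEL_METHODS = {21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}  # EAP type numbers
TLS_RECORDS = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def classify(packet: bytes) -> dict:
    """Report what an observer outside the tunnel can see in one outer EAP packet."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "phase": "not tunnelled"}
    if code not in (1, 2) or length < 6 or packet[4] not in TUNNEL_METHODS:
        return info                      # Success/Failure, Identity, or a non-tunnel method
    flags = packet[5]
    info["method"] = TUNNEL_METHODS[packet[4]]
    info["version"] = flags & 0x07       # version bits (low bits of the flags byte)
    body = packet[6:length]
    if flags & 0x80:                     # L bit: 4-byte TLS message length comes first
        body = body[4:]
    records = []
    while len(body) >= 5:                # walk TLS record headers only, never payloads
        ctype, _version, rlen = struct.unpack("!BHH", body[:5])
        records.append(TLS_RECORDS.get(ctype, "unknown"))
        body = body[5 + rlen:]
    info["records"] = records
    if flags & 0x20:                     # S bit: server starts the tunnel method
        info["phase"] = "phase 1: start"
    elif records and all(r == "application_data" for r in records):
        info["phase"] = "phase 2: inner auth (encrypted)"
    elif records:
        info["phase"] = "phase 1: TLS handshake"
    else:
        info["phase"] = "ack"
    return info

def build(code, ident, method, flags, tls=b""):
    """Construct a sample outer EAP packet (test data, not a capture)."""
    data = bytes([method, flags]) + (struct.pack("!I", len(tls)) if flags & 0x80 else b"") + tls
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

# Constructed samples: PEAP Start, a handshake record, then tunnelled application data.
START = build(1, 1, 25, 0x20)
HELLO = build(2, 1, 25, 0x80, record(22, b"\x01\x00\x00\x00"))
INNER = build(1, 5, 25, 0x00, record(23, bytes(24)))
```

In the phase 2 packet the inner EAP type (MSCHAPv2, GTC, TLS and so on) is not visible to the classifier at all; only the outer PEAP header and the TLS record header are in the clear.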
Many thanks for your reply ... it has certainly made me think a little clearer. I guess I'm a visual person and like diagrams ;-) Do you have that reference book handy so I can have a look? I keep reading about EAP-in-EAP authentication but I guess the geek in me needs to know exactly what goes on in that process ;-)
-
For further information, I liked the following books:
AAA and Network Security for Mobile Access: Radius, Diameter, EAP, PKI and IP Mobility - John Wiley and Sons
Implementing 802.1x Security Solutions - Jim Geier
Good luck with your reading. -
Many thanks Adrian. I will endeavour to get a copy of those books... Happy New Year!
:D