Re: eap-tls and peap-tls
From: Will (william.bain_at_orange.net)
Date: 10/26/04
- Previous message: Sam Salhi [MSFT]: "Re: Can Windows dialer (XP/2000) use PEAP?"
- In reply to: Sam Salhi [MSFT]: "Re: eap-tls and peap-tls"
- Next in thread: Sam Salhi [MSFT]: "Re: eap-tls and peap-tls"
- Reply: Sam Salhi [MSFT]: "Re: eap-tls and peap-tls"
Date: 26 Oct 2004 05:25:56 -0700
Thanks Sam,
all works fine.
But I do have a couple more questions if anyone can help...
I am using XP SP1, W2K IAS SP4, Cisco AP1200; the authentication
methods are peap-mschapV2 and peap-tls (PKI).
1) When selecting properties of peap under the authentication tab in
wireless connection settings in XP SP1 there is an option to validate
server certificate when connecting. This option also appears in the
"configure" option of the authentication method which is selected from
the bottom of the same page if you select the configure "smart card or
other certificate" option - are they doing the same thing?
2) Probably not really a question for this group, but... When using
machine and user certificates (using peap-tls) does the IAS server
validate these certificates against the subordinate CA for each
request or does it use the AD to check the certificate/user account?
The enterprise CA is turned off as recommended by MS. If I lose my
subordinate CA do we just lose revocation or will the peap-tls
authentication all stop? I'm struggling to understand the whole
authentication process with the above and understand the impact of
losing part of the CA service.
Thanks in advance
"Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message news:<#K7NSEkuEHA.2012@TK2MSFTNGP15.phx.gbl>...
> PEAP-EAP-TLS offers an additional layer of protection even for heavy-weight
> authentication protocols like EAP-TLS, which is pretty secure on its own.
>
> PEAP-EAP-TLS allows you to use a cert-based method (compared to password-based
> PEAP-EAP-MSCHAPv2), which has its own advantages. For example, the users
> don't need to know any credentials to be equipped with this secure
> authentication method.
>
> Another advantage of PEAP-EAP-TLS is that it offers FastReconnect ability,
> something that has been an issue for EAP-TLS. With fast reconnect, your
> supplicants are able to authenticate in a fraction of the time that is needed
> to do a full authentication.
>
> The disadvantage of course is that it's really heavy-weight too, and that it
> requires a certificate on the client.
>
> To configure PEAP-EAP-TLS, all you have to do is go to the PEAP
> configuration dialog, click Add and select EAP-TLS (on the server and on
> the client).
>
> Hope this helps. If you need any additional information, please feel
> encouraged to post more questions.
>
> --
> =============================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> =============================================
>
> "William Bain" <wbain@orange.net> wrote in message
> news:uLMmLTRuEHA.1272@TK2MSFTNGP12.phx.gbl...
> > I'm trying to figure out the differences between eap-tls and peap-tls and
> > what the advantages and disadvantages would be of each. From my
> > understanding peap-tls offers additional protection for the initial eap
> > transaction, but I can't see a way of configuring peap-tls on the IAS box
> > as the peap selection defaults to MSCHAP, yet on the clients I can select
> > eap-tls or peap with certs. My environment will be SP SP1 (some SP2
> > clients) with IAS on Windows 2000 SP4 and using PKI for machine and user
> > validation.
> >
> > Many thanks
> >
> >
> >
> >