Re: eap-tls and peap-tls
From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 10/27/04
- Next message: Sam Salhi [MSFT]: "Re: Can Windows dialer (XP/2000) use PEAP?"
- Previous message: frankpintosr: "remote access policy profile filtering"
- In reply to: Will: "Re: eap-tls and peap-tls"
- Next in thread: William Bain: "Re: eap-tls and peap-tls"
- Reply: William Bain: "Re: eap-tls and peap-tls"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 26 Oct 2004 22:22:31 -0700
For question 1: Under normal conditions, yes, they do the same thing. But
potentially one server might do the external validation while another
server is doing the internal validation, and in this case this would come
in handy.
For question 2: The CRL can be retrieved from the Root or a subordinate. But it
has to be in the certificate itself. So if your subordinate CA goes down,
your Root can handle it. If you have multiple subordinates already
configured then they will take care of this as well. The only issue arises
when all your PKI servers are down, or you bring up a Subordinate CA after
the cert is published.
IAS requests the services from PKI to do the validation; only the account lookup
is done by IAS.
--
=============================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
=============================================
"Will" <william.bain@orange.net> wrote in message
news:7ea9634e.0410260425.66ffda2f@posting.google.com...
> Thanks Sam,
>
> all works fine.
>
> but I do have a couple more questions if anyone can help...
>
> I am using XP SP1, W2K IAS SP4, Cisco AP1200, the authentication
> methods are peap-mschapV2 and peap-tls (PKI)
>
> 1) when selecting properties of peap under the authentication tab in
> wireless connection settings in XP SP1 there is an option to validate
> server certificate when connecting. This option also appears in the
> "configure" option of the authentication method which is selected from
> the bottom of the same page if you select the configure "smart card or
> other certificate" option - are they doing the same thing..??
>
> 2) probably not really a question for this group but.. When using
> machine and user certificates (using peap-tls) does the IAS server
> validate these certificates against the subordinate CA for each
> request or does it use the AD to check the certificate/ user account?
> The enterprise CA is turned off as recommended by MS. If I lose my
> subordinate CA do we just lose revocation or will the peap-tls
> authentication all stop? I'm struggling to understand the whole
> authentication process with the above and understand the impact of
> losing part of the CA service.
>
> Thanks in advance
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> news:<#K7NSEkuEHA.2012@TK2MSFTNGP15.phx.gbl>...
>> PEAP-EAP-TLS offers an additional layer of protection even for
>> heavy-weight authentication protocols like EAP-TLS, which is pretty
>> secure on its own.
>>
>> PEAP-EAP-TLS allows you to use a cert-based method (compared to
>> password-based PEAP-EAP-MSCHAPv2), which has its own advantages. For
>> example the users don't need to know any credentials to be equipped with
>> this secure authentication method.
>>
>> Another advantage of PEAP-EAP-TLS is that it offers Fast Reconnect
>> ability, something that has been an issue for EAP-TLS. With fast
>> reconnect, your supplicants are able to authenticate in a fraction of the
>> time that is needed to do a full authentication.
>>
>> The disadvantage of course is that it's really heavy-weight too, and that
>> it requires a certificate on the client.
>>
>> To configure PEAP-EAP-TLS, all you have to do is go to the PEAP
>> configuration dialog, click Add and select EAP-TLS (on the server and
>> on the client).
>>
>> Hope this helps. If you need any additional information please feel
>> encouraged to post more questions.
>>
>> --
>> =============================================
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> =============================================
>>
>> "William Bain" <wbain@orange.net> wrote in message
>> news:uLMmLTRuEHA.1272@TK2MSFTNGP12.phx.gbl...
>> > I'm trying to figure out the differences between eap-tls and peap-tls
>> > and what the advantages and disadvantages would be of each. From my
>> > understanding peap-tls offers additional protection for the initial
>> > eap transaction, but I can't see a way of configuring peap-tls on the
>> > IAS box as the peap selection defaults to MSCHAP, yet on the clients I
>> > can select eap-tls or peap with certs. My environment will be XP SP1
>> > (some SP2 clients) with IAS on Windows 2000 SP4 and using PKI for
>> > machine and user validation.
>> >
>> > Many thanks
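Sam's point in the top reply is that revocation checking survives a subordinate CA outage only if the certificate's own CRL Distribution Points extension names more than one location that is actually serving a current CRL. The following PowerShell script is an added example for checking exactly that on a Windows host; it is not code from the thread or from Microsoft. It assumes Windows PowerShell 5.1 or later, certutil.exe on the PATH, outbound HTTP to the CDP hosts, and uses placeholder values for the certificate store and issuer name.

```powershell
# Added example (not from the thread): audit the CRL Distribution Points (CDPs)
# of the certificates a RADIUS/IAS server would validate, and report whether
# each HTTP CDP is reachable right now and whether the CRL it serves is still
# within its validity window. A cert whose only CDP points at one subordinate CA
# is the case where that CA going down stops revocation checking; a cert that
# lists several CDPs (root and subordinates) is not.
# Assumptions: Windows PowerShell 5.1+, certutil.exe on the PATH, outbound HTTP;
# $StorePath and $IssuerFilter are placeholders for your environment.

$StorePath    = 'Cert:\LocalMachine\My'     # placeholder: store to audit
$IssuerFilter = 'CN=Example Issuing CA'     # placeholder: issuing CA to filter on
$CdpOid       = '2.5.29.31'                 # id-ce-cRLDistributionPoints

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text; pull the URLs out of it.
    $text = $ext.Format($true)
    [regex]::Matches($text, '(?i)\b(https?|ldap)://[^\s\)]+') | ForEach-Object { $_.Value }
}

function Test-CrlUrl {
    param([string]$Url)
    $result = [ordered]@{ Url = $Url; Reachable = $null; NextUpdate = $null; Expired = $null; Note = '' }
    if ($Url -notmatch '^(?i)https?://') {
        # LDAP CDPs need a directory bind from a domain member; they are listed, not fetched.
        $result.Note = 'ldap CDP not fetched'
        return [pscustomobject]$result
    }
    $tmp = Join-Path $env:TEMP ('crl-' + [guid]::NewGuid().ToString() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 10
        $result.Reachable = $true
        # certutil -dump prints the CRL's ThisUpdate/NextUpdate fields as text.
        $dump = & certutil.exe -dump $tmp 2>&1 | Out-String
        if ($dump -match 'Next\s?Update:\s*(.+)') {
            $next = [datetime]::MinValue
            if ([datetime]::TryParse($Matches[1].Trim(), [ref]$next)) {
                $result.NextUpdate = $next
                $result.Expired    = ($next -lt (Get-Date))
            } else {
                $result.Note = 'could not parse NextUpdate: ' + $Matches[1].Trim()
            }
        } else {
            $result.Note = 'NextUpdate not found in certutil output'
        }
    } catch {
        $result.Reachable = $false
        $result.Note = $_.Exception.Message
    } finally {
        if (Test-Path $tmp) { Remove-Item $tmp -Force }
    }
    [pscustomobject]$result
}

# For every certificate from the filtered issuer, list its CDPs and test each one.
$certs = Get-ChildItem $StorePath | Where-Object { $_.Issuer -like "$IssuerFilter*" }
foreach ($cert in $certs) {
    $urls = @(Get-CdpUrl -Cert $cert)
    Write-Host ("`n{0}  (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
    if ($urls.Count -eq 0) {
        Write-Warning 'No CRL Distribution Point extension: a validating server cannot locate a CRL for this cert.'
        continue
    }
    if ($urls.Count -eq 1) {
        Write-Warning 'Single CDP: if that host is unavailable, revocation checking for this cert fails.'
    }
    $urls | ForEach-Object { Test-CrlUrl -Url $_ } |
        Format-Table Url, Reachable, NextUpdate, Expired, Note -AutoSize
}
```

Run it on the IAS/NPS server (or any domain member holding certificates from the same issuing CA) and read the table per certificate: an `Expired` of True on every reachable CDP means the CA that publishes that CRL has not done so on schedule, which is the outage Sam describes, while a cert that shows only an unreachable single CDP is one whose authentication will fail the moment revocation checking is enforced. The script only reads and fetches; it changes nothing on the host.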