Re: W2K PEAP MSCHAPV2 and IAS Certifcates

---

• From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
• Date: Tue, 20 Dec 2005 14:44:47 -0800

---

"=?Utf-8?B?Q2l0b1Q=?=" <CitoT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:40CD56BD-686D-4003-9B38-7433A7FCCF67@xxxxxxxxxxxxx:

> Can someone explain how W2k IAS Server certificates are used when XP
> Sp2 client is set up with 802.1X authentication, PEAP-MSCHAP V2.
> Client does not seem to use/need certificate just IAS Server, why?
> Thanks all!
>

PEAP-MS-CHAP v2 is designed so that user authentication is performed with
passwords, while server authentication is performed with a server
certificate. Therefore mutual authentication occurs -- the client
authenticates the server and the server authenticates the client or user.

The reason for the design of the authentication method is that it is easier
to deploy than an authentication method such as EAP-TLS, where user
authentication is performed with certificates. In the circumstance of EAP-
TLS, you must deploy a full PKI and distribute certificates to users and/or
computers, which can be both complex and expensive.

You can find more information on PEAP in the following whitepaper:


"The Advantages of Protected Extensible Authentication Protocol (PEAP): A
Standard Approach to User Authentication for IEEE 802.11 Wireless Network
Access"
http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
.

---

• Prev by Date: Re: IAS certificate
• Next by Date: Concern about wireless security
• Previous by thread: IAS Extension DLL & PEAP
• Next by thread: Re: W2K PEAP MSCHAPV2 and IAS Certifcates
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: WCF security advice (and clarification) needed ... You, the client, resolve the foo.mycompany.com hostname within your ... TCP/IP) with that ticket as the security token. ... There are two parties participating in a security scenario, the server ... HTTP supports other authentication ... (microsoft.public.dotnet.framework.webservices) Re: SSPI Kerberos for delegation ... We want the authentication to happen without providing credentials ... But SSPI while authenticating from the client to the server can do mutual ... (comp.protocols.kerberos) Re: Aironet 1200/Radius Help Needed ... I just fired up a W2003 Advanced Server so that I can take ... >> IAS servers (do I need a separate certificate for the secondary IAS ... >> of authentication since it involves just installing the certificate on ... >between the AP and the client. ... (microsoft.public.internet.radius) Re: ESMTP: STARTTLS with "target domain" parameter(s) ... Some services use "client certificates" as a substitute to authentication. ... server on which you host multiple independent (read as AS / autonomious ... (comp.mail.sendmail) L2TP/IPSEC - Please help - Im losing it!! ... Windows 2000 IAS server for Radius authentication. ... I cannot get certificates working. ... client authentication certificate stored in the local store. ... (microsoft.public.win2000.ras_routing)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Internet  > microsoft.public.internet.radius  > 2005-12