Re: W2K PEAP MSCHAPV2 and IAS Certificates
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 22 Dec 2005 11:37:51 -0800
Hi there --
About your comments:
> Thank you James, but I'm still a little confused with server
> authentication. The IAS or Radius Server is being authenticated by the
> certificate, which has been created by the Certificate Authority
> service on that very server.
The IAS server uses the server certificate to prove its identity to client
computers. And although you might personally have deployed your CA on the
same computer as the IAS server, many organizations do not deploy their CAs
this way; they install Certificate Services on a separate computer (or
computers, if they have a large organization with many CAs). In either
case, the location where you install Certificate Services doesn't affect
IAS -- they are two totally separate services and operate independently of
each other, regardless of where they are installed. But yes, you are correct
that the server certificate is issued by the Certification Authority to the
IAS server.
About these comments:
> The server must have a certificate to prove its identity so that the
> client knows the server is valid, is this correct?
Yes, that is correct.
About these comments:
> If the server is
> part of a domain where the user account exists, why would that not be
> enough to validate the server? I mean, if the client authenticates to
> the server, why must the server still prove its identity to the
> client? It seems redundant.
The client computer doesn't have a method to absolutely and securely
determine the domain membership of the IAS server. Remember that the client
computer is on the *outside* of the RADIUS client -- the network access
server -- which is the wireless access point (other RADIUS clients are VPN
servers, authenticating switches, and dial-up servers). So the client
cannot "see" the IAS server, which is *inside* the network, or "behind" the
network access server/RADIUS client. All communications between the client
computer and the IAS server go through the network access server, as such:
Client computer --->>> RADIUS client/network access server --->>> IAS
server or proxy
Mutual authentication protects client computers from connecting to rogue
RADIUS clients and servers that are set up by hackers. If a hacker should
set up rogue servers and the unknowing user on the client types in a user
name and password and sends it to the rogue authenticating server, then the
hacker has obtained user account credentials and can log onto the network.
This security problem is thus solved (or at least it is seriously
mitigated) by the fact that there is mutual authentication, with the IAS
server required to prove its identity to the client computer.
"CitoT" <CitoT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:262F5B6D-B5BD-421F-B48C-555184CEB57B@xxxxxxxxxxxxx:
> Thank you James, but I'm still a little confused with server
> authentication. The IAS or Radius Server is being authenticated by the
> certificate, which has been created by the Certificate Authority
> service on that very server.
>
> So, as the client, the user in this case, logs into the domain he must
> enter the proper credentials to be authenticated, I get that part.
> The server must have a certificate to prove its identity so that the
> client knows the server is valid, is this correct? If the server is
> part of a domain where the user account exists, why would that not be
> enough to validate the server? I mean, if the client authenticates to
> the server, why must the server still prove its identity to the
> client? It seems redundant. Am I missing something here?
>
> Thanks,
> CitoT
>
> "James McIllece [MS]" wrote:
>
>> "CitoT" <CitoT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> news:40CD56BD-686D-4003-9B38-7433A7FCCF67@xxxxxxxxxxxxx:
>>
>> > Can someone explain how W2k IAS Server certificates are used when an
>> > XP SP2 client is set up with 802.1X authentication, PEAP-MSCHAP V2.
>> > The client does not seem to use/need a certificate, just the IAS Server. Why?
>> > Thanks all!
>> >
>>
>> PEAP-MS-CHAP v2 is designed so that user authentication is performed
>> with passwords, while server authentication is performed with a
>> server certificate. Therefore mutual authentication occurs -- the
>> client authenticates the server and the server authenticates the
>> client or user.
>>
>> The reason for the design of the authentication method is that it is
>> easier to deploy than an authentication method such as EAP-TLS, where
>> user authentication is performed with certificates. In the
>> circumstance of EAP-TLS, you must deploy a full PKI and distribute
>> certificates to users and/or computers, which can be both complex and
>> expensive.
>>
>> You can find more information on PEAP in the following whitepaper:
>>
>>
>> "The Advantages of Protected Extensible Authentication Protocol
>> (PEAP): A Standard Approach to User Authentication for IEEE 802.11
>> Wireless Network Access"
>> http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx
>>
>> --
>> James McIllece, Microsoft
>>
>> Please do not send email directly to this alias. This is my online
>> account name for newsgroup participation only.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
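The server-validation step James describes is what the supplicant's PEAP settings control. The fragment below is an added example, not from this thread or from Microsoft: it is the EapHostConfig portion of a Windows wireless profile (the netsh wlan profile XML used by Vista and later, which is newer than the XP SP2 client discussed here) with server certificate validation turned on, so the client checks the IAS server's certificate against a pinned root CA and an expected server name before it releases the MS-CHAP v2 password into the tunnel. The server name and the root CA thumbprint are placeholders for this example.

```xml
<!-- Added example: PEAP-MS-CHAP v2 EapHostConfig with server validation enabled.
     Assumed values: server name ias.corp.example.com, root CA thumbprint placeholder. -->
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <!-- EAP type 25 = PEAP (outer method, TLS tunnel authenticated by the IAS server cert) -->
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <!-- Do not let the user click through an unknown server certificate;
               a rogue RADIUS server then fails silently instead of harvesting a password -->
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <!-- Only accept a certificate whose subject matches the IAS server's name (assumed) -->
          <ServerNames>ias.corp.example.com</ServerNames>
          <!-- Only accept a chain that ends at this enterprise root CA;
               value is the SHA-1 thumbprint as space-separated hex bytes (placeholder) -->
          <TrustedRootCA>ROOT-CA-THUMBPRINT-PLACEHOLDER</TrustedRootCA>
        </ServerValidation>
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <!-- Inner method: EAP type 26 = MS-CHAP v2, password-based user authentication -->
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
            <UseWinLogonCredentials>true</UseWinLogonCredentials>
          </EapType>
        </Eap>
        <EnableQuarantineChecks>false</EnableQuarantineChecks>
        <!-- Bind the inner MS-CHAP v2 exchange to the outer TLS tunnel when the server supports it -->
        <RequireCryptoBinding>false</RequireCryptoBinding>
        <PeapExtensions>
          <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
          <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
```

With PerformServerValidation set to false, or the user prompt left enabled, the client would complete the TLS handshake with any server and send the MS-CHAP v2 response to it, which is exactly the rogue-server case the reply above warns about.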