Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista
OL-16534-01
Chapter 3 Configuring EAP Types
apparent. These weaknesses include a lack of protection of user identity, notification messages, or the
EAP negotiation; no standardized mechanism for key exchange; no built-in support for fragmentation
and reassembly; no support for acknowledged success or failure indicators; and a lack of support for fast
reconnect.
Protected Extensible Authentication Protocol (PEAP) addresses these weaknesses by wrapping the EAP
protocol within a Transport Layer Security (TLS) channel. Any EAP method running within PEAP is
provided with the following:
• Identity protection—The identity exchange is encrypted, and client certificates are provided only after the TLS channel has been negotiated.
• Header protection—Because the EAP method conversation is conducted within a TLS channel, the EAP header is protected against modification.
• Protected negotiation—Within PEAP, the EAP conversation is authenticated; integrity and replay are protected on a per-packet basis; and the EAP method negotiation that occurs within PEAP is protected, as are error messages sent within the TLS channel.
• Support for key exchange—To provide keying material for a wide range of link-layer ciphersuites, EAP methods should provide a key hierarchy that generates authentication and encryption keys, as well as initialization vectors. By relying on the TLS key derivation method, PEAP provides the required keying material for any EAP method running within it.
• Packet fragmentation and reassembly—Because EAP does not include support for fragmentation and reassembly, individual EAP methods need to include this capability. By including support for fragmentation and reassembly within PEAP, methods leveraging PEAP do not need to support fragmentation and reassembly on their own.
• Acknowledged success or failure indications—By sending success or failure indications within the TLS channel, PEAP provides support for protected termination of the EAP conversation. Acknowledged indications prevent an attacker from carrying out denial-of-service (DoS) attacks by spoofing EAP failure messages, or from tricking the EAP peer into accepting a rogue NAS by spoofing an EAP success message.
• Fast reconnect—Where EAP is used for authentication in wireless networks, the EAP method should be able to quickly reauthenticate when the client is roaming between access points. PEAP supports fast reconnect by leveraging the TLS session resumption facility. Any EAP method running within PEAP can use fast reconnect.
• Dictionary attack resistance—By conducting the EAP conversation within a TLS channel, PEAP protects an EAP method that would otherwise be subject to offline dictionary attacks if the EAP conversation were conducted in the clear.
How PEAP-GTC Works
PEAP-GTC works in two phases.
In phase 1, the client and the authentication server perform a TLS handshake to create an encrypted tunnel and to achieve server-side authentication, in the same way that a browser authenticates a Web server that uses Secure Sockets Layer (SSL). Only the server is authenticated in this phase, so the client must validate the server certificate (and the CA that issued it); otherwise a rogue access point can terminate the tunnel itself and read everything sent in phase 2. When phase 1 of PEAP is successfully completed, all subsequent EAP traffic is encrypted, including all sensitive user information.
Phase 2 is extensible. The client authenticates by using the GTC method within the TLS tunnel. EAP-GTC itself sends the user's password or token code as plain text inside the EAP packet; only the phase 1 tunnel keeps it confidential.
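The following is an added example, not code from the Cisco guide or from the adapter software. It builds the EAP packets involved in the two layers described above: the inner EAP-GTC request/response (RFC 3748, type 6), which shows that the password is carried as raw bytes at the EAP layer and is protected only by the tunnel, and the outer EAP-PEAP (type 25) fragmentation and reassembly, using the L (length included) and M (more fragments) flag bits that PEAP shares with EAP-TLS. The MTU, identifiers and sample TLS payload are constructed for the demonstration; in a real exchange each fragment is acknowledged by the peer before the next one is sent.

```python
"""EAP framing for the inner GTC method and the outer PEAP fragmentation layer.
Added example; not part of the original guide."""
import struct

# EAP codes and types (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_GTC = 6
EAP_TYPE_PEAP = 25

# PEAP/EAP-TLS flag bits in the octet that follows the Type octet
FLAG_LENGTH_INCLUDED = 0x80   # L: four-octet TLS Message Length follows
FLAG_MORE_FRAGMENTS = 0x40    # M: more fragments of this TLS message follow
FLAG_START = 0x20             # S: PEAP Start (server's first request)
PEAP_VERSION = 0              # PEAPv0 in the low three bits (assumption for this example)


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Decode an EAP packet into (code, identifier, type, type_data); type is None for Success/Failure."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 4:
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    return code, identifier, packet[4], packet[5:]


def build_gtc_request(identifier, prompt):
    """Inner EAP-Request/GTC: Type-Data is the challenge or prompt shown to the user."""
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_GTC, prompt)


def build_gtc_response(identifier, secret):
    """Inner EAP-Response/GTC: Type-Data is the password or token code as raw bytes.
    Nothing at this layer hides it; only the PEAP TLS tunnel does."""
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_GTC, secret)


def fragment_peap(tls_data, identifier, mtu):
    """Split a TLS record stream into EAP-Request/PEAP packets of at most mtu octets.
    The first fragment carries L plus the total TLS length; all but the last carry M."""
    packets, offset, first = [], 0, True
    while first or offset < len(tls_data):
        length_field = 4 if first else 0
        room = mtu - 4 - 1 - 1 - length_field      # EAP header, Type, Flags, optional length
        if room <= 0:
            raise ValueError("mtu too small for a PEAP fragment")
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        flags = PEAP_VERSION | (FLAG_LENGTH_INCLUDED if first else 0)
        if offset < len(tls_data):
            flags |= FLAG_MORE_FRAGMENTS
        type_data = bytes([flags])
        if first:
            type_data += struct.pack("!I", len(tls_data))
        packets.append(build_eap(EAP_REQUEST, identifier, EAP_TYPE_PEAP, type_data + chunk))
        identifier = (identifier + 1) & 0xFF       # each request gets a fresh Identifier
        first = False
    return packets


def reassemble_peap(packets):
    """Reassemble PEAP fragments, rejecting streams that end early or exceed the advertised length."""
    total, buf = None, bytearray()
    for pkt in packets:
        _code, _ident, eap_type, data = parse_eap(pkt)
        if eap_type != EAP_TYPE_PEAP:
            raise ValueError("not an EAP-PEAP packet")
        flags, rest = data[0], data[1:]
        if (flags & 0x07) != PEAP_VERSION:
            raise ValueError("unexpected PEAP version")
        if flags & FLAG_LENGTH_INCLUDED:
            advertised = struct.unpack("!I", rest[:4])[0]
            if total is not None and advertised != total:
                raise ValueError("inconsistent TLS Message Length across fragments")
            total, rest = advertised, rest[4:]
        buf += rest
        if total is not None and len(buf) > total:
            raise ValueError("fragments exceed advertised TLS Message Length")
        if not (flags & FLAG_MORE_FRAGMENTS):
            if total is not None and len(buf) != total:
                raise ValueError("last fragment arrived before advertised length was reached")
            return bytes(buf)
    raise ValueError("stream ended with the M flag still set")
```

`reassemble_peap` enforces the advertised TLS Message Length in both directions: a missing fragment or a spoofed "last" fragment is rejected instead of being handed to the TLS layer as a truncated record.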