Saturday, January 5, 2019

EAP Type? PEAP, EAP-TLS, or EAP-TTLS?

I’m curious as to what type of “secure” EAP the following configuration would be classified as.

I used a test lab to try out some ideas I have been reading on. The lab has about 5 machines (laptops) and a single hypervisor running several Windows Server VMs.

I have configured a PKI for an Active Directory domain using an offline root CA and an online intermediate CA. All domain-joined clients automatically enroll a CSR to the intermediate CA and have it signed. Also, all domain-joined clients are configured to trust the root CA certificate. So, all domain clients have a trusted machine certificate to present to one another.

I created a test SSID on our wireless infrastructure which uses 802.1X authentication to a Windows Network Policy Server in the test lab. The NPS server has a server certificate in the domain’s PKI to present to clients to establish TLS. It also authenticates the clients based on whether their machine certificate is trusted.

I used a GPO to configure client computers to auto-join the wireless network, setting the clients to only attempt to authenticate if the authenticator (and thus, RADIUS server behind the authenticator) presents a trusted certificate (and specifically in the chain of trust of my root CA, not any CA).

So, clients attempt to authenticate with the RADIUS server, establish a TLS tunnel to the server, and are authenticated based on their certificates.

It seems to me that this would be an example of Protected EAP (PEAP) which just so happens to authenticate based on client certificates. I don’t think this is EAP-TLS exactly, since I don’t see any evidence that the TLS tunnel for authentication requires the client certificate in order to be established; rather, the certificate is used after the TLS tunnel is established simply as an EAP authentication mechanism. EAP-TLS would require both sides to have trusted certificates to establish the TLS tunnel, and then would pass on an authentication mechanism, right? Also, I suppose this could be an example of EAP-TTLS? I’m still a bit confused on how to tell the difference between PEAP and EAP-TTLS.

Anyway, how would you all classify this kind of configuration? And would you consider such a network secure?
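
The quickest way to settle which method the supplicant and NPS actually negotiated is to capture the EAPOL (or RADIUS EAP-Message) frames and read the EAP Type byte of the server's first EAP-Request after Identity (RFC 3748 section 4.1): type 13 is EAP-TLS (RFC 5216), type 21 is EAP-TTLS (RFC 5281), type 25 is PEAP. In EAP-TLS the client certificate is part of the TLS handshake itself, so a TLS 1.2 capture shows CertificateRequest from the server and Certificate plus CertificateVerify from the client in the clear. PEAP and EAP-TTLS build a server-authenticated-only tunnel first and carry the client authentication inside it: PEAP tunnels a second EAP method (on NPS, "Smart Card or other certificate" inside PEAP is PEAP-EAP-TLS), while EAP-TTLS tunnels RADIUS-style AVPs that can carry either an EAP method or a legacy password method. The parser below, an added example rather than anything from this post or from Windows, decodes the EAP header, the TLS-method flags byte and the cleartext handshake message types, and reports both the method and whether a client certificate was exchanged in the outer handshake. The two exchanges it runs over are constructed by hand with empty handshake bodies, enough for the parser to see message types; a real capture would be fed in as the raw EAP packets. Note the TLS 1.2 assumption: under TLS 1.3 the Certificate messages are encrypted and this cleartext check no longer applies.

```python
"""Classify the EAP method an 802.1X exchange is using: decode the EAP header
(RFC 3748), the TLS-method flags byte (RFC 5216 / RFC 5281 / PEAP) and the
cleartext TLS 1.2 handshake message types.  Added example, not from the post;
the frames at the bottom are constructed with empty handshake bodies."""
import struct

EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_METHODS = set(EAP_TYPES)
NAK = 3                              # client rejects offered type, lists wanted ones
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            13: "CertificateRequest", 14: "ServerHelloDone",
            15: "CertificateVerify", 16: "ClientKeyExchange"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length-included, more-fragments, start


def parse_eap(pkt: bytes) -> dict:
    """Return code, identifier, type and (for TLS methods) flags + TLS payload."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    info = {"code": code, "id": ident, "type": None, "tls": b"", "start": False}
    if code not in (1, 2):           # Success/Failure carry no Type byte
        return info
    etype = pkt[4]
    info["type"] = etype
    if etype == NAK:
        info["nak_wants"] = list(pkt[5:])
    elif etype in TLS_METHODS:
        flags = pkt[5]
        info["start"] = bool(flags & FLAG_S)
        info["version"] = flags & 0x07        # PEAP / EAP-TTLS version bits
        off = 6
        if flags & FLAG_L:                    # 4-byte total TLS length precedes data
            info["tls_total_len"] = struct.unpack("!I", pkt[6:10])[0]
            off = 10
        info["tls"] = pkt[off:]
    return info


def handshake_types(tls: bytes) -> list:
    """Walk TLS records and return handshake message types found in cleartext."""
    types, i = [], 0
    while i + 5 <= len(tls):
        ctype, rlen = tls[i], struct.unpack("!H", tls[i + 3:i + 5])[0]
        body, i = tls[i + 5:i + 5 + rlen], i + 5 + rlen
        if ctype != 0x16:                     # not a handshake record
            continue
        j = 0
        while j + 4 <= len(body):
            htype = body[j]
            hlen = int.from_bytes(body[j + 1:j + 4], "big")
            types.append(htype)
            j += 4 + hlen
    return types


def classify(frames: list) -> dict:
    """Name the outer method and say whether the client certificate was part of
    the outer TLS handshake (true for EAP-TLS, false for PEAP / EAP-TTLS)."""
    method, hs = None, []
    for f in frames:
        p = parse_eap(f)
        if p["type"] in TLS_METHODS:
            method = EAP_TYPES[p["type"]]
            hs.extend(handshake_types(p["tls"]))
    return {"method": method,
            "handshake": [HS_NAMES.get(t, t) for t in hs],
            "client_cert_in_outer_handshake": 13 in hs and 15 in hs}


def eap(code, ident, etype, data=b""):
    """Build one EAP packet: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([etype]) + data


def tls_records(*msgs):
    """One TLS 1.2 handshake record holding the given (type, body) messages."""
    hs = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

# Constructed EAP-TLS exchange: server flight carries CertificateRequest and
# the client answers with Certificate + CertificateVerify in the clear.
EAP_TLS_FRAMES = [
    eap(1, 1, 13, bytes([FLAG_S])),
    eap(2, 1, 13, b"\x00" + tls_records((1, b""))),
    eap(1, 2, 13, b"\x00" + tls_records((2, b""), (11, b""), (13, b""), (14, b""))),
    eap(2, 2, 13, b"\x00" + tls_records((11, b""), (16, b""), (15, b""))),
]
# Constructed PEAP exchange: the outer tunnel authenticates only the server;
# a client certificate (PEAP-EAP-TLS) would travel inside the tunnel, not here.
PEAP_FRAMES = [
    eap(1, 1, 25, bytes([FLAG_S])),
    eap(2, 1, 25, b"\x00" + tls_records((1, b""))),
    eap(1, 2, 25, b"\x00" + tls_records((2, b""), (11, b""), (14, b""))),
    eap(2, 2, 25, b"\x00" + tls_records((16, b""))),
]

if __name__ == "__main__":
    for name, frames in (("EAP-TLS", EAP_TLS_FRAMES), ("PEAP", PEAP_FRAMES)):
        print(name, classify(frames))
```

Run against the constructed frames, the EAP-TLS exchange reports the client certificate in the outer handshake and the PEAP exchange does not; on a real capture the same check distinguishes NPS's "Smart Card or other certificate" (EAP-TLS, type 13) from "PEAP" with that method tunnelled inside (type 25, client certificate only visible after decrypting the tunnel).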
