Wednesday, October 23, 2019

Drowning in EAP confusion please someone throw me a lifeline

I've spent half the day trying to understand NPS and Authentication Methods. All the books say nice things, but when you stop and think about it, they make no sense at all. Asking for help is a last resort, but please someone throw me a bone.

Just imagine for a minute there's a switch / AP, a client and an NPS Radius Server.

  1. If you set up 802.1X for MSCHAPv2, you're going to get prompted for a username and password, you type the details, the password is used to hash a nonce, the NPS does the same on the other side, and if they match you have proof of password and network access. Nice and simple.
  2. If you set up 802.1X for Protected EAP, clients use the certificate to trust the identity of the NPS. TLS encapsulation is negotiated for the authentication process. Clients can then use MSCHAPv2 to authenticate knowing the connection is encrypted in a TLS tunnel. Nice and simple.
  3. If you set up 802.1X for EAP-TLS, the client and the server both have certificates signed by CAs that must be trusted on either end. Then certificates are exchanged such as with TLS, which allows the session to be encrypted.

There are 3 problems I have:

  1. Do you still need AD credentials or is the certificate enough? One resource states that the Username and Password are exchanged first. After that the TLS session is established using certificates. This makes no sense, why would you send credentials before the session?
  2. Some resources say you cannot have certificates and AD authentication at the same time. But wouldn't you need certificates to encrypt the 'session' and AD credentials for the accountability part of AAA? Or is the certificate being given to the AD user object enough?
  3. The term TLS Session keeps being used. What does this even mean? Some resources make it sound like the session is there purely to encrypt MSCHAPv2 credential proof. Other resources make it sound like there is a persistent session. Which is confusing again because RADIUS is meant to be AAA, the Authentication and Auth make sense, but for there to be accounting this implies RADIUS is always being updated with information. How does that work? Are all packets proxied to RADIUS first and that is the session?

I'm just mostly confused with the order of everything. It makes sense with EAP-MSCHAPv2 and PEAP. Not EAP-TLS.

If anyone knows or even has a good resource that explains it that would be super helpful.
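
The message order the post asks about, as an added example that is not part of the original post: a small parser for EAP packets (RFC 3748 header, RFC 5216 EAP-TLS flags) run over a constructed EAP-TLS exchange. The identity string, the TLS placeholder bytes and the function names are assumptions made for the illustration.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # EAP-TLS flag bits (RFC 5216)

def build(code, ident, eap_type=None, data=b""):
    """Serialize an EAP packet: code, identifier, length, then type + data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Decode one EAP packet, rejecting inconsistent length fields."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt):
        raise ValueError("EAP length field does not match packet")
    out = {"code": CODES.get(code, code), "id": ident}
    if code in (1, 2) and length > 4:
        etype, data = pkt[4], pkt[5:length]
        out["type"] = TYPES.get(etype, etype)
        if etype == 1:  # Identity: a name only, there is no password field
            out["identity"] = data.decode("utf-8", "replace")
        elif etype == 13 and data:
            flags, tls = data[0], data[1:]
            if flags & FLAG_L:  # 4-byte total TLS message length comes first
                if len(tls) < 4:
                    raise ValueError("truncated TLS message length")
                tls = tls[4:]
            out.update(start=bool(flags & FLAG_S), more=bool(flags & FLAG_M),
                       tls_bytes=len(tls))
    return out

TLS = b"\x16\x03\x03" + b"\x00" * 5  # constructed stand-in for handshake records
EXCHANGE = [  # constructed EAP-TLS conversation in RFC 5216 order
    build(1, 1, 1),                                 # server: who are you?
    build(2, 1, 1, b"host/laptop01.example.test"),  # peer: identity only
    build(1, 2, 13, bytes([FLAG_S])),               # server: EAP-TLS Start
    build(2, 2, 13, b"\x00" + TLS),  # peer: ClientHello
    build(1, 3, 13, b"\x00" + TLS),  # server: ServerHello, cert, CertificateRequest
    build(2, 3, 13, b"\x00" + TLS),  # peer: cert, CertificateVerify, Finished
    build(1, 4, 13, b"\x00" + TLS),  # server: ChangeCipherSpec, Finished
    build(2, 4, 13, b"\x00"),        # peer: empty EAP-TLS acknowledgement
    build(3, 4),                     # server: EAP-Success
]

if __name__ == "__main__":
    for pkt in EXCHANGE:
        print(parse(pkt))
```

The only message sent before the TLS handshake is the Identity response, which carries a name and no password; in EAP-TLS the client certificate is the credential.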


