The Cable Guy - July 2002

PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access

TechNet's The Cable Guy

By The Cable Guy

The recommended configuration for secure Windows wireless client access is the combination of the following:

  • Windows XP wireless clients

    Windows XP has built-in support for IEEE 802.11-based network access and IEEE 802.1X authentication using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)—a certificate-based authentication method.

  • Windows Server 2003 or Windows 2000 Active Directory domains

    Active Directory provides the computer and user accounts, dial-in properties, and groups to manage wireless access.

  • Windows Server 2003 or Windows 2000 Internet Authentication Service (IAS)

    IAS is a Remote Authentication Dial-In User Service (RADIUS) server that performs authentication, authorization, and accounting for many types of network access, including wireless.

  • A public key infrastructure (PKI) that uses Windows Server 2003 or Windows 2000 certification authorities (CAs)

    A PKI is used to issue certificates to the IAS server and the wireless clients for EAP-TLS authentication.

This configuration is described in the Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows article. Because many elements of the authentication infrastructure already exist, this configuration is suitable for medium to very large organizations. However, this configuration is not practical for a small business.

Secure wireless access for small businesses is obtained through the use of Protected EAP (PEAP) with the Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2) EAP type (known as PEAP with MS-CHAP v2), provided with Windows XP Service Pack 1 (SP1), Windows XP Service Pack 2 (SP2), Windows Server 2003, and Windows 2000 Service Pack 4 (SP4).

PEAP Overview

IEEE 802.1X uses EAP to authenticate network clients before allowing access to the network. Originally designed for Point-to-Point Protocol (PPP) connections, EAP allows you to create arbitrary authentication schemes to validate network access. The requesting access client and the authenticating server must first negotiate the use of a specific EAP authentication scheme, which is known as an EAP type. After the EAP type is agreed upon, EAP allows for an open-ended conversation between the access client and the authenticating server (usually a RADIUS server). The conversation consists of requests for authentication information by the authenticating server and responses from the client. The length and detail of the conversation depends on the EAP type.

EAP is designed to allow authentication plug-in modules at both the access client and authenticating server ends of a connection. By installing an EAP type library file on both of these ends, a new EAP type can be supported. An advantage to using EAP for authentication is that the access server does not have to be updated to support new EAP types.

Although EAP provides authentication flexibility, the entire EAP conversation might be sent as clear text (unencrypted). A malicious user with access to the media can inject packets into the conversation or capture the EAP messages from a successful authentication for analysis. This is especially problematic for wireless connections, where the malicious user can be located outside of your business. EAP occurs during the IEEE 802.1X authentication process, before wireless frames are encrypted with Wired Equivalent Privacy (WEP).

PEAP is an EAP type that addresses this security issue by first creating a secure channel that is both encrypted and integrity-protected with Transport Level Security (TLS). Then, a new EAP negotiation with another EAP type occurs, authenticating the network access attempt of the client. Because the TLS channel protects EAP negotiation and authentication for the network access attempt, password-based authentication protocols that are normally susceptible to an offline dictionary attack can be used for authentication in wireless environments.

MS-CHAP v2 Overview

MS-CHAP v2 is a password-based, challenge-response, mutual authentication protocol that uses the industry-standard Message Digest 4 (MD4) and Data Encryption Standard (DES) algorithms to encrypt responses. The authenticating server challenges the access client and the access client challenges the authenticating server. If either challenge is not correctly answered, the connection is rejected. MS-CHAP v2 was originally designed by Microsoft as a PPP authentication protocol to provide better protection for dial-up and virtual private network (VPN) connections. With Windows XP SP1, Windows XP SP2, Windows Server 2003, and Windows 2000 SP4, MS-CHAP v2 is also an EAP type.

Although MS-CHAP v2 provides better protection than previous PPP-based challenge-response authentication protocols, it is still susceptible to an offline dictionary attack. A malicious user can capture a successful MS-CHAP v2 exchange and methodically guess passwords until the correct one is determined. Using the combination of PEAP with MS-CHAP v2, the MS-CHAP v2 exchange is protected with the strong security of the TLS channel.

PEAP with MS-CHAP v2 Operation

The PEAP authentication process occurs in two parts. The first part is the use of EAP and the PEAP EAP type to create an encrypted TLS channel. The second part is the use of EAP and a different EAP type to authenticate network access. This section examines PEAP with MS-CHAP v2 operation, using as an example, a wireless client that attempts to authenticate to a wireless access point (AP) that uses a RADIUS server for authentication and authorization.

PEAP Part 1-Creating the TLS Channel

The following steps are used to create the PEAP TLS channel:

  1. After creating the logical link, the wireless AP sends an EAP-Request/Identity message to the wireless client.
  2. The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
  3. The EAP-Response/Identity message is sent by the wireless AP to the RADIUS server. From this point on, the logical communication occurs between the RADIUS server and the wireless client, using the wireless AP as a pass-through device.
  4. The RADIUS server sends an EAP-Request/Start PEAP message to the wireless client.
  5. The wireless client and the RADIUS server exchange a series of TLS messages through which the cipher suite for the TLS channel is negotiated and the RADIUS server sends a certificate chain to the wireless client for authentication.

At the end of the PEAP negotiation, the RADIUS server has authenticated itself to the wireless client. Both nodes have determined mutual encryption and signing keys (using public key cryptography, not passwords) for the TLS channel.

PEAP Part 2-Authenticating With MS-CHAP v2

After the PEAP TLS channel is created, the following steps are used to authenticate the wireless client credentials with MS-CHAP v2:

  1. The RADIUS server sends an EAP-Request/Identity message.
  2. The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
  3. The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Challenge message that contains a challenge string.
  4. The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Response message that contains both the response to the RADIUS server challenge string and a challenge string for the RADIUS server.
  5. The RADIUS server sends an EAP-Request/EAP-MS-CHAP-V2 Success message, which indicates that the wireless client response was correct and contains the response to the wireless client challenge string.
  6. The wireless client responds with an EAP-Response/EAP-MS-CHAP-V2 Ack message, indicating that the RADIUS server response was correct.
  7. The RADIUS server sends an EAP-Success message.

At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge of the correct password (the response to the RADIUS server challenge string), and the RADIUS server has provided proof of knowledge of the correct password (the response to the wireless client challenge string). The entire exchange is encrypted through the TLS channel created in PEAP part 1.

PEAP Fast Reconnect

You can also use PEAP to quickly resume a TLS session. If PEAP Part 2 is successful, the RADIUS server can cache the TLS session created during PEAP Part 1. Because the cache entry was created through a successful PEAP Part 2 authentication process, the session can be resumed without having to perform PEAP Part 1 or PEAP Part 2. In this case, an EAP-Success message is sent immediately for a reauthentication attempt. This is known as fast reconnect. Fast reconnect minimizes the connection delay in wireless environments when a wireless client roams from one wireless AP to another.

PEAP Support in Windows

PEAP with MS-CHAP v2 is provided with Windows XP SP1, Windows XP SP2, and Windows 2000 SP4 as part of enhanced EAP and IEEE 802.1X support. This allows Windows XP SP1, Windows XP SP2, and Windows 2000 SP4 wireless clients to use PEAP with MS-CHAP v2 for secure wireless access—with passwords rather than certificates. The IAS networking component provided with Windows Server 2003 and Windows 2000 SP4 also supports PEAP with MS-CHAP v2, allowing an IAS server to authenticate wireless clients running Windows XP with SP1, Windows XP with SP2, or Windows 2000 with SP4.

PEAP with MS-CHAP v2 requires certificates on the IAS servers but not on the wireless clients. IAS servers must have a certificate installed in their Local Computer certificate store. Instead of deploying a PKI, you can purchase individual certificates from a third-party CA to install on your IAS servers. To ensure that wireless clients can validate the IAS server certificate chain, the root CA certificate of the CA that issued the IAS server certificates must be installed on each wireless client.

Windows XP includes the root CA certificates of many third-party CAs. If you purchase your IAS server certificates from a third-party CA that corresponds to an included root CA certificate, no additional wireless client configuration is required. If you purchase your IAS server certificates from a third party CA for which Windows XP does not include a corresponding root CA certificate, you must install the root CA certificate on each wireless client.

For More Information

For more information about PEAP and wireless support in Windows, consult the following resources:

  • IEEE 802.1X Authentication for Wireless Connections (April 2002 Cable Guy article)
  • IEEE 802.11b Wireless Networking Overview (March 2002 Cable Guy article)
  • Microsoft Wireless Networks Web site

For a list of all The Cable Guy articles, click here.