A Tour of the EAP-PEAP-MSCHAPv2 Ladder

This section contains the following information:

About EAP-PEAP MSCHAPv2

EAP-PEAP MSCHAPv2 Handshake Exchange Summary

About EAP-PEAP MSCHAPv2

The authenticated wireless access design based on Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2) uses the user account credentials (user name and password) stored in Active Directory Domain Services to authenticate wireless access clients, instead of smart cards or user and computer certificates.

EAP-PEAP MSCHAPv2 Handshake Exchange Summary

Table 1 describes how a typical 802.1X authentication session flows when using ClearPass as the authentication server with Microsoft Active Directory as the back-end user identity repository.

The term supplicant refers to a client device, such as a laptop, tablet, or mobile phone requesting access to a network.

The term authenticator refers to a network device, such as an Aruba Mobility Controller or an Instant Access Point (AP), which controls access to a network resource.

The term authentication server refers to the ClearPass Policy Manager server, which processes the authentication requests and provides either an accept or reject response.

Each section of Table 1 is followed by a diagram that illustrates the communication steps between the devices described in the table. The numbers of each step in the table correspond to the numbers assigned to the handshake sequences in the accompanying illustrations.

Table 1: Detailed Sequence of the EAP-PEAP-Active Directory Handshake Exchange

Extensible Authentication Protocol over LAN (EAPOL) Start

1. The authenticator sends an EAP-Request for the identity of the connecting supplicant (client device).

2. The supplicant responds to the authenticator with an EAP Identity Response that contains the identity (username) used for authentication. This is referred to as the "Outer Identity."

3. The authenticator forwards the EAP Identity Response with the identity of the user to the authentication server (ClearPass Policy Manager).

Active Directory

4. The authentication server performs an LDAP lookup against its configured Active Directory authentication sources to find the user's name in the directory, along with some basic LDAP attributes, such as sAMAccountName.

5. The LDAP server responds to the authentication server's LDAP search request with the answers to the LDAP lookup.

EAPOL

6. The authentication server responds to the supplicant, through the authenticator, with an EAP-Request message indicating that it wants to initiate EAP-PEAP.

7. The authenticator passes the EAP-Request message to the supplicant.

Transport Layer Security (TLS) Tunnel Setup

8. The supplicant sends a Transport Layer Security (TLS) "Client Hello" message within an EAP-Response message, through the authenticator, to the authentication server.

9. The authenticator passes the EAP-Response message containing the TLS Client Hello message to the authentication server.

10. The authentication server responds to the authenticator with TLS Handshake messages of types "Server Hello," "Certificate," "Server Key Exchange," and "Server Hello Done."

11. The authenticator forwards the TLS handshake messages between the authentication server and the supplicant inside EAP-Request (server) and EAP-Response (supplicant) messages.

12. Steps 10 and 11 repeat until the authentication server has transmitted all of its handshake messages. This can take several round trips, because the certificates must be split into fragments that fit within the size limits of an EAP message.

13. The supplicant sends another TLS Handshake message inside an EAP-Response message, of types "Client Key Exchange," "Change Cipher Spec," "Handshake," and "Client Finished," to the authenticator.

14. The authenticator sends this EAP-Response to the authentication server.

15. The authentication server responds to the authenticator with an EAP-Request for the supplicant that contains the message types "Change Cipher Spec" and "Server Finished."

16. The authenticator passes the EAP message to the supplicant.

17. The supplicant sends an EAP-Response for the authentication server to the authenticator.

18. The authenticator sends the EAP-Response to the authentication server.
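Step 12 is where a good deal of PEAP troubleshooting ends up: the server's certificate chain rarely fits in one EAP packet, so it travels in fragments whose L (length present) and M (more fragments) flags tell the peer how to reassemble it. The following added example, which is not ClearPass or Aruba code, fragments a constructed stand-in for that handshake flight and reassembles it with the checks a receiving peer should make. The EAP header layout follows RFC 3748 and the PEAP flag byte; the MTU value, the Identifier start value and the sample payload are assumptions.

```python
"""Fragment and reassemble a TLS handshake flight carried inside EAP-PEAP.

Added example, not ClearPass or Aruba code.  Packet layout: EAP header
(Code, Identifier, Length) per RFC 3748, then Type 25 (PEAP) and the PEAP
flag byte (L, M, S bits plus a 3-bit version).  MTU and payload are
constructed sample values.
"""
import struct
from typing import List

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start
PEAP_VERSION = 0                             # low three bits of the flag byte

# Constructed stand-in for a server certificate flight (not a real certificate).
SAMPLE_FLIGHT = bytes(range(256)) * 12       # 3072 bytes, far more than one EAP packet
MTU = 1000                                   # assumed per-packet EAP limit (sample value)


def fragment(tls_data: bytes, code: int, first_id: int, max_eap_len: int) -> List[bytes]:
    """Split tls_data into EAP packets no longer than max_eap_len bytes.

    The first fragment carries the L bit and the 4-octet total TLS length so the
    peer can size its buffer; every fragment except the last carries the M bit.
    The Identifier increments per packet, since each fragment is acknowledged.
    """
    packets, offset, ident = [], 0, first_id
    while True:
        first = offset == 0
        header_len = 6 + (4 if first else 0)     # code, id, length, type, flags [, TLS length]
        room = max_eap_len - header_len
        if room <= 0:
            raise ValueError("max_eap_len too small for a PEAP header")
        chunk = tls_data[offset:offset + room]
        offset += len(chunk)
        flags = PEAP_VERSION | (FLAG_L if first else 0)
        if offset < len(tls_data):
            flags |= FLAG_M
        body = bytes([EAP_TYPE_PEAP, flags])
        if first:
            body += struct.pack("!I", len(tls_data))
        body += chunk
        packets.append(struct.pack("!BBH", code, ident, 4 + len(body)) + body)
        ident = (ident + 1) & 0xFF
        if offset >= len(tls_data):
            return packets


def reassemble(packets: List[bytes]) -> bytes:
    """Put fragments back together, rejecting the malformed cases a peer must not tolerate."""
    buf, expected_len = bytearray(), None
    for i, pkt in enumerate(packets):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt):
            raise ValueError("EAP Length field does not match packet size")
        eap_type, flags = pkt[4], pkt[5]
        if eap_type != EAP_TYPE_PEAP:
            raise ValueError("not a PEAP packet")
        data = pkt[6:]
        if flags & FLAG_L:
            if i != 0:
                raise ValueError("L bit set on a non-initial fragment")
            expected_len = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        buf += data
        if not flags & FLAG_M:
            if i != len(packets) - 1:
                raise ValueError("M bit clear before the final fragment")
            break
    else:
        raise ValueError("last fragment still had the M bit set")
    if expected_len is not None and len(buf) != expected_len:
        raise ValueError("announced TLS length %d, received %d" % (expected_len, len(buf)))
    return bytes(buf)


def demo():
    """Fragment the sample flight as server EAP-Requests and check the round trip."""
    frags = fragment(SAMPLE_FLIGHT, EAP_REQUEST, first_id=7, max_eap_len=MTU)
    return len(frags), reassemble(frags) == SAMPLE_FLIGHT


if __name__ == "__main__":
    print(demo())
```

With these sample values the 3072-byte flight becomes four EAP-Requests, each answered by an empty EAP-Response before the next is sent, which is the repetition step 12 describes. The two checks at the end of reassemble are the ones that matter operationally: an announced length that does not match the received bytes, or a final fragment still flagged M, should abort the conversation rather than be silently accepted.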

 

 

Inner EAP MSCHAPv2

19. Inside the TLS tunnel, the EAP process starts again: the authentication server sends an EAP Identity Request to the supplicant requesting the client's identity.

20. The authenticator sends the EAP Identity Request message to the supplicant.

21. The supplicant responds to the authenticator with an EAP Identity Response containing its identity.

22. The authenticator forwards this EAP Identity Response to the authentication server.

Active Directory

23. The authentication server performs an LDAP lookup against its configured Active Directory authentication sources to find the user's name in the directory, along with some basic LDAP attributes, such as sAMAccountName.

24. The LDAP server responds to the LDAP search request with the answers to the query.

Inner EAP MSCHAPv2

25. The authentication server sends an EAP-Request to the supplicant containing an MS-CHAPv2 challenge.

26. The authenticator forwards the EAP-Request to the supplicant.

27. The supplicant responds to the authenticator with an EAP-Response containing its MS-CHAPv2 response to the challenge.

28. The authenticator forwards this EAP-Response to the authentication server.

Active Directory

29. The authentication server takes the username and the MSCHAPv2 response from the supplicant, combines them with the MSCHAPv2 challenge and the NetBIOS name of the Active Directory domain, and submits this set of information to the Active Directory domain controller for authentication. This is done via NT LAN Manager (NTLM).

30. The Active Directory domain controller informs the authentication server that the authentication was successful.

Inner EAP MSCHAPv2

31. The authentication server sends to the authenticator an EAP-Request message for the supplicant with an MSCHAPv2 success message and an authenticator response string from the Active Directory domain controller.

32. The authenticator passes the EAP-Request with the MSCHAPv2 success message and the authenticator response to the supplicant.

33. The supplicant sends to the authenticator an EAP-Response message for the authentication server with an MSCHAPv2 success message.

34. The authenticator sends the EAP-Response message from the supplicant with the MSCHAPv2 success message to the authentication server.

35. The authentication server sends an EAP-Request message to the authenticator indicating that the inner EAP method was successful.

36. The authenticator forwards this EAP-Request to the supplicant.

37. The supplicant sends to the authenticator an EAP-Response for the authentication server, acknowledging that the inner EAP method was successful.

38. The authenticator forwards the EAP-Response from the supplicant to the authentication server.

 

 

 

EAPOL

39. The authentication server sends a RADIUS Access-Accept message to the authenticator with an EAPOL success message along with the key material.

40. The authenticator sends an EAPOL success message to the supplicant.

41. The authenticator and supplicant complete a four-way handshake to start the flow of encrypted wireless traffic.
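The "key material" in step 39 is delivered in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key vendor attributes of the Access-Accept (RFC 2548), and the only thing protecting it on the wire between ClearPass and the controller or AP is the RADIUS shared secret. The following added example, which is not ClearPass or Aruba code, wraps and unwraps a key with the RFC 2548 algorithm (an MD5 keystream over the shared secret, Request Authenticator and a per-attribute salt) and packs it into the Vendor-Specific attribute; the shared secret, Request Authenticator, salt and key bytes are constructed sample values.

```python
"""Wrap and unwrap the MS-MPPE key attributes carried in the Access-Accept (step 39).

Added example, not ClearPass or Aruba code.  Algorithm from RFC 2548
section 2.4.2; all byte values below are constructed for the demonstration.
"""
import hashlib
import struct

VENDOR_MICROSOFT = 311          # Vendor-Id used by the MS-MPPE attributes
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17

# Constructed sample inputs (not real secrets or keys).
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))      # 16 octets from the Access-Request
SALT = b"\x80\x01"                            # high bit set, unique per attribute in a packet
PMK = bytes(range(100, 132))                  # 32-octet stand-in for the key the AP will use


def mppe_encrypt(secret: bytes, request_authenticator: bytes, salt: bytes, key: bytes) -> bytes:
    """Return Salt || C(1)..C(n), the String field of an MS-MPPE key attribute."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be two octets with the high bit set")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if len(key) > 255:
        raise ValueError("key too long for the one-octet length prefix")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)      # pad to a whole number of 16-octet blocks
    out = bytearray()
    prev = request_authenticator + salt         # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ q for p, q in zip(plain[i:i + 16], b))
        out += c
        prev = c                                # b(i) = MD5(S + c(i-1))
    return salt + bytes(out)


def mppe_decrypt(secret: bytes, request_authenticator: bytes, attribute_value: bytes) -> bytes:
    """Recover the key from the String field; the authenticator side of step 39."""
    salt, cipher = attribute_value[:2], attribute_value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(p ^ q for p, q in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("key length exceeds attribute")
    return bytes(plain[1:1 + key_len])


def build_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap the encrypted String in a RADIUS Vendor-Specific (type 26) attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(inner), VENDOR_MICROSOFT) + inner


def demo():
    """Server wraps the key, authenticator unwraps it; returns (VSA length, round trip ok)."""
    attr = mppe_encrypt(SECRET, REQUEST_AUTHENTICATOR, SALT, PMK)
    vsa = build_vsa(MS_MPPE_RECV_KEY, attr)
    return len(vsa), mppe_decrypt(SECRET, REQUEST_AUTHENTICATOR, attr) == PMK


if __name__ == "__main__":
    print(demo())
```

The construction gives confidentiality only against someone without the shared secret and offers no integrity of its own; the packet's Response Authenticator and Message-Authenticator cover that. In practice this is the argument for long random RADIUS secrets per authenticator and for running the ClearPass to controller path over a protected transport, because anyone who can read that exchange and knows the secret can unwrap the key that step 41's four-way handshake is built on.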