Configuring PEAP for MAC RADIUS Authentication
Extensible Authentication Protocol (EAP) is an extensible protocol that provides support for multiple authentication methods, including password-based authentication methods and more secure certificate-based authentication methods. EAP facilitates the negotiation between the authenticator, or switching device, and the authentication server, to determine which authentication method to use for a supplicant. The default authentication method used for MAC RADIUS authentication is EAP-MD5, in which the server sends the client a random challenge value, and the client proves its identity by hashing the challenge and its password with MD5. Because EAP-MD5 only provides for client authentication and not for server authentication, it can be vulnerable to spoofing attacks.
You can configure the Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, to address the security vulnerabilities of EAP-MD5. PEAP is a protocol that encapsulates EAP packets within an encrypted and authenticated Transport Layer Security (TLS) tunnel. PEAP is referred to as the outer authentication protocol because it sets up the tunnel and is not directly involved with authenticating the endpoints. The inner authentication protocol, used to authenticate the client’s MAC address inside the tunnel, is Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2). The encrypted exchange of information inside the tunnel ensures that user credentials are safe from eavesdropping.
One of the advantages of PEAP, when used with MS-CHAPv2, is that it requires only a server-side certificate to establish the secure tunnel, and uses server-side public key certificates to authenticate the server. This eliminates the overhead involved in deploying digital certificates for every client that requires authentication.
Once a client has been authenticated on the switch using MAC RADIUS authentication, subsequent clients can use the same outer tunnel that was established by the first client to communicate with the server. This is achieved using the session resumption functionality provided by SSL. Session resumption reduces latency that can occur as subsequent clients wait for a new TLS tunnel to be established.
Before you configure the PEAP authentication protocol for MAC RADIUS authentication, make sure that the authentication server is also configured to use PEAP with MS-CHAPv2 as the inner authentication protocol. For information about configuring the authentication server, consult the documentation for your server.
To configure the PEAP authentication protocol for MAC RADIUS authentication:
- Configure the eap-peap option for the authentication protocol statement:
user@switch# set protocols dot1x authenticator interface interface-name mac-radius authentication-protocol eap-peap
- (Optional) Enable session resumption to allow for faster
authentication of subsequent clients:
user@switch# set protocols dot1x authenticator interface interface-name mac-radius authentication-protocol eap-peap resume
- Load the server-side SSL certificate using either the
filename or path.
To load the certificate using the file name:
user@root# run load ssl-certificate file certificate-name
To load the certificate using the file path:
user@root# run load ssl-certificate path certificate-path
To verify the certificates:
user@root# run show ssl-certificates
The authentication protocol can be configured globally using the interface all option as well as locally using the individual interface name. If the authentication protocol is configured both for an individual interface and for all interfaces, the local configuration for that interface overrides the global configuration.