EAP-PEAP Authentication Protocol

The EAP-PEAP (Protected EAP) protocol is similar to EAP-TTLS. Unlike EAP-TTLS, which can tunnel any kind of authentication request (such as PAP or CHAP) and extended attributes, PEAP can tunnel only other EAP protocols inside its connection.

EAP-PEAP works in two phases:

  • In Phase 1, the client authenticates the server and uses a TLS handshake to create an encrypted tunnel.

  • In Phase 2, the server authenticates the user or machine credentials using an EAP authentication protocol. The EAP authentication is protected by the encrypted tunnel created in Phase 1. The authentication type negotiated during Phase 2 can be any valid EAP type, such as MS-CHAPv2.

Configuring EAP-PEAP as an EAP Authentication Method

Note

A valid server certificate must be in place on the SBR Carrier server before you configure the EAP-PEAP authentication protocol. For information about configuring certificates, see Certificates.

To configure EAP-PEAP on a SBR Carrier server using the Web GUI:

  1. Select RADIUS Configuration > Authentication Policies > EAP Methods.

    The EAP Methods List page (Figure 92) appears.

  2. Select EAP-PEAP.

    The Selected EAP Method: EAP-PEAP pane (Figure 112) appears.

    Figure 112: Selected EAP Method: EAP-PEAP Pane

  3. Select the Enable EAP-PEAP Method check box to enable the EAP-PEAP method.

    Note

    You can also enable the EAP-PEAP method from the EAP Methods List page: click the Status column of the EAP-PEAP entry, select the check box that appears, and click Apply.

  4. Configure request filters for the EAP-PEAP protocol. For more information about configuring request filters, see Configuring Request Filters—EAP-PEAP.

  5. Configure response filters for the EAP-PEAP protocol. For more information about configuring response filters, see Configuring Response Filters—EAP-PEAP.

  6. Configure session resumption for the EAP-PEAP protocol. For more information about configuring session resumption, see Configuring Session Resumption—EAP-PEAP.

  7. Configure inner authentication for the EAP-PEAP protocol. For more information about configuring inner authentication, see Configuring Inner Authentication Settings—EAP-PEAP.

  8. Configure advanced server settings for the EAP-PEAP protocol. For more information about configuring advanced server settings, see Configuring Advanced Server Settings—EAP-PEAP.

  9. Click Save to save the configuration.

Configuring Request Filters—EAP-PEAP

Request filters affect the attributes of inner authentication requests. By default, SBR Carrier does not use request filters.

Note

You must configure filters using the Filters page before you can associate them with the EAP-PEAP authentication method. For information about configuring filters, refer to Setting Up Filters.

To configure request filtering for the EAP-PEAP protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-PEAP pane, click the Request Filters tab (Figure 113).

    Figure 113: EAP-PEAP—Request Filters

  2. Optionally, select the Transfer Outer Attribs to New check box and select the filter you want to use from the Transfer Outer Attribs to New list.

    This filter affects only a new inner authentication request (rather than continuations of previous requests).

    • If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.

    • If this filter is not specified, no attributes from the outer request are transferred to the inner request.

  3. Optionally, select the Transfer Outer Attribs to continue check box and select the filter you want to use from the Transfer Outer Attribs to continue list.

    This filter affects only a continued inner authentication request (rather than the first inner authentication request). If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.

    If this filter is not specified, no attributes from the outer request are transferred to the inner request.

  4. Optionally, select the Edit New check box and select the filter you want to use from the Edit New list.

    This filter affects only a new inner authentication request (rather than continuations of previous requests). If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (by the filter specified in Step 2) and attributes included in the inner authentication request sent through the tunnel by the client.

    If this filter is not specified, the request remains unaltered.

  5. Optionally, select the Edit Continue check box and select the filter you want to use from the Edit Continue list.

    This filter affects only a continued inner authentication request (rather than a new inner authentication request). If this filter is specified, it is applied to the inner request that is the cumulative result of attributes transferred from the outer request (by the filter specified in Step 3) and attributes included in the inner authentication request sent through the tunnel by the client.

    If this filter is not specified, the request remains unaltered.

Configuring Response Filters—EAP-PEAP

Response filters affect the attributes in the final response (Access-Accept or Access-Reject) returned to the originating NAD. By default, SBR Carrier does not use response filters.

To configure response filtering for the EAP-PEAP protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-PEAP pane, click the Response Filters tab (Figure 114).

    Figure 114: EAP-PEAP—Response Filters

  2. Optionally, select the Transfer Inner Attribs to Accept check box and select the filter you want to use from the Transfer Inner Attribs to Accept list.

    This filter affects only an outer Access-Accept response that is sent back to a NAD.

    • If this filter is specified, the filter is applied to the inner authentication response and all resulting attributes are transferred to the outer authentication response.

    • If this filter is not specified, no inner authentication response attributes are transferred to the outer authentication response.

  3. Optionally, select the Transfer Inner Attribs to Reject check box and select the filter you want to use from the Transfer Inner Attribs to Reject list.

    This filter affects only a continued inner authentication request (rather than the first inner authentication request). If this filter is specified, all attributes from the outer request are transferred to the inner request and this filter is applied. The transfer occurs and the filter is applied before any attributes specified in the inner authentication are added to the request.

    If this filter is not specified, no attributes from the outer request are transferred to the inner request.
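The request-filter pipeline (Request Filters tab, steps 2 through 5) and the response-filter pipeline (Response Filters tab, steps 2 and 3) modelled in Python, as an added example that is not SBR Carrier code. The filter names, the allow/exclude filter semantics, the attribute values and the configuration dictionary are all constructed for illustration, the product's own filter language being richer than this; the Reject path is assumed to mirror the Accept path. What the model makes visible is the ordering: the transfer filter runs on the outer attributes before anything from the tunnel is added, and the edit filter runs on the cumulative result.

```python
# Added example (not SBR Carrier code): a model of the EAP-PEAP request- and
# response-filter pipeline.  Filter names, allow/exclude semantics and the
# sample attribute values are constructed for illustration.

# Each filter is an action plus a set of attribute names.
FILTERS = {
    "nas-attrs-only": ("allow", {"NAS-IP-Address", "NAS-Port", "Called-Station-Id"}),
    "no-station-ids": ("exclude", {"Called-Station-Id", "Calling-Station-Id"}),
    "accept-to-nad": ("allow", {"Filter-Id", "Session-Timeout"}),
}


def apply_filter(name, attrs):
    """Return the (attribute, value) pairs of attrs that filter `name` lets through."""
    mode, members = FILTERS[name]
    if mode == "allow":
        return [(a, v) for a, v in attrs if a in members]
    return [(a, v) for a, v in attrs if a not in members]


def build_inner_request(outer, inner_from_client, cfg, new_request):
    """Request Filters tab: Transfer Outer Attribs to New/continue, then Edit New/Continue.

    cfg maps each check box to a filter name, or None when the box is cleared.
    """
    transfer = cfg["transfer_new"] if new_request else cfg["transfer_continue"]
    edit = cfg["edit_new"] if new_request else cfg["edit_continue"]
    # 1. Transfer filter: outer attributes are copied into the inner request and
    #    filtered before anything from the tunnel is added.  No transfer filter
    #    means nothing from the outer request is carried across.
    request = apply_filter(transfer, outer) if transfer else []
    # 2. Attributes the client sent inside the TLS tunnel are added.
    request = request + list(inner_from_client)
    # 3. Edit filter: acts on the cumulative result; none means unaltered.
    return apply_filter(edit, request) if edit else request


def build_outer_response(inner_response, accepted, cfg):
    """Response Filters tab: Transfer Inner Attribs to Accept/Reject.

    With a filter, the inner response is filtered and the survivors go into the
    outer Access-Accept (or Access-Reject); without one nothing is transferred.
    The Reject case is assumed to mirror the Accept case.
    """
    transfer = cfg["transfer_accept"] if accepted else cfg["transfer_reject"]
    return apply_filter(transfer, inner_response) if transfer else []


def names(attrs):
    """Attribute names only, in order, for compact inspection."""
    return [a for a, _ in attrs]


# Constructed sample traffic.
OUTER_REQUEST = [
    ("User-Name", "anonymous@example.net"),  # outer (anonymous) identity
    ("NAS-IP-Address", "192.0.2.10"),
    ("NAS-Port", "7"),
    ("Called-Station-Id", "00-00-5E-00-53-01:corp-wlan"),
    ("Calling-Station-Id", "00-00-5E-00-53-AA"),
]
INNER_FROM_CLIENT = [
    ("User-Name", "alice"),  # real identity, seen only inside the tunnel
    ("EAP-Message", "<inner EAP MS-CHAPv2 payload>"),
]
INNER_ACCEPT = [
    ("Filter-Id", "employees"),
    ("Session-Timeout", "600"),
    ("Reply-Message", "hello alice"),
]
CFG = {
    "transfer_new": "nas-attrs-only", "edit_new": "no-station-ids",
    "transfer_continue": None, "edit_continue": None,
    "transfer_accept": "accept-to-nad", "transfer_reject": None,
}

if __name__ == "__main__":
    print("new inner request:     ", names(build_inner_request(OUTER_REQUEST, INNER_FROM_CLIENT, CFG, True)))
    print("continued inner request:", names(build_inner_request(OUTER_REQUEST, INNER_FROM_CLIENT, CFG, False)))
    print("outer Access-Accept:    ", names(build_outer_response(INNER_ACCEPT, True, CFG)))
    print("outer Access-Reject:    ", names(build_outer_response(INNER_ACCEPT, False, CFG)))
```

With this configuration a new inner request keeps only the NAS attributes from the outer request plus the tunnelled identity and EAP payload, the continued request carries nothing from the outer request because its transfer box is cleared, and the Access-Reject carries no inner attributes at all. Note that the outer anonymous User-Name never reaches the inner request, which is the usual reason for a restrictive transfer filter.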

Configuring Session Resumption—EAP-PEAP

You use session resumption settings to specify whether session resumption is permitted and under what circumstances session resumption is performed.

Note

For session resumption to work, the NAD must be configured to handle the Session-Timeout return list attribute, so that the NAD can notify the client to reauthenticate after the session timer has expired.

To configure session resumption for the EAP-PEAP protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-PEAP pane, click the Session Resumption tab (Figure 115).

    Figure 115: EAP-PEAP—Session Resumption

  2. In the Session Timeout (In Seconds) field, enter the maximum number of seconds you want the client to remain connected to the NAD before having to reauthenticate.

    If you enter a number greater than 0, the lesser of this value and the remaining resumption limit is sent in a Session-Limit attribute to the RADIUS client on the RADIUS Access-Accept response.

    If you enter 0, no Session-Limit attribute is generated. This does not prevent the authentication methods performing secondary authorization from providing a value for this attribute.

    Entering a value such as 600 seconds (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally efficient.

  3. Enter the value to be returned in a Termination-Action attribute in the Termination Action field.

    The Termination-Action attribute is a standard attribute supported by most access points and determines what happens when the session timeout is reached. Valid values are:

    • -1: Do not send the attribute; the default value. This does not prevent any authentication method that performs secondary authorization from providing a value for this attribute.

    • 0: Send the Termination-Action attribute with a value of 0.

    • 1: Send the Termination-Action attribute with a value of 1.

  4. Enter the maximum number of seconds you want the client to be able to reauthenticate using the TLS session resumption feature in the Resumption Limit(In Seconds) field.

    This type of reauthentication is fast and computationally efficient. It does, however, depend on previous authentications and is not as secure as a complete (computationally expensive) authentication. Specifying a value of 0 disables the session resumption feature.

    Best Practice

    Using the Resumption Limit Option Effectively

    Two scenarios where the resumption limit can be used effectively:

    • In a wireless environment, the client is moving between access points. The resumption limit can be tuned to make the handover between access points smoother by not forcing a complete reauthorization that requires repeated verification of user information.

      When the new access point queries SBR Carrier, the server replies that the session ID is already valid. Because it is known to be good, repeating the inner authentication is not required, which saves some time. The access point acknowledges the reauthorization not required message and the session continues.

    • Another use for resumption limit occurs when the server ordinarily requires the client to reauthorize every 10 minutes or so, to ensure the client is still connected. Setting the resumption limit to 3600 seconds with a session timeout of 600 seconds means that the interval reauthorizations are fast and efficient, and a complete reauthorization is required just once an hour instead of every 10 minutes.
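The interaction between the Session Timeout, Resumption Limit and Termination Action settings above, including the 3600-second/600-second scenario from the best practice, as an added Python model that is not SBR Carrier code. The model assumes that the remaining resumption limit is measured from the last complete (inner) authentication and that the client reauthenticates exactly when the returned timer expires; the attribute is named Session-Limit here because that is what step 2 calls it.

```python
# Added example (not SBR Carrier code): a model of how Session Timeout,
# Resumption Limit and Termination Action shape the Access-Accept and the
# resulting pattern of fast (resumed) versus complete reauthentications.


def remaining_resumption(resumption_limit, elapsed_since_full_auth):
    """Seconds of TLS session-resumption eligibility left, or None when the
    Resumption Limit is 0 (feature disabled).  Assumed to count from the last
    complete authentication."""
    if resumption_limit <= 0:
        return None
    return max(0, resumption_limit - elapsed_since_full_auth)


def accept_attributes(session_timeout, resumption_limit, elapsed, termination_action=-1):
    """Timer attributes placed in the RADIUS Access-Accept.

    Session Timeout > 0: send the lesser of it and the remaining resumption limit.
    Session Timeout = 0: send no timer attribute.
    Termination Action -1: do not send; 0 or 1: send that value.
    """
    attrs = {}
    if session_timeout > 0:
        rem = remaining_resumption(resumption_limit, elapsed)
        attrs["Session-Limit"] = session_timeout if rem is None else min(session_timeout, rem)
    if termination_action in (0, 1):
        attrs["Termination-Action"] = termination_action
    elif termination_action != -1:
        raise ValueError("Termination Action must be -1, 0 or 1")
    return attrs


def simulate(session_timeout, resumption_limit, horizon, termination_action=-1):
    """Timeline of reauthentications within `horizon` seconds.

    Returns (time, kind) pairs where kind is "full" (complete authentication,
    inner method repeated) or "resumed" (TLS session resumption, inner skipped).
    """
    events = [(0, "full")]
    now, full_auth_at = 0, 0
    while True:
        limit = accept_attributes(session_timeout, resumption_limit,
                                  now - full_auth_at, termination_action).get("Session-Limit")
        if not limit:  # no timer returned: the NAD never forces a reauthentication
            break
        now += limit
        if now >= horizon:
            break
        rem = remaining_resumption(resumption_limit, now - full_auth_at)
        if rem:  # still inside the resumption window: fast path
            events.append((now, "resumed"))
        else:    # window exhausted (or resumption disabled): complete authentication
            events.append((now, "full"))
            full_auth_at = now
    return events


if __name__ == "__main__":
    # Best-practice scenario: timeout 600 s, resumption limit 3600 s, two hours.
    for t, kind in simulate(600, 3600, 7200):
        print(f"t={t:5d}s  {kind}")
    # Resumption limit shorter than a multiple of the timeout: the "lesser of" rule.
    print(simulate(600, 1000, 2000))
    print(accept_attributes(600, 1000, 600, termination_action=1))
```

Over two hours the best-practice settings produce one complete authentication per hour and five resumed ones in between; with a resumption limit of 1000 seconds the second Access-Accept returns only the 400 seconds left in the window rather than the full 600, and the next reauthentication is a complete one.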

Configuring Inner Authentication Settings—EAP-PEAP

Inner authentication settings let you specify the manner in which the inner authentication step operates.

To configure inner authentication settings for the EAP-PEAP protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-PEAP pane, click the Inner Authentication tab (Figure 116).

    Figure 116: EAP-PEAP—Inner Authentication

  2. Optionally, enter the name of a directed realm in the Directed Realm field.

    Specifying the name of a directed realm causes the request to be routed based on the methods listed in the directed realm. Omitting this setting causes the inner authentication request to be handled like any other request received from a NAD.

  3. Optionally, enter the name of a realm selection script in the Realm Selection Script field.

    You must license the optional JavaScripting module to use realm selection scripts. For information about realm selection scripting, refer to Creating Realm Selection Scripts.

Configuring Advanced Server Settings—EAP-PEAP

You use advanced server settings to specify the manner in which the inner authentication step operates.

To configure advanced server settings for the EAP-PEAP protocol using the Web GUI:

  1. In the Selected EAP Method: EAP-PEAP pane, click the Advanced Server Settings tab (Figure 117).

    Figure 117: EAP-PEAP—Advanced Server Settings

  2. In the TLS Message Fragment Length field, enter the maximum length of the TLS message that may be generated during each iteration of the TLS exchange.

    Enter a number in the range 500 through 4096 bytes. This value affects the number of RADIUS challenge/response round-trips required to conclude the TLS exchange. A value of 1400 bytes may result in 6 round-trips, while a value of 500 bytes may result in 15 round-trips.

    Some access points may have problems with RADIUS responses or EAP messages that exceed the size of one Ethernet frame (1500 bytes including IP/UDP headers).

    The default length for TLS messages is 1020 bytes, which prevents the RADIUS challenge response (carried in a UDP packet) from exceeding one Ethernet frame.

  3. In the Max Transaction Time field, enter the maximum number of seconds you want for the authentication sequence to complete.

    If the authentication sequence takes longer than this setting, user authentication is aborted.

  4. In the Challenge Timeout field, enter the number of seconds after which a challenge request times out.

    You can enter a value greater than or equal to 1 second, but this value must not exceed the value specified in the Max Transaction Time field. The default value is 30 seconds.

  5. Select the Return MPPE Keys check box to specify whether the EAP-PEAP module includes RADIUS MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes in the final RADIUS Access-Accept response sent to the access point.

    Select this check box if the access point needs to key the WEP encryption. If the access point is authenticating only end users and WEP is not being used, you can clear this check box.

  6. Use the TLS Protocol Version list to specify the TLS protocol version on which the server expects the client to initiate the handshake process.

    Valid values are TLSv1, TLSv1.1, and TLSv1.2.

  7. Use the DH Prime Bits list to specify the number of bits in the prime number that the module uses for Diffie-Hellman exponentiation.

    Selecting a longer prime number makes the system less susceptible to certain types of attacks but requires more CPU processing to compute the Diffie-Hellman key agreement operation.

    Valid values are 512, 1024, 1536, 2048, 3072, and 4096 bits.

  8. In the Cipher Suites field, enter the TLS cipher suites (in order of preference) that the server is to use.

    These cipher suites are documented in RFC 2246, The TLS Protocol Version 1, RFC 4346, The TLS Protocol Version 1.1, and RFC 5246, The TLS Protocol Version 1.2.

    Default value is 0x003C,0x003D,0x0067,0x006B,0x0039,0x0038,0x0033,0x0035,0x002F,0x000a,0x0005,0x0004,0x0007.

    See Table 36 for the list of tested cipher suites and their TLS protocol versions.

  9. In the PEAP Minimum Version field, enter the minimum version of the PEAP protocol that you want the server to negotiate.

    If you enter 0, the server negotiates version 0.

    If you enter 1, the server negotiates version 1.

    Note

    The value entered in this setting must be less than or equal to the value entered for the PEAP Maximum Version field.

  10. In the PEAP Maximum Version field, enter the maximum version of the PEAP protocol that you want the server to negotiate.

    If you enter 0, the server negotiates version 0.

    If you enter 1, the server negotiates version 1.

    Note

    The value entered in this setting must be equal to or greater than the value entered for the PEAP Minimum Version field.
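An added Python example, not SBR Carrier code, for the TLS Message Fragment Length setting (step 2) and the PEAP Minimum/Maximum Version bounds (steps 9 and 10). It splits a constructed TLS handshake message into EAP-PEAP fragments using the RFC 5216 flags layout (with the PEAP version in the low three bits of the flags byte), counts the round-trips that result for 500, 1020 and 1400 bytes, and estimates the size of the Access-Challenge carrying the first fragment against a 1500-byte Ethernet frame. Assumptions: the fragment length bounds the TLS data per fragment, the RADIUS State attribute is 34 bytes, and the 6000-byte message is a constructed stand-in for a server certificate chain; the round-trip counts therefore differ from the figures quoted in step 2, which depend on the real handshake size.

```python
import math

# Flags byte of an EAP-PEAP packet (same layout as EAP-TLS, RFC 5216); the
# PEAP version is carried in the low three bits.
FLAG_LENGTH_INCLUDED = 0x80   # L: 4-byte total TLS message length follows
FLAG_MORE_FRAGMENTS = 0x40    # M: another fragment follows this one
FLAG_START = 0x20             # S: PEAP Start (first server request, not modelled here)
VERSION_MASK = 0x07

# Fixed protocol overheads used for the frame-size estimate.
EAP_HEADER = 5                # code, identifier, length (2), type
RADIUS_HEADER = 20
EAP_MESSAGE_ATTR_MAX = 253    # largest EAP-Message attribute payload (RFC 2869)
MESSAGE_AUTHENTICATOR = 18
IP_UDP_HEADERS = 28
ETHERNET_PAYLOAD = 1500


def fragment_tls_message(tls_message, fragment_length, peap_version=0):
    """Split a TLS message into EAP-PEAP data payloads: flags [+ length] + data.

    fragment_length is assumed to bound the TLS data per fragment (the TLS
    Message Fragment Length setting, 500..4096).  The server sends one payload
    per Access-Challenge, so len(result) is the round-trips this message costs.
    """
    if not 500 <= fragment_length <= 4096:
        raise ValueError("TLS Message Fragment Length must be 500..4096 bytes")
    if peap_version not in (0, 1):
        raise ValueError("PEAP version must be 0 or 1")
    total = len(tls_message)
    fragments = []
    for offset in range(0, total, fragment_length):
        data = tls_message[offset:offset + fragment_length]
        more = offset + fragment_length < total
        flags = peap_version & VERSION_MASK
        if more:
            flags |= FLAG_MORE_FRAGMENTS
        if offset == 0 and more:
            # Only the first fragment of a fragmented message carries the total length.
            flags |= FLAG_LENGTH_INCLUDED
            fragments.append(bytes([flags]) + total.to_bytes(4, "big") + data)
        else:
            fragments.append(bytes([flags]) + data)
    return fragments


def peap_version_of(payload):
    """PEAP version carried in a received payload's flags byte."""
    return payload[0] & VERSION_MASK


def access_challenge_size(fragment_length, state_attr_len=34):
    """Estimated on-the-wire size of the Access-Challenge carrying a first fragment.

    state_attr_len is an assumed size for the RADIUS State attribute; the rest
    are standard header sizes.  Each EAP-Message attribute adds a 2-byte
    type/length header per 253 bytes of EAP packet.
    """
    eap_packet = EAP_HEADER + 1 + 4 + fragment_length        # flags + length + data
    n_attrs = math.ceil(eap_packet / EAP_MESSAGE_ATTR_MAX)
    radius = RADIUS_HEADER + eap_packet + 2 * n_attrs + MESSAGE_AUTHENTICATOR + state_attr_len
    return radius + IP_UDP_HEADERS


def fits_in_one_frame(fragment_length, state_attr_len=34):
    """True when the estimated Access-Challenge fits one Ethernet frame."""
    return access_challenge_size(fragment_length, state_attr_len) <= ETHERNET_PAYLOAD


def peap_version_problems(minimum, maximum):
    """Checks for the PEAP Minimum/Maximum Version fields; empty list = consistent."""
    problems = []
    for label, value in (("PEAP Minimum Version", minimum), ("PEAP Maximum Version", maximum)):
        if value not in (0, 1):
            problems.append(f"{label} must be 0 or 1")
    if not problems and minimum > maximum:
        problems.append("PEAP Minimum Version must be less than or equal to PEAP Maximum Version")
    return problems


if __name__ == "__main__":
    handshake = bytes(6000)   # constructed stand-in for a server Certificate message
    for length in (500, 1020, 1400):
        print(f"{length} bytes -> {len(fragment_tls_message(handshake, length))} round-trips, "
              f"{access_challenge_size(length)}-byte Access-Challenge, "
              f"fits one frame: {fits_in_one_frame(length)}")
    print(peap_version_problems(1, 0))
```

With the assumed overheads the default of 1020 bytes yields an Access-Challenge of about 1140 bytes, comfortably inside one frame, whereas 1400 bytes pushes it to about 1522 bytes, which is the situation step 2 warns about for access points that cannot handle a RADIUS response larger than one Ethernet frame; a smaller fragment length buys that safety at the cost of more round-trips.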