The Register: MS to use PEAP in new wireless products


The Register reports
that Microsoft may ship its newly announced home and office 802.11 gear
with Protected Extensible Authentication Protocol (PEAP) support in
order to provide secure authenticated access over the wireless
connection. PEAP is a form of EAP negotiation that essentially wraps
TLS (aka SSL) around an otherwise unencrypted EAP session. Microsoft
has also posted its July “Cable Guy” article, “PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access”, which goes into more depth on how PEAP works and how to integrate it into a current Windows crypto infrastructure.
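To make the "TLS wrapped around EAP" description concrete, here is an added example (not from The Register or Microsoft's article) that parses EAP packets and reports which parts a passive listener can read. The EAP codes, type numbers and L/M/S flag bits are the standard ones; the `build` helper and the sample packets are constructed for illustration.

```python
import struct

# EAP codes and method types from RFC 3748 and the IANA EAP registry.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}
# Flag bits shared by the TLS-based methods; other bits are not interpreted here.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length included, More fragments, Start

def build(code, ident, etype, data=b""):
    """Assemble a Request/Response packet (used only for the constructed samples)."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), etype) + data

def parse_eap(pkt):
    """Parse one EAP packet and report what a passive observer can read from it."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, code), "id": ident, "cleartext": None}
    if code in (3, 4):  # Success and Failure carry no type or data
        return out
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    etype, data = pkt[4], pkt[5:length]
    out["type"] = TYPES.get(etype, etype)
    if etype == 1:  # the outer identity travels before any tunnel exists
        out["cleartext"] = data.decode("utf-8", "replace")
    elif etype in TLS_BASED:
        if not data:
            raise ValueError("missing flags byte")
        flags, body = data[0], data[1:]
        out["start"] = bool(flags & FLAG_S)
        out["more_fragments"] = bool(flags & FLAG_M)
        if flags & FLAG_L:  # four-byte total TLS message length follows the flags
            if len(body) < 4:
                raise ValueError("L flag set but length field missing")
            out["tls_total_len"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        out["tls_bytes"] = len(body)  # opaque TLS data (handshake, then the tunnelled inner EAP)
    return out

# Constructed sample exchange (not captured traffic).
SAMPLES = [
    build(2, 1, 1, b"anonymous"),      # Response/Identity, readable on the air
    build(1, 2, 25, bytes([FLAG_S])),  # Request/PEAP with the Start flag
    build(2, 2, 25, bytes([FLAG_L]) + struct.pack("!I", 8) + b"\x16\x03\x01\x00\x03abc"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(parse_eap(p))
```

Only the outer identity is readable; once the PEAP exchange starts, everything after the flags byte is TLS data, which is where the password-based inner method runs.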

So, a few comments. This does solve a significant problem present today
with 802.11 wireless communication: performing authentication in a
secured fashion, even over an insecure channel. There are a few
problems, though. First, each access point must now have a TLS
certificate, which is fine if you’re VeriSign or
if you’re shelling out the dough for Microsoft’s CA implementation
across your organization. Second, it means that the APs need to have
the ability to handle multiple TLS sessions at one time, which means
significantly more CPU horsepower than is currently associated (sorry,
bad pun) with the APs out there. Lastly, it implies that you have PEAP
support on the client, which is fine if you’re running Windows XP SP1
(rumored to have a PEAP client included in its upcoming release) but is not so good if you’re
using a more commodity device.

Let’s call this a step in the right direction, but still way too complicated for any but the most technically astute geeks.


This article has 3 comments

  1. Christian 08/26/2002, 9:56 am:

    Actually it's the authentication server
    not the AP that would need a certificate.
    Presumably, several APs can be authenticated
    by a single AAA server with a single cert.

  2. Shannon 08/30/2002, 9:40 am:

    PEAP works basically the same as TTLS. The authentication server, not the AP, has a certificate so that the client can verify its identity and use the certificate to encrypt the EAP session when providing the username/password used to allow the client access to the network.

  3. Rod Lawson 09/25/2002, 9:46 pm:

    Perhaps Microsoft will distribute a patch for predated OS which will install the certificate on the client end. Companies using TTLS are making a packet (no pun intended) forcing hosts to either bear the cost of the client certificate or the host has to pass that cost onto the client. It’s just too much trouble to go to, and each RADIUS brand will have a different certificate. At least with Microsoft there will be a standard.
