July 14, 2002

The Register: MS to use PEAP in new wireless products

The Register reports that Microsoft may ship its newly announced home and office 802.11 gear with Protected Extensible Authentication Protocol (PEAP) support, in order to provide secure, authenticated access over the wireless link. PEAP is a form of EAP negotiation that essentially wraps TLS (aka SSL) around an otherwise unencrypted EAP session. Microsoft has also posted its July "Cable Guy" article, entitled "PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access", which goes into more depth on how PEAP works and how to integrate it into a current Windows crypto infrastructure.

So, a few comments. First of all, this does solve a significant problem present today with 802.11 wireless communication: performing authentication in a secured fashion, even over an insecure channel. There are a few problems, though. First, each access point must now have a TLS certificate, which is fine if you're VeriSign or if you're shelling out the dough for Microsoft's CA implementation across your organization. Second, it means that the APs need to be able to handle multiple TLS sessions at one time, which means significantly more CPU horsepower than is currently associated (sorry, bad pun) with the APs out there. Lastly, it implies that you have PEAP support on the client, which is fine if you're running Windows XP SP1 (rumored to include a PEAP client in its upcoming release) but not so good if you're using a more commodity device.

Let's call this a step in the right direction, but still way too complicated for any but the most technically astute geeks. Posted by dsifry at July 14, 2002 10:23 PM

Comments

Actually, it's the authentication server, not the AP, that would need a certificate. Presumably, several APs can be authenticated by a single AAA server with a single cert.

Posted by: Christian at August 26, 2002 9:56 AM

PEAP works basically the same as TTLS. The authentication server, not the AP, has a certificate so that the client can verify its identity and use the certificate to encrypt the EAP session when providing the username/password used to allow the client access to the network.

Posted by: Shannon at August 30, 2002 9:40 AM
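The mechanism described in the post's second paragraph and in Shannon's comment (the authentication server presents a certificate, the client checks it, and only then does the username/password EAP exchange run inside the TLS tunnel), as an added example that is not part of the original post, the comments, The Register article or Microsoft's PEAP code. The EAP packet framing, the PEAP flags byte and fragment reassembly follow RFC 3748 and the PEAP draft; everything else is an assumption made so the script runs offline: the server certificate is a constructed dict checked by issuer name, `tunnel` is an HMAC-SHA256 keystream standing in for TLS record protection (it is not TLS), the MS-CHAPv2 payload is a placeholder, and the function names (`eap_build`, `peap_fragment`, `peap_exchange`, `visible_identities`) are mine.

```python
"""Model of PEAP's outer/inner split: what crosses the air in the clear, what
only crosses it inside the tunnel, and the certificate check that gates Phase 2.
Real pieces: EAP framing (RFC 3748), PEAP flags (L = length included,
M = more fragments, S = start) and fragment reassembly. Labelled stand-ins:
the cert dict, the keystream tunnel and the MS-CHAPv2 placeholder."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 3748 Codes
TYPE_IDENTITY, TYPE_PEAP, TYPE_MSCHAPV2 = 1, 25, 26               # EAP method Types
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20                         # PEAP flags byte

def eap_build(code, ident, type_=None, data=b""):
    """Encode one EAP packet; Success/Failure carry no Type byte."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_parse(pkt):
    """Decode an EAP packet. Bytes past Length are link-layer padding and are
    ignored (RFC 3748 4.1); a Length larger than the buffer is rejected."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet")
    pkt = pkt[:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": ident, "type": None, "data": b""}
    if length < 5:
        raise ValueError("Request/Response without Type")
    return {"code": code, "id": ident, "type": pkt[4], "data": pkt[5:]}

def peap_fragment(payload, ident, mtu):
    """Wrap a TLS payload in PEAP Response packets of at most `mtu` payload bytes.
    First fragment sets L and carries the total length; all but the last set M.
    (The per-fragment ACK round trips of real PEAP are omitted in this model.)"""
    out, off = [], 0
    while True:
        chunk, off = payload[off:off + mtu], off + mtu
        last = off >= len(payload)
        flags = (FLAG_L if not out else 0) | (0 if last else FLAG_M)
        hdr = bytes([flags]) + (struct.pack("!I", len(payload)) if flags & FLAG_L else b"")
        out.append(eap_build(EAP_RESPONSE, ident + len(out), TYPE_PEAP, hdr + chunk))
        if last:
            return out

def peap_reassemble(packets):
    """Inverse of peap_fragment; verifies the advertised total length."""
    buf, total = b"", None
    for p in packets:
        e = eap_parse(p)
        if e["type"] != TYPE_PEAP:
            raise ValueError("not a PEAP packet")
        flags, data = e["data"][0], e["data"][1:]
        if flags & FLAG_L:
            total, data = struct.unpack("!I", data[:4])[0], data[4:]
        buf += data
        if not flags & FLAG_M:
            break
    if total is not None and len(buf) != total:
        raise ValueError("reassembled %d bytes, advertised %d" % (len(buf), total))
    return buf

def tunnel(key, counter, data):
    """STAND-IN for TLS record protection (assumption, not TLS): XOR with an
    HMAC-SHA256 counter-mode keystream. The same call decrypts."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hmac.new(key, struct.pack("!QI", counter, i), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def peap_exchange(user, trusted_ca, server_cert, outer_identity="anonymous", mtu=1000):
    """Model one PEAP authentication. Returns (wire, ok): every outer EAP packet a
    sniffer sees, and whether the client released its real identity at all."""
    wire = [eap_build(EAP_REQUEST, 1, TYPE_IDENTITY),
            eap_build(EAP_RESPONSE, 1, TYPE_IDENTITY, outer_identity.encode()),
            eap_build(EAP_REQUEST, 2, TYPE_PEAP, bytes([FLAG_S]))]  # PEAP Start
    # Phase 1: the client's check before anything secret leaves the box. The
    # certificate must chain to a CA the client trusts (modelled as an issuer
    # match on the constructed cert dict); otherwise abort with no Phase 2.
    if server_cert["issuer"] != trusted_ca:
        wire.append(eap_build(EAP_FAILURE, 2))
        return wire, False
    key = os.urandom(32)  # stands in for the TLS session keys of Phase 1
    # Phase 2: the real identity and the MS-CHAPv2 response are themselves EAP
    # packets, but they cross the air only inside tunnel records.
    inner = [eap_build(EAP_RESPONSE, 1, TYPE_IDENTITY, user.encode()),
             eap_build(EAP_RESPONSE, 2, TYPE_MSCHAPV2, b"<MS-CHAPv2 response>")]
    for n, pkt in enumerate(inner):
        wire.extend(peap_fragment(tunnel(key, n, pkt), 10 + 10 * n, mtu))
    wire.append(eap_build(EAP_SUCCESS, 30))
    return wire, True

def visible_identities(wire):
    """What a passive sniffer learns: cleartext outer EAP-Identity responses."""
    parsed = [eap_parse(p) for p in wire]
    return [e["data"].decode() for e in parsed
            if e["code"] == EAP_RESPONSE and e["type"] == TYPE_IDENTITY]
```

Calling `peap_exchange("alice@example.com", "Example Corp CA", {"subject": "radius.example.com", "issuer": "Example Corp CA"}, mtu=8)` (constructed values) yields eleven outer packets, and `visible_identities` on them returns only `["anonymous"]`: the real username never appears outside the tunnel. The branch worth checking in a real client is the abort: with the issuer changed to something the client does not trust, the exchange stops after the PEAP Start and no Phase 2 traffic is produced. A client that skips that certificate check would hand its Phase 2 credentials to whichever server answered the Start, which is the authentication-over-an-insecure-channel problem the post says PEAP is meant to fix.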

Perhaps Microsoft will distribute a patch for predated OS which will install the certificate on the client end. Companies using TTLS are making a packet (no pun intended) forcing hosts to either bear the cost of the client certificate or the host has to pass that cost onto the client. It's just too much trouble to go to, and each radius brand will have a different certificate. At least with Microsoft there will be a standard.

Posted by: Rod Lawson at September 25, 2002 9:46 PM