EAP-MSCHAPv2
============

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-MSCHAPv2?**

    **EAP-MSCHAPv2** stands for **Extensible Authentication Protocol - Microsoft Challenge Handshake Authentication Protocol version 2**.
    It is a two-way authentication protocol commonly used for wireless networking and Virtual Private Networks (VPNs).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-MSCHAPv2?**

    EAP-MSCHAPv2 is an authentication protocol that allows mutual authentication between the client and the server.
    It is used in EAP to provide secure authentication, using a challenge-response method to verify the client and server identities.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-MSCHAPv2 useful?**

    * Provides secure mutual authentication between client and server.
    * Widely used in enterprise Wi-Fi (WPA2 Enterprise) and VPN systems.
    * Prevents replay attacks through challenge-response encryption.
    * Ensures confidentiality during the authentication process by hashing sensitive information.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    1. The client sends an authentication request to the server.
    2. The server responds with a challenge (a random number).
    3. The client hashes the challenge with its password and sends the hash back to the server.
    4. The server checks if the hash is correct and authenticates the client if it matches.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-MSCHAPv2 used?**

    * **WPA2 Enterprise** for secure Wi-Fi authentication.
    * **VPNs** for secure remote access.
    * **RADIUS-based authentication** in enterprise networks.
    * **Windows authentication systems** for client verification.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * EAP-MSCHAPv2 operates at the **Application Layer (Layer 7)** of the OSI model.
    * It uses transport layers (TCP/UDP) for data transfer but operates at a higher level to perform authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-MSCHAPv2 Windows-specific?**

    No, EAP-MSCHAPv2 is **not Windows-specific**. It is supported across multiple platforms, including Linux, macOS, and other operating systems, for use in wireless and VPN authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-MSCHAPv2 Linux-specific?**

    No, EAP-MSCHAPv2 is **not Linux-specific**. It is cross-platform and supported by Windows, Linux, macOS, and other operating systems.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-MSCHAPv2?**

    EAP-MSCHAPv2 typically uses **UDP** as the transport protocol, especially when integrated with **RADIUS** for authentication purposes.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-MSCHAPv2?**

    EAP-MSCHAPv2, when used with RADIUS, typically operates on **UDP port 1812** for authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-MSCHAPv2 use a client-server model?**

    Yes, EAP-MSCHAPv2 operates in a **client-server model**, where the client sends authentication requests to a server (typically a RADIUS server) for verification.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-MSCHAPv2 protocol use certificates?**

    No, EAP-MSCHAPv2 does not rely on **certificates**. It uses a password-based challenge-response mechanism for authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-MSCHAPv2 protocol?**

    There are **four** frame exchanges during the connection procedure:

    1. The client sends an authentication request.
    2. The server issues a challenge to the client.
    3. The client responds with a hashed response.
    4. The server verifies the response and completes authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-MSCHAPv2 protocol use client certificates?**

    No, EAP-MSCHAPv2 does **not use client certificates**. Authentication is based on password hashing and challenge-response.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-MSCHAPv2 protocol use server certificates?**

    No, EAP-MSCHAPv2 does **not use server certificates**. It relies on challenge-response mechanisms instead.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-MSCHAPv2 protocol depend on TCP?**

    No, EAP-MSCHAPv2 typically operates over **UDP**, particularly when used with RADIUS for authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-MSCHAPv2 protocol depend on UDP?**

    Yes, EAP-MSCHAPv2 generally operates over **UDP**, especially when integrated with RADIUS authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-MSCHAPv2 protocol?**

    - **Client**: Initiates the authentication request and responds to challenges.
    - **Server**: Sends challenges, verifies responses, and authenticates the client.
    - **Administrator**: Configures the RADIUS server and manages user authentication policies.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-MSCHAPv2 protocol work with a FreeRADIUS server on Linux?**

    Yes, **EAP-MSCHAPv2** is fully supported by **FreeRADIUS** on Linux and is commonly used for secure wireless and VPN authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-MSCHAPv2 protocol work with the internal RADIUS server of hostapd?**

    Yes, **EAP-MSCHAPv2** can work with the **internal RADIUS server** of **hostapd** for wireless network authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the RFC version used for the EAP-MSCHAPv2 protocol?**

    EAP-MSCHAPv2 is defined in **RFC 2759** (Microsoft Challenge Handshake Authentication Protocol Version 2).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAP packets are encrypted?**

    The **challenge-response packets** are encrypted in EAP-MSCHAPv2. This ensures that the authentication process is secure even if the communication is intercepted.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-MSCHAPv2 protocol?**

    1. **Authentication Request**: The client sends an EAP authentication request to the server.
    2. **Challenge**: The server responds with a challenge (random number).
    3. **Response**: The client computes a hash of the challenge and its password and sends it to the server.
    4. **Verification**: The server verifies the response and authenticates the client if the response is correct.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    The final output is a successful or failed **authentication** of the client based on whether the server's verification of the response is correct.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    After the connection procedure, the **Pairwise Master Key (PMK)** is generated. This key is used for encrypting data in the wireless network.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    The **Pairwise Master Key (PMK)** generated during authentication is used for encrypting the data traffic between the client and the server, ensuring secure communication during the session.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section:

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`EAP_MSCHAPv2 Version&IEEE Details `
    * :ref:`EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines) `
    * :ref:`STEP 1: Bring up FreeRADIUS `
    * :ref:`STEP 2: Bring up AP `
    * :ref:`STEP 3: Bring up STA `
    * :ref:`EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (3 Machines) `
    * :ref:`EAP_MSCHAPv2 Internal Radius Server Basic Setup on Ubuntu (2 Machines) `
    * :ref:`EAP_MSCHAPv2 Protocol Packet Details `
    * :ref:`EAP_MSCHAPv2 Usecases `
    * :ref:`EAP_MSCHAPv2 Basic Features `
    * :ref:`Reference links `

.. _EAP_MSCHAPv2_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_MSCHAPv2_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_MSCHAPv2_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_MSCHAPv2_step5:

.. tab-set::

    .. tab-item:: EAP_MSCHAPv2 Version&RFC Details

        * RFC details

.. _EAP_MSCHAPv2_step18:

.. tab-set::

    .. tab-item:: EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_MSCHAPv2_step23:

.. tab-set::

    .. tab-item:: STEP 1: Bring up FreeRADIUS

        .. csv-table::
            :file: ./EAP_MSCHAPv2/eap_mschapv2_freeradius_server.csv
            :class: tight-table

.. _EAP_MSCHAPv2_step21:

.. tab-set::

    .. tab-item:: STEP 2: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_MSCHAPv2/eap_mschapv2_ap_hostapd.csv
            :class: tight-table

.. _EAP_MSCHAPv2_step22:

.. tab-set::

    .. tab-item:: STEP 3: Bring up STA

        .. csv-table::
            :file: ./EAP_MSCHAPv2/eap_mschapv2_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download the file to check the Wireshark output

          :download:`Packet capture in EAP_MSCHAPv2`

.. _EAP_MSCHAPv2_step19:

.. tab-set::

    .. tab-item:: EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_MSCHAPv2_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_MSCHAPv2_step6:

.. tab-set::

    .. tab-item:: EAP_MSCHAPv2 Protocol Packet Details

        * packet details

.. _EAP_MSCHAPv2_step7:

.. tab-set::

    .. tab-item:: EAP_MSCHAPv2 Usecases

        * usecases

.. _EAP_MSCHAPv2_step8:

.. tab-set::

    .. tab-item:: EAP_MSCHAPv2 Basic Features

        * features

.. _EAP_MSCHAPv2_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
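
A decoder for the challenge and response messages listed in the connection-procedure stages, as they appear inside RADIUS traffic on UDP port 1812 when reviewing a capture. This is an added example, not part of the original page or of any project it names; the function names and the sample packet are constructed for illustration, and the offsets follow the RADIUS EAP-Message attribute (79), the EAP header (method type 26) and the MS-CHAPv2 Challenge/Response layouts.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2, RADIUS_EAP_MESSAGE = 26, 79   # EAP method type; RADIUS attribute carrying EAP

def eap_from_radius(packet: bytes) -> bytes:
    """Concatenate the EAP-Message attributes of one RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    eap, pos = b"", 20        # attributes follow the 20-byte header
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        if a_type == RADIUS_EAP_MESSAGE:
            eap += packet[pos + 2:pos + a_len]
        pos += a_len
    return eap

def parse_eap_mschapv2(eap: bytes) -> dict:
    """Decode the EAP header and, for type 26, the MS-CHAPv2 fields."""
    if len(eap) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    out = {"eap_code": EAP_CODES.get(code, code), "eap_id": ident}
    if code not in (1, 2) or length < 5 or length > len(eap):
        return out            # Success/Failure carry no type field
    out["eap_type"] = eap[4]
    if eap[4] != EAP_TYPE_MSCHAPV2 or length < 6:
        return out
    opcode = eap[5]
    out["opcode"] = MSCHAPV2_OPCODES.get(opcode, opcode)
    if opcode in (1, 2) and length >= 10 and 10 + eap[9] <= length:
        size, value = eap[9], eap[10:10 + eap[9]]
        out["name"] = eap[10 + size:length].decode("utf-8", "replace")
        if opcode == 1 and size == 16:
            out["challenge"] = value.hex()
        elif opcode == 2 and size == 49:   # peer challenge, reserved, NT response, flags
            out["peer_challenge"], out["nt_response"] = value[:16].hex(), value[24:48].hex()
    return out

def sample_access_request() -> bytes:  # constructed sample, not a real capture
    name, value = b"alice", bytes(range(16)) + bytes(8) + bytes(range(100, 124)) + b"\x00"
    ms = struct.pack("!BBHB", 2, 7, 5 + len(value) + len(name), len(value)) + value + name
    eap = struct.pack("!BBHB", 2, 7, 5 + len(ms), EAP_TYPE_MSCHAPV2) + ms
    attrs = bytes([1, 2 + len(name)]) + name + bytes([RADIUS_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs
```

Calling ``parse_eap_mschapv2(eap_from_radius(sample_access_request()))`` returns the EAP code, method type, MS-CHAPv2 opcode, name field and the two response values of the constructed packet.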