EAP-PEAP-GTC
============

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the expansion of EAP-PEAP-GTC?**

   EAP-PEAP-GTC stands for Extensible Authentication Protocol – Protected Extensible Authentication Protocol – Generic Token Card.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-PEAP-GTC?**

   It is an authentication method that encapsulates Generic Token Card (GTC) authentication inside a secure TLS tunnel provided by PEAP (Protected EAP). It is mainly used for secure identity verification in enterprise wireless and VPN networks.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-PEAP-GTC useful?**

   * Provides secure authentication over untrusted networks.
   * Encapsulates credentials in a TLS tunnel, preventing eavesdropping.
   * Supports token-based and password-based authentication.
   * Works in enterprise WLAN environments with RADIUS servers.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How does it work?**

   * A TLS tunnel is created between the client and the authentication server using PEAP.
   * Inside this tunnel, GTC exchanges the user credentials (password or token).
   * The server validates the credentials against a backend authentication system (such as RADIUS).
   * If they are valid, mutual authentication completes and encryption keys are derived.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-PEAP-GTC used?**

   * Enterprise Wi-Fi authentication (WPA2/WPA3-Enterprise).
   * VPN authentication with a RADIUS backend.
   * Corporate and government secure networks.
   * Environments requiring token card or password-based identity verification.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   * Primarily operates at the **Application Layer**.
   * Relies on TLS (Transport Layer Security) for encryption.
   * Uses transport protocols (TCP/UDP) at lower layers for message delivery.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-PEAP-GTC Windows specific?**

   * No. It is supported on Windows but not limited to it.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-PEAP-GTC Linux specific?**

   * No. It is supported across multiple platforms, including Linux, Windows, and mobile operating systems with supplicant support.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which transport protocol is used by EAP-PEAP-GTC?**

   * Uses **EAP over RADIUS**, typically carried over **UDP** (ports 1812/1813).
   * TLS runs inside EAP to protect the credentials.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which port is used by EAP-PEAP-GTC?**

   * RADIUS: **UDP 1812 (authentication), UDP 1813 (accounting)**.
   * Older systems may use **UDP 1645/1646**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-PEAP-GTC use the client-server model?**

   * Yes.

     - Client (supplicant) ↔ Authenticator (AP/switch) ↔ Authentication Server (RADIUS).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP-GTC protocol use certificates?**

   * Yes. A server certificate is mandatory to establish the TLS tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during a connection with the EAP-PEAP-GTC protocol?**

   * Multiple exchanges:

     - EAPOL-Start / EAP-Request/Identity.
     - TLS handshake frames.
     - GTC credential exchange inside the TLS tunnel.
     - Success/Failure frames.

   * Typically **6–10 round trips**, depending on handshake complexity.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP-GTC protocol use client certificates?**

   * No. Generally only a server certificate is required.
   * The client authenticates with a username/password or token inside the TLS tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP-GTC protocol use server certificates?**

   * Yes. The server certificate is essential to create the TLS tunnel and to prove the server's identity.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is the EAP-PEAP-GTC protocol dependent on TCP?**

   * Only indirectly: the TLS exchange rides on TCP when RADIUS itself is carried over TCP or in tunneled environments.
   * With standard RADIUS, however, it uses **UDP**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is the EAP-PEAP-GTC protocol dependent on UDP?**

   * Yes. Standard RADIUS messages carrying EAP use **UDP ports 1812/1813**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing the EAP-PEAP-GTC protocol?**

   * **Supplicant (client device)** – requests access.
   * **Authenticator (AP/switch)** – relays EAP messages between supplicant and server.
   * **Authentication Server (RADIUS)** – validates the credentials inside the TLS tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP-GTC protocol work with the FreeRADIUS server on Linux?**

   * Yes. FreeRADIUS supports PEAP with GTC as the inner method.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-PEAP-GTC protocol work with the internal RADIUS server of hostapd?**

   * Limited support. Hostapd’s built-in RADIUS server may not fully support PEAP-GTC; usually an external FreeRADIUS server is used.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the RFC version used for the EAP-PEAP-GTC protocol?**

   * PEAP itself is not an IETF standards-track RFC but an Internet Draft (Microsoft, Cisco, RSA).
   * EAP is defined in **RFC 3748**.
   * GTC is defined in **RFC 3748 (Section 5.8)**.
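The EAP-over-RADIUS transport described above (EAP packets carried inside RADIUS Access-Request messages on UDP 1812) can be seen concretely in the following added Python example, which is not part of the original page. It builds an Access-Request that carries an EAP-Response/Identity in EAP-Message attributes, adds the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, and then verifies that attribute the way the RADIUS server does before handing the EAP payload to the inner PEAP/GTC state machine. The shared secret, identity, identifier and Request Authenticator are constructed sample values; the attribute numbers (User-Name 1, EAP-Message 79, Message-Authenticator 80) and the HMAC-MD5 construction are the standard RADIUS ones.

```python
"""Added example (not from the original page): EAP carried over RADIUS.
Shared secret, identity, identifier and Request Authenticator are constructed.
"""
import hashlib
import hmac
import struct

RADIUS_AUTH_PORT = 1812          # UDP port named on the page
ACCESS_REQUEST = 1               # RADIUS Code field
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_PEAP = 25


def eap_packet(code, identifier, eap_type, data):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def radius_attr(attr_type, value):
    """Encode a RADIUS attribute: Type(1) Length(1) Value (at most 253 bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, request_authenticator, user_name, eap):
    """Build an Access-Request carrying `eap` in EAP-Message attributes.

    RFC 3579 requires a Message-Authenticator next to EAP-Message. It is
    HMAC-MD5(secret, whole packet with the Message-Authenticator value zeroed).
    """
    attrs = radius_attr(ATTR_USER_NAME, user_name)
    # Long EAP packets (e.g. TLS handshake fragments) are spread over several
    # EAP-Message attributes; the server concatenates them in order.
    for i in range(0, len(eap), 253):
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # Message-Authenticator is the last attribute, so its value is the last 16 bytes.
    return packet[:-16] + mac


def parse_attributes(packet):
    """Yield (type, value, offset_of_value) for every attribute after the 20-byte header."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match packet size")
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def verify_message_authenticator(secret, packet):
    """True only if the Message-Authenticator was computed with this shared secret.

    A server drops EAP-carrying requests that fail this check, so a forged or
    altered request never reaches the EAP state machine.
    """
    mac_offset, received = None, None
    for attr_type, value, offset in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac_offset, received = offset, value
    if mac_offset is None:
        return False  # EAP-Message without Message-Authenticator is rejected
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def extract_eap(packet):
    """Reassemble the EAP packet from the EAP-Message attributes, in order."""
    return b"".join(v for t, v, _ in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


def decode_eap_header(eap):
    """Split the outer (unencrypted) EAP header off the payload."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", eap[:5])
    return {"code": code, "id": identifier, "length": length,
            "type": eap_type, "data": eap[5:length]}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"            # constructed
    request_authenticator = bytes(range(16))         # constructed (normally random)
    identity = b"alice@example.com"                  # constructed
    eap = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)
    pkt = build_access_request(secret, 7, request_authenticator, identity, eap)
    print("Access-Request bytes:", len(pkt), "-> UDP", RADIUS_AUTH_PORT)
    print("Message-Authenticator valid:", verify_message_authenticator(secret, pkt))
    print("Inner EAP header:", decode_eap_header(extract_eap(pkt)))
```

With the page's setup, this is what hostapd (the authenticator) sends to FreeRADIUS for every EAP leg; the server recomputes the HMAC with the client's shared secret from its clients configuration and silently discards the request if it does not match, which is the first thing to check when a PEAP exchange never gets past the Identity phase.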
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **During the connection procedure, which EAPOL packets are encrypted?**

   * Only the packets carried inside the **TLS tunnel** (the credential exchange) are encrypted.
   * The outer EAPOL frames (Identity, Start, Success/Failure) are not encrypted.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you explain the different stages of the connection procedure for EAP-PEAP-GTC?**

   * **Stage 1:** EAPOL exchange (Start, Identity).
   * **Stage 2:** TLS handshake to set up the secure tunnel.
   * **Stage 3:** GTC credentials sent inside the TLS tunnel.
   * **Stage 4:** The authentication server validates the credentials.
   * **Stage 5:** Success message sent, PMK generated.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of the connection procedure?**

   * A Pairwise Master Key (PMK) is derived and passed to the authenticator (AP).
   * This key is later used to derive the PTK for data encryption in Wi-Fi.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generated after the connection procedure?**

   * The PMK is a **256-bit (32-byte) key**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is the PMK generated by the connection procedure used?**

   * The PMK is used in the **4-way handshake** to derive the PTK (Pairwise Transient Key).
   * The PTK is then used to encrypt user data over the secure Wi-Fi link.
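The stages listed above, and which frames are protected by the tunnel, can be recognised from the outer EAPOL/EAP headers alone, which is what a packet capture of the exchange shows. The following is an added Python example and not part of the original page: it decodes a constructed sequence of EAPOL frames (EAPOL-Start, the Identity request/response, a PEAP-Start, a TLS handshake fragment, a TLS application-data record and an EAP-Success), assigns each one to the stage numbering used on this page, and flags the single frame whose payload is tunnel-protected. The TLS record bytes are constructed placeholders that carry only a record header, and the stage numbers follow this page rather than any standard.

```python
"""Added example (not from the original page): classify EAPOL frames of a
PEAP exchange by stage and by whether their payload is inside the TLS tunnel.
All frames below are constructed samples, not a real capture.
"""
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
PEAP_FLAG_L, PEAP_FLAG_M, PEAP_FLAG_S = 0x80, 0x40, 0x20   # Length / More / Start
TLS_CCS, TLS_ALERT, TLS_HANDSHAKE, TLS_APPDATA = 20, 21, 22, 23


def eapol(ptype, body=b""):
    """EAPOL header: Version(1) Type(1) Length(2), then the body."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def eap(code, identifier, eap_type=None, data=b""):
    """EAP header: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def peap(code, identifier, flags, tls=b"", version=1):
    """PEAP payload: Flags(1) [TLS Message Length(4) if L set] TLS data."""
    data = bytes([flags | version])
    if flags & PEAP_FLAG_L:
        data += struct.pack("!I", len(tls))
    return eap(code, identifier, EAP_TYPE_PEAP, data + tls)


def _res(stage, what, protected):
    return {"stage": stage, "what": what, "tunnel_protected": protected}


def classify(frame):
    """Map one EAPOL frame to the page's stage numbering and tunnel status."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if ptype == EAPOL_START:
        return _res(1, "EAPOL-Start", False)
    if ptype == EAPOL_KEY:
        return _res(5, "EAPOL-Key (4-way handshake, after the PMK exists)", False)
    if ptype != EAPOL_EAP_PACKET:
        return _res(None, "EAPOL type %d" % ptype, False)
    code, _identifier, eap_len = struct.unpack("!BBH", body[:4])
    if code == EAP_SUCCESS:
        return _res(5, "EAP-Success", False)
    if code == EAP_FAILURE:
        return _res(5, "EAP-Failure", False)
    direction = "Request" if code == EAP_REQUEST else "Response"
    eap_type = body[4]
    if eap_type == EAP_TYPE_IDENTITY:
        return _res(1, "EAP-%s/Identity" % direction, False)
    if eap_type != EAP_TYPE_PEAP:
        return _res(None, "EAP-%s type %d" % (direction, eap_type), False)
    flags = body[5]
    pos = 6 + (4 if flags & PEAP_FLAG_L else 0)
    tls = body[pos:eap_len]
    if flags & PEAP_FLAG_S:
        return _res(2, "PEAP-Start (server offers the TLS tunnel)", False)
    if not tls:
        return _res(2, "PEAP fragment acknowledgement", False)
    if tls[0] == TLS_APPDATA:
        # Only these records carry the inner GTC exchange; everything else is outer plaintext.
        return _res(3, "PEAP TLS application data (inner GTC exchange)", True)
    names = {TLS_HANDSHAKE: "handshake", TLS_CCS: "change-cipher-spec", TLS_ALERT: "alert"}
    return _res(2, "PEAP TLS %s record" % names.get(tls[0], "type %d" % tls[0]), False)


# Constructed sample exchange; TLS records hold only a record header plus filler.
SAMPLE_FRAMES = [
    eapol(EAPOL_START),
    eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
    eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"anonymous")),
    eapol(EAPOL_EAP_PACKET, peap(EAP_REQUEST, 2, PEAP_FLAG_S)),
    eapol(EAPOL_EAP_PACKET, peap(EAP_RESPONSE, 2, PEAP_FLAG_L, b"\x16\x03\x03\x00\x04\x01\x00\x00\x00")),
    eapol(EAPOL_EAP_PACKET, peap(EAP_REQUEST, 3, 0, b"\x17\x03\x03\x00\x10" + bytes(16))),
    eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, 4)),
]


def trace(frames):
    """Classify a whole frame list in order."""
    return [classify(f) for f in frames]


if __name__ == "__main__":
    for n, r in enumerate(trace(SAMPLE_FRAMES), 1):
        print("%d  stage %s  %-48s tunnel=%s" % (n, r["stage"], r["what"], r["tunnel_protected"]))
```

Reading a real capture with this classification in mind makes the page's point visible: the identity, the TLS server certificate and the Success/Failure result all travel in the clear, and only the application-data records of Stage 3 hide the GTC password or token.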
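The PMK handed to the authenticator is expanded into the PTK by the 4-way handshake, using the PRF that IEEE 802.11 defines for pairwise key expansion. The following is an added Python example, not code from the original page: it derives a 384-bit CCMP PTK (or a 512-bit TKIP PTK) from a 256-bit PMK, the two MAC addresses and the two nonces, splits it into KCK, KEK and TK, and then computes and checks the EAPOL-Key MIC with the KCK (HMAC-SHA1-128, key descriptor version 2), which is how each side proves it holds the same PMK without ever sending it. The PMK, MAC addresses, nonces and the EAPOL-Key frame layout are constructed sample values.

```python
"""Added example (not from the original page): PMK -> PTK derivation of the
4-way handshake that follows a successful EAP-PEAP-GTC exchange, plus the
EAPOL-Key MIC check. All key material, addresses and nonces are constructed.
"""
import hashlib
import hmac
import struct

PAIRWISE_LABEL = b"Pairwise key expansion"   # IEEE 802.11 PRF label
EAPOL_KEY_MIC_OFFSET = 81                    # 4-byte EAPOL header + 77 bytes into the key descriptor
EAPOL_KEY_MIC_LEN = 16


def prf(key, label, data, n_bits):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) * 8 < n_bits:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[: n_bits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """Derive the PTK from the 256-bit PMK produced by the EAP exchange.

    aa / spa are the authenticator (AP) and supplicant MAC addresses. The
    min/max ordering makes the result the same on both sides.
    """
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits (32 bytes)")
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("nonces must be 32 bytes")
    n_bits = {"CCMP": 384, "TKIP": 512}[cipher]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PAIRWISE_LABEL, data, n_bits)
    tk_len = 16 if cipher == "CCMP" else 32
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:32 + tk_len], "PTK": ptk}


def eapol_key_mic(kck, frame):
    """HMAC-SHA1-128 over the EAPOL-Key frame with its MIC field zeroed (descriptor version 2)."""
    zeroed = (frame[:EAPOL_KEY_MIC_OFFSET] + bytes(EAPOL_KEY_MIC_LEN)
              + frame[EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN:])
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:EAPOL_KEY_MIC_LEN]


def sign_eapol_key(kck, frame):
    """Return the frame with its MIC field filled in."""
    mic = eapol_key_mic(kck, frame)
    return frame[:EAPOL_KEY_MIC_OFFSET] + mic + frame[EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN:]


def verify_eapol_key(kck, frame):
    """True only if the MIC was computed with this KCK, i.e. the peer derived the same PMK."""
    received = frame[EAPOL_KEY_MIC_OFFSET:EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN]
    return hmac.compare_digest(eapol_key_mic(kck, frame), received)


def constructed_eapol_key_frame(snonce):
    """Minimal message-2 shape: EAPOL header, descriptor type 2, zeroed fields, the SNonce."""
    key_info = struct.pack("!H", 0x010A)   # constructed: version 2, pairwise, MIC bit set
    body = (bytes([2]) + key_info + struct.pack("!H", 16) + bytes(8) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(EAPOL_KEY_MIC_LEN) + struct.pack("!H", 0))
    return struct.pack("!BBH", 2, 3, len(body)) + body


# Constructed sample values (a real PMK comes out of the PEAP TLS exchange).
SAMPLE_PMK = bytes(range(32))
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes([0xA0]) * 32
SNONCE = bytes([0x5E]) * 32


if __name__ == "__main__":
    keys = derive_ptk(SAMPLE_PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)
    for name in ("KCK", "KEK", "TK"):
        print(name, keys[name].hex())
    msg2 = sign_eapol_key(keys["KCK"], constructed_eapol_key_frame(SNONCE))
    print("MIC verifies with derived KCK:", verify_eapol_key(keys["KCK"], msg2))
```

The PTK is never transmitted: the AP derives it from the PMK FreeRADIUS delivered and the nonces exchanged in messages 1 and 2, and a failing MIC on message 2 is the symptom to look for when the supplicant and server disagree about the PMK.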
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section:

   * :ref:`Learnings in this section <EAP_PEAP_GTC_step1>`
   * :ref:`Terminology <EAP_PEAP_GTC_step2>`
   * :ref:`Version Info <EAP_PEAP_GTC_step3>`
   * :ref:`EAP_PEAP_GTC Version&IEEE Details <EAP_PEAP_GTC_step5>`
   * :ref:`EAP_PEAP_GTC FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_GTC_step18>`
   * :ref:`STEP 1: Bring up FreeRADIUS <EAP_PEAP_GTC_step23>`
   * :ref:`STEP 2: Bring up AP <EAP_PEAP_GTC_step21>`
   * :ref:`STEP 3: Bring up STA <EAP_PEAP_GTC_step22>`
   * :ref:`EAP_PEAP_GTC FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_PEAP_GTC_step19>`
   * :ref:`EAP_PEAP_GTC Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_GTC_step20>`
   * :ref:`EAP_PEAP_GTC Protocol Packet Details <EAP_PEAP_GTC_step6>`
   * :ref:`EAP_PEAP_GTC Usecases <EAP_PEAP_GTC_step7>`
   * :ref:`EAP_PEAP_GTC Basic Features <EAP_PEAP_GTC_step8>`
   * :ref:`Reference links <EAP_PEAP_GTC_step17>`

.. _EAP_PEAP_GTC_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_PEAP_GTC_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_PEAP_GTC_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_PEAP_GTC_step5:

.. tab-set::

   .. tab-item:: EAP_PEAP_GTC Version&RFC Details

      * rfc details

.. _EAP_PEAP_GTC_step18:

.. tab-set::

   .. tab-item:: EAP_PEAP_GTC FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_PEAP_GTC_step23:

.. tab-set::

   .. tab-item:: STEP 1: Bring up FreeRADIUS

      .. csv-table::
         :file: ./EAP_PEAP_GTC/eap_peap_gtc_freeradius_server.csv
         :class: tight-table

.. _EAP_PEAP_GTC_step21:

.. tab-set::

   .. tab-item:: STEP 2: Bring up AP using hostapd

      .. csv-table::
         :file: ./EAP_PEAP_GTC/eap_peap_gtc_ap_hostapd.csv
         :class: tight-table

.. _EAP_PEAP_GTC_step22:

.. tab-set::

   .. tab-item:: STEP 3: Bring up STA

      .. csv-table::
         :file: ./EAP_PEAP_GTC/eap_peap_gtc_sta_wpa_supplicant.csv
         :class: tight-table

.. tab-set::

   .. tab-item:: Wireshark Output

      * Download the file to check the Wireshark output: :download:`Packet capture in EAP_PEAP_GTC`

.. _EAP_PEAP_GTC_step19:

.. tab-set::

   .. tab-item:: EAP_PEAP_GTC FreeRadius Basic Setup on Ubuntu (3 Machines)

      * setup

.. _EAP_PEAP_GTC_step20:

.. tab-set::

   .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

      * setup

.. _EAP_PEAP_GTC_step6:

.. tab-set::

   .. tab-item:: EAP_PEAP_GTC Protocol Packet Details

      * packet details

.. _EAP_PEAP_GTC_step7:

.. tab-set::

   .. tab-item:: EAP_PEAP_GTC Usecases

      * usecases

.. _EAP_PEAP_GTC_step8:

.. tab-set::

   .. tab-item:: EAP_PEAP_GTC Basic Features

      * features

.. _EAP_PEAP_GTC_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links