EAP-PEAP-MD5-Challenge
=======================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-PEAP-MD5-Challenge?**

    EAP-PEAP-MD5-Challenge stands for Extensible Authentication Protocol – Protected Extensible Authentication Protocol – MD5 Challenge.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-PEAP-MD5-Challenge?**

    It is an authentication method where the MD5-Challenge mechanism is used inside a PEAP (Protected EAP) tunnel. The outer PEAP establishes a TLS tunnel, and the inner MD5-Challenge provides password-based authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-PEAP-MD5-Challenge useful?**

    * Protects MD5-Challenge by encapsulating it inside a TLS tunnel.
    * Provides a basic password authentication method with additional security.
    * Useful in networks that need simple credential exchange but still want TLS protection.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * The supplicant and server establish a TLS tunnel using PEAP.
    * Inside the tunnel, the server sends an MD5 challenge.
    * The client responds with a hash of the challenge and its password.
    * The server validates this response with stored credentials.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-PEAP-MD5-Challenge used?**

    * Enterprise Wi-Fi authentication.
    * VPN authentication via RADIUS.
    * Environments where password-only authentication is acceptable but TLS protection is required.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * Works at the **Application Layer** (EAP/PEAP).
    * Relies on TLS (presentation/transport security) and uses RADIUS at transport level.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PEAP-MD5-Challenge Windows specific?**

    * No. It is supported on Windows but also available on other platforms with supplicant support.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PEAP-MD5-Challenge Linux specific?**

    * No. Works on Linux (e.g., wpa_supplicant + FreeRADIUS) and other OSes.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Transport Protocol is used by EAP-PEAP-MD5-Challenge?**

    * Uses **EAP over RADIUS**, which typically runs over **UDP (1812/1813)**.
    * TLS tunnel runs inside EAP messages.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Port is used by EAP-PEAP-MD5-Challenge?**

    * RADIUS authentication: **UDP 1812**.
    * RADIUS accounting: **UDP 1813**.
    * (Legacy: 1645/1646).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PEAP-MD5-Challenge use the Client-Server model?**

    * Yes.

      - Client (supplicant) ↔ Authenticator (AP/Switch) ↔ Authentication Server (RADIUS).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-MD5-Challenge protocol use certificates?**

    * Yes, **server certificates are mandatory** to set up the TLS tunnel.
    * The MD5 challenge-response happens inside the tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-PEAP-MD5-Challenge protocol?**

    * Initial EAPoL (Start/Identity).
    * TLS handshake messages.
    * MD5-Challenge/Response inside tunnel.
    * Success/Failure.
    * Around **6–10 exchanges**, depending on TLS handshake.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-MD5-Challenge Protocol use client certificates?**

    * No. The client uses username + password.
    * Only the server presents a certificate for the TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-MD5-Challenge Protocol use Server Certificates?**

    * Yes. Required for TLS tunnel establishment.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PEAP-MD5-Challenge Protocol dependent on TCP?**

    * Indirectly – TLS uses TCP when run outside RADIUS, but in Wi-Fi/RADIUS environments it mostly runs over UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PEAP-MD5-Challenge Protocol dependent on UDP?**

    * Yes. Typically carried in RADIUS messages over UDP (1812/1813).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing EAP-PEAP-MD5-Challenge Protocol?**

    * **Supplicant (Client device)** – requests authentication.
    * **Authenticator (AP/Switch)** – forwards EAP messages.
    * **Authentication Server (RADIUS)** – validates MD5 challenge/response inside TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PEAP-MD5-Challenge Protocol work with FreeRADIUS server on Linux?**

    * Yes. FreeRADIUS supports PEAP with MD5-Challenge as an inner method.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PEAP-MD5-Challenge Protocol work with the internal RADIUS server of hostapd?**

    * hostapd's built-in RADIUS server may have limited support. Usually an external FreeRADIUS server is used for PEAP-MD5.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the RFC version used for EAP-PEAP-MD5-Challenge Protocol?**

    * EAP: **RFC 3748**.
    * MD5-Challenge: **RFC 1994**.
    * PEAP itself: Internet-Draft (not IETF standardized).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During Connection Procedure which EAPoL packets are encrypted?**

    * Outer EAPoL packets (Identity, Start, Success/Failure) are **not encrypted**.
    * Inner MD5-Challenge/Response is **encrypted inside TLS tunnel**.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain different stages of Connection Procedure for EAP-PEAP-MD5-Challenge?**

    * **Stage 1:** EAPoL start/identity exchange.
    * **Stage 2:** TLS handshake to set up PEAP tunnel.
    * **Stage 3:** MD5 challenge/response inside TLS tunnel.
    * **Stage 4:** Server validates response.
    * **Stage 5:** Authentication Success → PMK derived.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of Connection Procedure?**

    * A Pairwise Master Key (PMK) is generated for secure communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    * PMK is a **256-bit (32-byte) key**.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the Connection Procedure used?**

    * PMK is used in the **4-way handshake** to derive PTK.
    * PTK encrypts unicast traffic and secures Wi-Fi communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <EAP_PEAP_MD5_Challenge_step1>`
    * :ref:`Terminology <EAP_PEAP_MD5_Challenge_step2>`
    * :ref:`Version Info <EAP_PEAP_MD5_Challenge_step3>`
    * :ref:`EAP_PEAP_MD5_Challenge Version&IEEE Details <EAP_PEAP_MD5_Challenge_step5>`
    * :ref:`EAP_PEAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_MD5_Challenge_step18>`

      * :ref:`STEP 1: Bring up FreeRADIUS <EAP_PEAP_MD5_Challenge_step23>`
      * :ref:`STEP 2: Bring up AP <EAP_PEAP_MD5_Challenge_step21>`
      * :ref:`STEP 3: Bring up STA <EAP_PEAP_MD5_Challenge_step22>`

    * :ref:`EAP_PEAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_PEAP_MD5_Challenge_step19>`
    * :ref:`EAP_PEAP_MD5_Challenge Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_MD5_Challenge_step20>`
    * :ref:`EAP_PEAP_MD5_Challenge Protocol Packet Details <EAP_PEAP_MD5_Challenge_step6>`
    * :ref:`EAP_PEAP_MD5_Challenge Usecases <EAP_PEAP_MD5_Challenge_step7>`
    * :ref:`EAP_PEAP_MD5_Challenge Basic Features <EAP_PEAP_MD5_Challenge_step8>`
    * :ref:`Reference links <EAP_PEAP_MD5_Challenge_step17>`

.. _EAP_PEAP_MD5_Challenge_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_PEAP_MD5_Challenge_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_PEAP_MD5_Challenge_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_PEAP_MD5_Challenge_step5:

.. tab-set::

    .. tab-item:: EAP_PEAP_MD5_Challenge Version&RFC Details

        * rfc details

.. _EAP_PEAP_MD5_Challenge_step18:

.. tab-set::

    .. tab-item:: EAP_PEAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (2 Machines)

        .. _EAP_PEAP_MD5_Challenge_step23:

        .. tab-set::

            .. tab-item:: STEP 1: Bring up FreeRADIUS

                .. csv-table::
                    :file: ./EAP_PEAP_MD5_Challenge/eap_peap_md5_freeradius_server.csv
                    :class: tight-table

        .. _EAP_PEAP_MD5_Challenge_step21:

        .. tab-set::

            .. tab-item:: STEP 2: Bring up AP using hostapd

                .. csv-table::
                    :file: ./EAP_PEAP_MD5_Challenge/eap_peap_md5_ap_hostapd.csv
                    :class: tight-table

        .. _EAP_PEAP_MD5_Challenge_step22:

        .. tab-set::

            .. tab-item:: STEP 3: Bring up STA

                .. csv-table::
                    :file: ./EAP_PEAP_MD5_Challenge/eap_peap_md5_sta_wpa_supplicant.csv
                    :class: tight-table

        .. tab-set::

            .. tab-item:: Wireshark Output

                * Download the file to check the Wireshark output :download:`Packet capture in EAP_PEAP_MD5_Challenge`

.. _EAP_PEAP_MD5_Challenge_step19:

.. tab-set::

    .. tab-item:: EAP_PEAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_PEAP_MD5_Challenge_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_PEAP_MD5_Challenge_step6:

.. tab-set::

    .. tab-item:: EAP_PEAP_MD5_Challenge Protocol Packet Details

        * packet details

.. _EAP_PEAP_MD5_Challenge_step7:

.. tab-set::

    .. tab-item:: EAP_PEAP_MD5_Challenge Usecases

        * usecases

.. _EAP_PEAP_MD5_Challenge_step8:

.. tab-set::

    .. tab-item:: EAP_PEAP_MD5_Challenge Basic Features

        * features

.. _EAP_PEAP_MD5_Challenge_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links