EAP-PEAP-MSCHAPv2
===================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **What is the expansion of EAP-PEAP-MSCHAPv2?**

        Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **What is EAP-PEAP-MSCHAPv2?**

        - An authentication method used in wireless and VPN security.
        - It encapsulates EAP inside a TLS tunnel (PEAP).
        - Uses MSCHAPv2 for inner authentication of the user's credentials.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Why is EAP-PEAP-MSCHAPv2 useful?**

        - Provides mutual authentication.
        - Protects user credentials inside an encrypted TLS tunnel.
        - Widely supported on Windows and Linux.
        - Easy to deploy without requiring client certificates.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **How does it work?**

        - Outer TLS tunnel established between client and server (PEAP).
        - Inner authentication performed using MSCHAPv2.
        - Server validates username and password via RADIUS/AD.
        - A PMK (Pairwise Master Key) is generated for secure communication.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Where is EAP-PEAP-MSCHAPv2 used?**

        - Enterprise Wi-Fi networks (802.1X).
        - VPN authentication.
        - Corporate environments integrated with Active Directory.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Which OSI layer does this protocol belong to?**

        - Data Link Layer (Layer 2) as part of 802.1X authentication.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Is EAP-PEAP-MSCHAPv2 Windows specific?**

        - No, but it is **natively supported in Windows**.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Is EAP-PEAP-MSCHAPv2 Linux specific?**

        - No, but it is supported through tools like ``wpa_supplicant``.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Which transport protocol is used by EAP-PEAP-MSCHAPv2?**

        - Uses **EAP over LAN (EAPoL)** for client ↔ authenticator.
        - Uses **RADIUS over UDP** for authenticator ↔ server.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Which port is used by EAP-PEAP-MSCHAPv2?**

        - UDP 1812 (authentication).
        - UDP 1813 (accounting).

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Does EAP-PEAP-MSCHAPv2 use a client-server model?**

        - Yes, Client ↔ Authenticator ↔ Authentication Server (RADIUS).

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Does the EAP-PEAP-MSCHAPv2 protocol use certificates?**

        - Yes, a **server-side certificate is mandatory** to establish the TLS tunnel.
        - Client certificates are **optional**.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **How many frame exchanges are seen during connection for the EAP-PEAP-MSCHAPv2 protocol?**

        - Multiple EAPOL messages (Request, Response, TLS handshake packets).
        - Typically 8–12 messages depending on negotiation.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Does the EAP-PEAP-MSCHAPv2 protocol use client certificates?**

        - Usually **No** (not required).

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Does the EAP-PEAP-MSCHAPv2 protocol use server certificates?**

        - **Yes**, mandatory for TLS tunnel establishment.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Is the EAP-PEAP-MSCHAPv2 protocol dependent on TCP?**

        - No, it relies on **EAPoL and UDP (RADIUS)**.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Is the EAP-PEAP-MSCHAPv2 protocol dependent on UDP?**

        - Yes, for RADIUS communication.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **What are the roles involved when testing the EAP-PEAP-MSCHAPv2 protocol?**

        - **Supplicant (Client device)**
        - **Authenticator (AP or Switch)**
        - **Authentication Server (RADIUS/AD)**

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Does the EAP-PEAP-MSCHAPv2 protocol work with a FreeRADIUS server on Linux?**

        - Yes, fully supported.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Does the EAP-PEAP-MSCHAPv2 protocol work with the internal RADIUS server of hostapd?**

        - Yes, with proper configuration.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **What is the RFC version used for the EAP-PEAP-MSCHAPv2 protocol?**

        - PEAP is defined in **RFC 4851** (experimental).
        - MSCHAPv2 details are from Microsoft documentation (not RFC-standardized).

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **During the connection procedure, which EAPoL packets are encrypted?**

        - Packets inside the PEAP tunnel (inner authentication messages).

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Can you explain the different stages of the connection procedure for EAP-PEAP-MSCHAPv2?**

        - **Stage 1:** EAPOL Start and Identity exchange.
        - **Stage 2:** TLS tunnel setup using server certificate.
        - **Stage 3:** MSCHAPv2 challenge/response inside TLS tunnel.
        - **Stage 4:** Server validates credentials via RADIUS/AD.
        - **Stage 5:** PMK generated and shared with authenticator.
        - **Stage 6:** 4-way handshake to derive session keys.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **What is the final output of the connection procedure?**

        - PMK and PTK (session keys) established for secure communication.

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **What is the format of the key generated after the connection procedure?**

        - 256-bit Pairwise Master Key (PMK).

    .. panels::
        :container: container pb-2
        :column: col-lg-12 p-2
        :card: shadow-sm

        **Where is the PMK generated by the connection procedure used?**

        - Used in the **4-way WPA2 handshake** to derive session encryption keys (PTK).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`EAP_PEAP_MSCHAPv2 Version&IEEE Details `
    * :ref:`EAP_PEAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines) `

        * :ref:`STEP 1: Bring up FreeRADIUS `
        * :ref:`STEP 2: Bring up AP `
        * :ref:`STEP 3: Bring up STA `

    * :ref:`EAP_PEAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (3 Machines) `
    * :ref:`EAP_PEAP_MSCHAPv2 Internal Radius Server Basic Setup on Ubuntu (2 Machines) `
    * :ref:`EAP_PEAP_MSCHAPv2 Protocol Packet Details `
    * :ref:`EAP_PEAP_MSCHAPv2 Usecases `
    * :ref:`EAP_PEAP_MSCHAPv2 Basic Features `
    * :ref:`Reference links `

.. _EAP_PEAP_MSCHAPv2_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_PEAP_MSCHAPv2_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_PEAP_MSCHAPv2_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_PEAP_MSCHAPv2_step5:

.. tab-set::

    .. tab-item:: EAP_PEAP_MSCHAPv2 Version&RFC Details

        * rfc details

.. _EAP_PEAP_MSCHAPv2_step18:

.. tab-set::

    .. tab-item:: EAP_PEAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines)

        .. _EAP_PEAP_MSCHAPv2_step23:

        .. tab-set::

            .. tab-item:: STEP 1: Bring up FreeRADIUS

                .. csv-table::
                    :file: ./EAP_PEAP_MSCHAPv2/eap_peap_mschapv2_freeradius_server.csv
                    :class: tight-table

        .. _EAP_PEAP_MSCHAPv2_step21:

        .. tab-set::

            .. tab-item:: STEP 2: Bring up AP using hostapd

                .. csv-table::
                    :file: ./EAP_PEAP_MSCHAPv2/eap_peap_mschapv2_ap_hostapd.csv
                    :class: tight-table

        .. _EAP_PEAP_MSCHAPv2_step22:

        .. tab-set::

            .. tab-item:: STEP 3: Bring up STA

                .. csv-table::
                    :file: ./EAP_PEAP_MSCHAPv2/eap_peap_mschapv2_sta_wpa_supplicant.csv
                    :class: tight-table

        .. tab-set::

            .. tab-item:: Wireshark Output

                * Download file to check wireshark output

                  :download:`Packet capture in EAP_PEAP_MSCHAPv2`

.. _EAP_PEAP_MSCHAPv2_step19:

.. tab-set::

    .. tab-item:: EAP_TLS FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_PEAP_MSCHAPv2_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_PEAP_MSCHAPv2_step6:

.. tab-set::

    .. tab-item:: EAP_PEAP_MSCHAPv2 Protocol Packet Details

        * packet details

.. _EAP_PEAP_MSCHAPv2_step7:

.. tab-set::

    .. tab-item:: EAP_PEAP_MSCHAPv2 Usecases

        * usecases

.. _EAP_PEAP_MSCHAPv2_step8:

.. tab-set::

    .. tab-item:: EAP_PEAP_MSCHAPv2 Basic Features

        * features

.. _EAP_PEAP_MSCHAPv2_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
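
Stages 5 and 6 of the connection procedure on this page (the 256-bit PMK and the PTK derived from it in the 4-way handshake), written out as an added Python example that is not part of the original page. It assumes the WPA2 HMAC-SHA1 PRF from IEEE 802.11 and a 384-bit CCMP PTK; the function names, MSK, MAC addresses and nonces are constructed for illustration.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"  # fixed label defined by IEEE 802.11

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def pmk_from_msk(msk: bytes) -> bytes:
    """Stage 5: the PMK is the first 256 bits of the MSK exported by EAP."""
    if len(msk) < 64:
        raise ValueError("an EAP MSK is at least 64 bytes")
    return msk[:32]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """Stage 6: expand the PMK into KCK, KEK and TK (16 bytes each).

    Addresses and nonces are sorted before hashing, so the AP and the
    station compute the same PTK whichever side supplies which value.
    """
    if len(pmk) != 32:
        raise ValueError("PMK must be 256 bits")
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("MAC addresses are 6 bytes, nonces are 32 bytes")
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_sha1(pmk, LABEL, data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

# Constructed sample values, not taken from a real capture.
SAMPLE_MSK = bytes(range(64))
AA = bytes.fromhex("020000000001")    # authenticator (AP) MAC
SPA = bytes.fromhex("020000000002")   # supplicant (STA) MAC
ANONCE = bytes([0xA5]) * 32
SNONCE = bytes([0x5A]) * 32

if __name__ == "__main__":
    pmk = pmk_from_msk(SAMPLE_MSK)
    for name, key in derive_ptk(pmk, AA, SPA, ANONCE, SNONCE).items():
        print(name, key.hex())
```

Because the nonces change on every association, each 4-way handshake yields a fresh PTK from the same PMK.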