EAP-PEAP-TLS
============

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-PEAP-TLS?**

    EAP-PEAP-TLS stands for *Extensible Authentication Protocol - Protected Extensible Authentication Protocol - Transport Layer Security*.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-PEAP-TLS?**

    EAP-PEAP-TLS is an EAP authentication method that uses a secure TLS tunnel to protect authentication data. It combines PEAP (which establishes the TLS tunnel) with TLS-based client authentication inside the tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-PEAP-TLS useful?**

    * Provides strong mutual authentication and encryption.
    * Protects user credentials inside a secure tunnel.
    * Suitable for enterprise wireless and wired network access.
    * Resistant to replay and man-in-the-middle attacks.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * A TLS tunnel is established between the client and the authentication server using the server certificate.
    * The client authenticates using TLS (usually via a client certificate).
    * Inside the tunnel, credentials are exchanged and verified.
    * On success, a shared Master Session Key (MSK) is derived.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-PEAP-TLS used?**

    * Enterprise Wi-Fi networks (e.g., WPA2-Enterprise, WPA3-Enterprise).
    * 802.1X wired network authentication.
    * Scenarios requiring strong certificate-based security.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * Operates at the Application Layer (Layer 7).
    * Uses lower layers (like TLS over TCP/IP) for transport.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PEAP-TLS Windows-specific?**

    * No, it is not Windows-specific.
    * Supported across multiple platforms such as Windows, Linux, macOS, and mobile OSes.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PEAP-TLS Linux-specific?**

    * No, it is not Linux-specific.
    * Supported on any OS platform that provides EAP and TLS libraries.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-PEAP-TLS?**

    * Uses TLS over TCP for transport.
    * Encapsulated within EAP over LAN (EAPOL) on the access link, or within RADIUS for backend transport.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-PEAP-TLS?**

    * Uses the RADIUS server ports:

      * UDP 1812 (Authentication)
      * UDP 1813 (Accounting)

    * The TLS tunnel has no port of its own; it is typically carried inside EAP within RADIUS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PEAP-TLS use a client-server model?**

    * Yes, it follows a client-server model.
    * Client: Supplicant (e.g., laptop or phone)
    * Server: Authentication server (e.g., RADIUS)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-TLS protocol use certificates?**

    * Yes.
    * The server certificate is mandatory.
    * A client certificate is usually required in EAP-TLS but optional in PEAP-TLS, depending on configuration.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during a connection with the EAP-PEAP-TLS protocol?**

    * Typically involves 10–20 EAPOL and RADIUS messages.
    * The exact number depends on the TLS handshake steps and the server configuration.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-TLS protocol use client certificates?**

    * Yes, if configured for mutual authentication.
    * The client certificate is used within the protected TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-TLS protocol use server certificates?**

    * Yes, always.
    * The server certificate is essential to create the initial secure TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-TLS protocol depend on TCP?**

    * Indirectly.
    * TLS runs over TCP within the authentication backend (e.g., RADIUS over TCP/TLS in some setups).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-TLS protocol depend on UDP?**

    * Yes, commonly.
    * The RADIUS protocol (carrying EAP) uses UDP 1812 and 1813.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-PEAP-TLS protocol?**

    * Supplicant (Client)
    * Authenticator (e.g., Access Point or Switch)
    * Authentication Server (e.g., FreeRADIUS)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-TLS protocol work with the FreeRADIUS server on Linux?**

    * Yes, it is fully supported.
    * FreeRADIUS can handle PEAP and TLS-based EAP methods.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-PEAP-TLS protocol work with the internal RADIUS server of hostapd?**

    * No.
    * hostapd does not include a full RADIUS server; an external RADIUS server such as FreeRADIUS is required.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFCs define the EAP-PEAP-TLS protocol?**

    * PEAP is defined in `draft-josefsson-pppext-eap-tls-eap-10 <https://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10>`_ (not a finalized RFC).
    * EAP is defined in RFC 3748.
    * TLS is defined in RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3), depending on the implementation.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    * The EAPOL packets themselves are not encrypted.
    * The payload inside EAP-PEAP (after the TLS tunnel is set up) is encrypted using the TLS session.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-PEAP-TLS protocol?**

    * **Stage 1:** EAPOL-Start and Identity exchange.
    * **Stage 2:** TLS tunnel establishment using the server certificate.
    * **Stage 3:** Client authentication using a certificate inside the tunnel.
    * **Stage 4:** Key derivation (MSK generation).
    * **Stage 5:** Success message and network access granted.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    * Generation of a shared Master Session Key (MSK).
    * Used for encryption in WPA2/WPA3 sessions.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    * The MSK is a 64-byte (512-bit) key.
    * It is derived from the TLS handshake.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    * The PMK (Pairwise Master Key) is derived from the MSK.
    * It is used by the Authenticator (e.g., Access Point) to generate the PTK (Pairwise Transient Key) for secure unicast communication.
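The MSK and PMK described in the panels above can be reproduced from the TLS handshake values of the tunnel. The following Python is an added example written for this page; it is not code from the page or from FreeRADIUS, hostapd or wpa_supplicant. It implements the TLS 1.2 PRF of RFC 5246 and the EAP-TLS key derivation of RFC 5216 (PEAPv0 reuses the same "client EAP encryption" label; that reuse is an assumption of the example, not a statement of the page), and the master secret and random values are constructed sample input, not a real capture.

```python
import hashlib
import hmac

# Constructed sample TLS handshake values (NOT from a real session): in a live
# EAP-PEAP-TLS exchange these come out of the TLS handshake that builds the tunnel.
MASTER_SECRET = bytes(range(48))          # TLS 1.2 master_secret is 48 bytes
CLIENT_RANDOM = b"\x11" * 32              # ClientHello.random (32 bytes)
SERVER_RANDOM = b"\x22" * 32              # ServerHello.random (32 bytes)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); the output is the concatenation of
    HMAC(secret, A(i) + seed) blocks, truncated to the requested length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246): PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def derive_eap_keys(master_secret: bytes, client_random: bytes, server_random: bytes,
                    label: bytes = b"client EAP encryption"):
    """Derive MSK, EMSK and the 802.11 PMK from the tunnel's TLS master secret.

    RFC 5216 section 2.3 (EAP-TLS; the PEAPv0 label is assumed identical here):
      Key_Material = TLS-PRF-128(master_secret, label, client.random + server.random)
      MSK  = Key_Material[0:64]     (the 64-byte key the page describes)
      EMSK = Key_Material[64:128]
    IEEE 802.11 takes the PMK as the first 32 bytes of the MSK."""
    key_material = tls12_prf(master_secret, label, client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:128]
    pmk = msk[:32]
    return msk, emsk, pmk


def demo():
    """Run the derivation on the constructed sample values and report the key sizes."""
    msk, emsk, pmk = derive_eap_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    return {"msk_len": len(msk), "emsk_len": len(emsk), "pmk_len": len(pmk),
            "pmk_hex": pmk.hex()}


if __name__ == "__main__":
    print(demo())
```

The authentication server hands the MSK to the authenticator in the RADIUS Access-Accept; the access point keeps only the 32-byte PMK prefix and runs the 4-way handshake from it, which is why the server certificate must be validated by the supplicant: a TLS session with the wrong server yields a PMK shared with the wrong party.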
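To make the EAPOL-encryption answer and the five stages above concrete, here is an added Python example (not from the page, and not from hostapd, wpa_supplicant or FreeRADIUS) that builds a constructed EAPOL/EAP/PEAP exchange and labels every frame with what a capture on the access link would and would not reveal. The helper names (eapol, eap, peap, classify, sample_exchange) are assumptions made for the example, and the TLS record bodies are placeholders rather than real handshake messages; only the header layouts follow IEEE 802.1X, RFC 3748, the PEAP draft and RFC 5246.

```python
import struct

# EAPOL packet types (IEEE 802.1X), EAP codes/types (RFC 3748), PEAP = EAP type 25,
# PEAP flag bits and TLS record content types (RFC 5246).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_KEY = 0, 1, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
FLAG_L, FLAG_S = 0x80, 0x20                 # L: TLS length present, S: PEAP start
TLS_CCS, TLS_HANDSHAKE, TLS_APPDATA = 0x14, 0x16, 0x17
REC_NAMES = {TLS_CCS: "change_cipher_spec", TLS_HANDSHAKE: "handshake", TLS_APPDATA: "application_data"}
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest",
            14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

def eapol(ptype, body=b""):
    """EAPOL frame: version 2, packet type, body length, body."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body

def eap(code, ident, body=b""):
    """EAP packet: code, identifier, total length, then type + type-data."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def peap(flags, tls=b""):
    """EAP type 25 payload: flags byte, 4-byte TLS length when L is set, then TLS records."""
    hdr = bytes([EAP_TYPE_PEAP, flags])
    if flags & FLAG_L:
        hdr += struct.pack("!I", len(tls))
    return hdr + tls

def tls_record(ctype, payload):
    """TLS record: content type, version 0x0303, length, payload."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def tls_records(data):
    """Split a TLS byte stream into (content_type, payload) pairs."""
    out, off = [], 0
    while off + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        out.append((ctype, data[off + 5:off + 5 + rlen]))
        off += 5 + rlen
    return out

def classify(frames):
    """Label each EAPOL frame and mark whether the TLS tunnel protects its payload.

    EAPOL and EAP headers are always cleartext. Per direction, everything a side sends
    after its ChangeCipherSpec is encrypted under the tunnel keys, so Finished and the
    inner EAP (the client certificate exchange) are hidden while the hellos and the
    server certificate are visible on the wire."""
    protected = {EAP_REQUEST: False, EAP_RESPONSE: False}
    labels = []
    for frame in frames:
        _ver, ptype, length = struct.unpack("!BBH", frame[:4])
        if ptype == EAPOL_START:
            labels.append("EAPOL-Start [cleartext]")
            continue
        if ptype == EAPOL_KEY:
            labels.append("EAPOL-Key (4-way handshake keyed from PMK) [cleartext, MIC-protected]")
            continue
        body = frame[4:4 + length]
        code, _ident, elen = struct.unpack("!BBH", body[:4])
        if code in (EAP_SUCCESS, EAP_FAILURE):
            labels.append(("EAP-Success" if code == EAP_SUCCESS else "EAP-Failure") + " [cleartext]")
            continue
        direction = "Request" if code == EAP_REQUEST else "Response"
        if body[4] == EAP_TYPE_IDENTITY:
            labels.append(f"EAP-{direction}/Identity {body[5:elen].decode('utf-8', 'replace')!r} [cleartext]")
            continue
        flags = body[5]                          # only Identity and PEAP occur in this exchange
        if flags & FLAG_S:
            labels.append(f"EAP-{direction}/PEAP v{flags & 0x07} Start [cleartext]")
            continue
        off = 6 + (4 if flags & FLAG_L else 0)
        parts = []
        for ctype, payload in tls_records(body[off:elen]):
            name = REC_NAMES.get(ctype, f"type 0x{ctype:02x}")
            if protected[code]:
                parts.append(f"{name} [encrypted]")
                continue
            if ctype == TLS_HANDSHAKE and payload:
                name += ":" + str(HS_NAMES.get(payload[0], payload[0]))
            elif ctype == TLS_CCS:
                protected[code] = True           # this side now sends under tunnel keys
            parts.append(f"{name} [cleartext]")
        labels.append(f"EAP-{direction}/PEAP " + ", ".join(parts or ["ACK"]))
    return labels

def sample_exchange():
    """Constructed frames following the five stages; TLS bodies are placeholders, not a capture."""
    hs = lambda kind, n: tls_record(TLS_HANDSHAKE, bytes([kind]) + b"\x00" * n)
    ccs, fin = tls_record(TLS_CCS, b"\x01"), tls_record(TLS_HANDSHAKE, b"\xaa" * 12)
    inner = tls_record(TLS_APPDATA, b"\xbb" * 16)   # tunnelled inner EAP (client certificate etc.)
    pkt = lambda code, i, body=b"": eapol(EAPOL_EAP_PACKET, eap(code, i, body))
    return [
        eapol(EAPOL_START),                                                   # stage 1
        pkt(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])),
        pkt(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"anonymous"),
        pkt(EAP_REQUEST, 2, peap(FLAG_S)),                                    # stage 2
        pkt(EAP_RESPONSE, 2, peap(FLAG_L, hs(1, 8))),
        pkt(EAP_REQUEST, 3, peap(FLAG_L, hs(2, 8) + hs(11, 4))),
        pkt(EAP_RESPONSE, 3, peap(FLAG_L, hs(16, 4) + ccs + fin)),
        pkt(EAP_REQUEST, 4, peap(FLAG_L, ccs + fin)),
        pkt(EAP_REQUEST, 5, peap(FLAG_L, inner)),                             # stage 3
        pkt(EAP_RESPONSE, 5, peap(FLAG_L, inner)),
        pkt(EAP_SUCCESS, 6),                                                  # stage 5
        eapol(EAPOL_KEY, b"\x02" + b"\x00" * 10),                             # stage 4 keys in use
    ]

if __name__ == "__main__":
    for label in classify(sample_exchange()):
        print(label)
```

Two things the output makes visible that matter when reviewing a capture: the outer identity sent in stage 1 is cleartext, so supplicants should send an anonymous outer identity and keep the real one for the tunnel; and the server certificate is sent unprotected, which is exactly what lets the supplicant validate it before any client credential leaves the device.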
Topics in this section:

* :ref:`Learnings in this section <EAP_PEAP_TLS_step1>`
* :ref:`Terminology <EAP_PEAP_TLS_step2>`
* :ref:`Version Info <EAP_PEAP_TLS_step3>`
* :ref:`EAP_PEAP_TLS Version&RFC Details <EAP_PEAP_TLS_step5>`
* :ref:`EAP_PEAP_TLS FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_TLS_step18>`
* :ref:`STEP 1: Bring up FreeRADIUS <EAP_PEAP_TLS_step23>`
* :ref:`STEP 2: Bring up AP <EAP_PEAP_TLS_step21>`
* :ref:`STEP 3: Bring up STA <EAP_PEAP_TLS_step22>`
* :ref:`EAP_PEAP_TLS FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_PEAP_TLS_step19>`
* :ref:`EAP_PEAP_TLS Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_PEAP_TLS_step20>`
* :ref:`EAP_PEAP_TLS Protocol Packet Details <EAP_PEAP_TLS_step6>`
* :ref:`EAP_PEAP_TLS Usecases <EAP_PEAP_TLS_step7>`
* :ref:`EAP_PEAP_TLS Basic Features <EAP_PEAP_TLS_step8>`
* :ref:`Reference links <EAP_PEAP_TLS_step17>`

.. _EAP_PEAP_TLS_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_PEAP_TLS_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_PEAP_TLS_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_PEAP_TLS_step5:

.. tab-set::

    .. tab-item:: EAP_PEAP_TLS Version&RFC Details

        * rfc details

.. _EAP_PEAP_TLS_step18:

.. tab-set::

    .. tab-item:: EAP_PEAP_TLS FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_PEAP_TLS_step23:

.. tab-set::

    .. tab-item:: STEP 1: Bring up FreeRADIUS

        .. csv-table::
            :file: ./EAP_PEAP_TLS/eap_peap_tls_freeradius_server.csv
            :class: tight-table

.. _EAP_PEAP_TLS_step21:

.. tab-set::

    .. tab-item:: STEP 2: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_PEAP_TLS/eap_peap_tls_ap_hostapd.csv
            :class: tight-table

.. _EAP_PEAP_TLS_step22:

.. tab-set::

    .. tab-item:: STEP 3: Bring up STA

        .. csv-table::
            :file: ./EAP_PEAP_TLS/eap_peap_tls_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download the file to check the Wireshark output: :download:`Packet capture in EAP_PEAP_TLS`

.. _EAP_PEAP_TLS_step19:

.. tab-set::

    .. tab-item:: EAP_PEAP_TLS FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_PEAP_TLS_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_PEAP_TLS_step6:

.. tab-set::

    .. tab-item:: EAP_PEAP_TLS Protocol Packet Details

        * packet details

.. _EAP_PEAP_TLS_step7:

.. tab-set::

    .. tab-item:: EAP_PEAP_TLS Usecases

        * usecases

.. _EAP_PEAP_TLS_step8:

.. tab-set::

    .. tab-item:: EAP_PEAP_TLS Basic Features

        * features

.. _EAP_PEAP_TLS_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links