EAP-TTLS-CHAP
==============

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-TTLS-CHAP?**

    EAP-TTLS-CHAP stands for Extensible Authentication Protocol - Tunneled Transport Layer Security - Challenge Handshake Authentication Protocol.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-TTLS-CHAP?**

    EAP-TTLS-CHAP is an authentication method that combines EAP-TTLS (a tunneling protocol) with CHAP (a password-based challenge-response authentication protocol). EAP-TTLS establishes a TLS tunnel to the authentication server, and CHAP performs client authentication inside that tunnel, so the CHAP exchange is never exposed on the link.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-TTLS-CHAP useful?**

    - Allows legacy protocols like CHAP to be used securely.
    - Protects user credentials by encrypting the authentication data.
    - Supports mutual authentication without requiring client certificates.
    - Useful in enterprise wireless and VPN scenarios.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    1. A TLS tunnel is created between the client and the authentication server.
    2. The server sends a CHAP challenge inside the encrypted tunnel.
    3. The client responds with a CHAP response, a hash computed over its password and the challenge.
    4. The server verifies the response and authenticates the client.
    5. Keys are generated for securing the session.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-TTLS-CHAP used?**

    - Enterprise wireless networks and VPN access.
    - Environments requiring secure authentication without client certificates.
    - Legacy network infrastructures transitioning to secure protocols.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    - Application Layer (Layer 7).
    - Runs over EAP, transported via EAPOL and RADIUS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-CHAP Windows specific?**

    - No, it is platform-independent.
    - Supported on Windows via third-party supplicants.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-CHAP Linux specific?**

    - No, it is supported on Linux with supplicants like wpa_supplicant.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-TTLS-CHAP?**

    - EAPOL for link-layer transport (Layer 2) between the client and the authenticator.
    - RADIUS (UDP) for communication between the authenticator and the authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-TTLS-CHAP?**

    - UDP port 1812 when using RADIUS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-CHAP use the client-server model?**

    - Yes, it involves a client (supplicant), an authenticator, and an authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-CHAP protocol use certificates?**

    - A server certificate is mandatory to establish the TLS tunnel.
    - Client certificates are generally not required; client authentication is done via CHAP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-TTLS-CHAP protocol?**

    - Multiple EAPOL frames occur during the TLS handshake and the CHAP challenge-response.
    - Typically several dozen frames in total.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-CHAP protocol use client certificates?**

    - No, client authentication is based on CHAP inside the TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-CHAP protocol use server certificates?**

    - Yes, the server certificate secures the TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-CHAP protocol depend on TCP?**

    - No, TCP is not a direct dependency of EAP-TTLS-CHAP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-CHAP protocol depend on UDP?**

    - Yes, RADIUS communication typically uses UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-TTLS-CHAP protocol?**

    - Client (Supplicant)
    - Authenticator (Access Point)
    - Authentication Server (RADIUS)
    - Testing tools like packet capture analyzers and EAP testers.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-CHAP protocol work with the FreeRADIUS server on Linux?**

    - Yes, FreeRADIUS supports EAP-TTLS with CHAP inner authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-CHAP protocol work with the internal RADIUS server of hostapd?**

    - Limited or no support; external RADIUS servers like FreeRADIUS are preferred.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFCs define the EAP-TTLS-CHAP protocol?**

    - EAP-TTLS: RFC 5281
    - CHAP: RFC 1994

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    - The inner authentication messages (CHAP challenge-response) are encrypted.
    - The TLS handshake packets are sent in the clear; they establish the tunnel that protects everything after them.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-TTLS-CHAP protocol?**

    1. TLS tunnel establishment between client and server.
    2. Inner authentication with CHAP challenge and response inside the tunnel.
    3. Authentication success or failure communicated.
    4. Generation of the Pairwise Master Key (PMK) for securing the wireless session.
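The inner CHAP round from stage 2 above (and steps 2 to 4 of "How does it work?"), as an added Python example that is not part of this page, FreeRADIUS or wpa_supplicant. It follows RFC 5281, where the CHAP-Challenge and identifier are taken from 17 bytes of TLS-derived keying material known to both ends, and RFC 1994 for the MD5 response; the keying material and the password are constructed stand-ins, and the 17-byte CHAP-Password value mirrors the RADIUS attribute layout (identifier followed by response).

```python
import hashlib
import hmac

# Constructed stand-in for the 17 bytes of TLS keying material that RFC 5281
# derives from the tunnel; a real supplicant takes this from the TLS layer.
TLS_CHALLENGE_MATERIAL = bytes(range(0x10, 0x21))  # 17 bytes, constructed
# Assumed credential; CHAP needs the server to hold the cleartext password
# (FreeRADIUS: Cleartext-Password), one reason the round stays in the tunnel.
USER_PASSWORD = b"example-password"


def split_ttls_challenge(material: bytes) -> tuple[bytes, int]:
    """RFC 5281 11.2.3: first 16 bytes are the CHAP-Challenge, byte 17 the
    CHAP identifier."""
    if len(material) < 17:
        raise ValueError("need at least 17 bytes of keying material")
    return material[:16], material[16]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_chap_password(material: bytes, password: bytes) -> bytes:
    """Supplicant side: 17-byte CHAP-Password value, identifier then response."""
    challenge, ident = split_ttls_challenge(material)
    return bytes([ident]) + chap_response(ident, password, challenge)


def server_verify(material: bytes, chap_password: bytes, stored_password: bytes) -> bool:
    """Server side: recompute from the stored password, compare in constant time."""
    if len(chap_password) != 17:
        return False
    challenge, ident = split_ttls_challenge(material)
    if chap_password[0] != ident:
        return False  # identifier is bound to the challenge material
    expected = chap_response(ident, stored_password, challenge)
    return hmac.compare_digest(expected, chap_password[1:])


def run_inner_auth(client_password: bytes, server_password: bytes) -> bool:
    """One inner CHAP round as it runs inside the TTLS tunnel."""
    attr = client_chap_password(TLS_CHALLENGE_MATERIAL, client_password)
    return server_verify(TLS_CHALLENGE_MATERIAL, attr, server_password)
```

Because the response is an unsalted MD5 over the password, anyone who can read the challenge and response off the wire can test password guesses offline, which is why the supplicant must validate the server certificate before sending it through the tunnel.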
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    - Authentication result (success or failure).
    - A PMK generated to protect the subsequent wireless communication.
    - Network access granted if authentication succeeds.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    - A 256-bit Pairwise Master Key (PMK).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    - Used in the 4-way handshake to derive the session keys for encryption.
    - Secures data transmission between the client and the access point.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`EAP_TTLS_CHAP Version&IEEE Details `
    * :ref:`EAP_TTLS_CHAP FreeRadius Basic Setup on Ubuntu (2 Machines) `
    * :ref:`STEP 1: Bring up FreeRADIUS `
    * :ref:`STEP 2: Bring up AP `
    * :ref:`STEP 3: Bring up STA `
    * :ref:`EAP_TTLS_CHAP FreeRadius Basic Setup on Ubuntu (3 Machines) `
    * :ref:`EAP_TTLS_CHAP Internal Radius Server Basic Setup on Ubuntu (2 Machines) `
    * :ref:`EAP_TTLS_CHAP Protocol Packet Details `
    * :ref:`EAP_TTLS_CHAP Usecases `
    * :ref:`EAP_TTLS_CHAP Basic Features `
    * :ref:`Reference links `

.. _EAP_TTLS_CHAP_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_TTLS_CHAP_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_TTLS_CHAP_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_TTLS_CHAP_step5:

.. tab-set::

    .. tab-item:: EAP_TTLS_CHAP Version&RFC Details

        * rfc details

.. _EAP_TTLS_CHAP_step18:

.. tab-set::

    .. tab-item:: EAP_TTLS_CHAP FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TTLS_CHAP_step23:

.. tab-set::

    .. tab-item:: STEP 1: Bring up FreeRADIUS

        .. csv-table::
            :file: ./EAP_TTLS_CHAP/eap_ttls_chap_freeradius_server.csv
            :class: tight-table

.. _EAP_TTLS_CHAP_step21:

.. tab-set::

    .. tab-item:: STEP 2: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_TTLS_CHAP/eap_ttls_chap_ap_hostapd.csv
            :class: tight-table

.. _EAP_TTLS_CHAP_step22:

.. tab-set::

    .. tab-item:: STEP 3: Bring up STA

        .. csv-table::
            :file: ./EAP_TTLS_CHAP/eap_ttls_chap_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download the file to check the Wireshark output: :download:`Packet capture in EAP_TTLS_CHAP `

.. _EAP_TTLS_CHAP_step19:

.. tab-set::

    .. tab-item:: EAP_TTLS_CHAP FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_TTLS_CHAP_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TTLS_CHAP_step6:

.. tab-set::

    .. tab-item:: EAP_TTLS_CHAP Protocol Packet Details

        * packet details

.. _EAP_TTLS_CHAP_step7:

.. tab-set::

    .. tab-item:: EAP_TTLS_CHAP Usecases

        * usecases

.. _EAP_TTLS_CHAP_step8:

.. tab-set::

    .. tab-item:: EAP_TTLS_CHAP Basic Features

        * features

.. _EAP_TTLS_CHAP_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links