EAP-TTLS-EAP-MD5-Challenge
==========================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-TTLS-EAP-MD5-Challenge?**

    Extensible Authentication Protocol - Tunneled Transport Layer Security - Extensible Authentication Protocol - Message Digest 5 Challenge.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-TTLS-EAP-MD5-Challenge?**

    EAP-TTLS-EAP-MD5-Challenge is an authentication method that uses EAP-TTLS to establish a TLS tunnel between the supplicant and the authentication server, and EAP-MD5-Challenge as the inner method: the user's credential is verified through an MD5 challenge-response exchange carried inside the encrypted tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-TTLS-EAP-MD5-Challenge useful?**

    - Carries legacy MD5 challenge-response credentials inside a protected TLS tunnel.
    - Protects the password-derived challenge-response data from eavesdropping.
    - Allows older authentication methods to be used in modern, encrypted environments.
    - Useful where client certificates are not deployed but strong encryption is needed.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    1. A TLS tunnel is established between the client and the authentication server.
    2. Inside the tunnel, the server sends an MD5 challenge to the client.
    3. The client responds with a hash computed over the challenge and its password.
    4. The server validates the hash and authenticates the client.
    5. Upon success, cryptographic keys are generated for the session.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-TTLS-EAP-MD5-Challenge used?**

    - Enterprise Wi-Fi networks that require legacy password-based authentication.
    - VPN environments that support older EAP methods.
    - Scenarios that need a balance between legacy compatibility and secure tunneling.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    - Application Layer (Layer 7).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-EAP-MD5-Challenge Windows specific?**

    - No, it is platform-independent but requires supplicant support.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-EAP-MD5-Challenge Linux specific?**

    - No, it is supported by Linux supplicants such as wpa_supplicant.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-TTLS-EAP-MD5-Challenge?**

    - EAP over LAN (EAPOL) for client-authenticator communication.
    - RADIUS (UDP) between the authenticator and the authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-TTLS-EAP-MD5-Challenge?**

    - UDP port 1812 (RADIUS Authentication).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge use a client-server model?**

    - Yes, it involves the supplicant (client), the authenticator (access point), and the authentication server.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge use certificates?**

    - A server certificate is mandatory to establish the TLS tunnel.
    - Client certificates are generally not required.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for EAP-TTLS-EAP-MD5-Challenge?**

    - Multiple EAPOL frames occur because of the TLS handshake and the inner MD5 challenge/response.
    - Usually several dozen frames during a complete authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge use client certificates?**

    - No, client authentication is done via MD5 challenge-response inside the TLS tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge use server certificates?**

    - Yes, one is required for TLS tunnel establishment.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge depend on TCP?**

    - Not directly; EAP/EAPOL are independent of TCP.
    - The TLS handshake runs over EAPOL (Layer 2).
    - RADIUS uses UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge depend on UDP?**

    - Yes, RADIUS typically operates over UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing EAP-TTLS-EAP-MD5-Challenge?**

    - Client/Supplicant (the device connecting).
    - Authenticator (e.g., an access point).
    - Authentication server (e.g., FreeRADIUS).
    - Network monitoring tools to capture and analyze frames.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge work with a FreeRADIUS server on Linux?**

    - Yes, FreeRADIUS supports EAP-TTLS with inner EAP-MD5.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-EAP-MD5-Challenge work with the internal RADIUS server of hostapd?**

    - Limited support; external RADIUS servers are preferred for EAP-TTLS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFCs define EAP-TTLS-EAP-MD5-Challenge?**

    - EAP-TTLS: RFC 5281.
    - EAP-MD5: RFC 3748.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    - The inner EAP-MD5 challenge-response messages are encrypted inside the TLS tunnel.
    - The TLS handshake messages are sent unencrypted, but they establish the secure tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for EAP-TTLS-EAP-MD5-Challenge?**

    1. The client and server perform a TLS handshake to establish a secure tunnel.
    2. The server sends an MD5 challenge inside the tunnel.
    3. The client computes and returns the MD5 hash response.
    4. The server verifies the response and authenticates the client.
    5. Keys (PMK) are derived for subsequent secure communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    - Authentication success or failure.
    - A Pairwise Master Key (PMK) for encrypting wireless data.
    - Network access is granted upon success.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    - A 256-bit Pairwise Master Key (PMK).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    - It is used in the 4-way handshake to derive the temporal encryption keys.
    - It secures data transmission between the client and the access point.
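The inner MD5 challenge-response from stages 2 to 4 above, as an added Python example that is not part of this page nor taken from FreeRADIUS or wpa_supplicant: it builds and parses EAP MD5-Challenge packets (RFC 3748 section 5.4) and computes the Response value as MD5(Identifier || password || Challenge), as EAP-MD5 inherits from CHAP (RFC 1994). The challenge bytes, the user name ``bob`` and the password are constructed samples, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2   # EAP Code field
EAP_TYPE_MD5_CHALLENGE = 4         # EAP Type field, RFC 3748 section 5.4

def build_eap(code, identifier, value, name):
    """Wire format: Code | Identifier | Length | Type=4 | Value-Size | Value | Name."""
    type_data = bytes([len(value)]) + value + name
    length = 5 + len(type_data)    # 4-byte EAP header plus the 1-byte Type
    return struct.pack("!BBHB", code, identifier, length, EAP_TYPE_MD5_CHALLENGE) + type_data

def parse_eap(packet):
    """Return (code, identifier, value, name); reject packets whose length fields lie."""
    if len(packet) < 6:
        raise ValueError("packet too short for an EAP MD5-Challenge")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("bad EAP Length or Type")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("Value-Size exceeds the packet")
    return code, identifier, value, packet[6 + value_size:]

def response_value(identifier, secret, challenge):
    """CHAP value reused by EAP-MD5 (RFC 1994 section 4.1): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def client_answer(request, secret, name):
    """Supplicant side (stage 3): answer the Request, echoing its Identifier."""
    _, identifier, challenge, _ = parse_eap(request)
    return build_eap(EAP_RESPONSE, identifier, response_value(identifier, secret, challenge), name)

def server_verify(request, response, user_db):
    """Server side (stage 4): recompute from the stored cleartext password; constant-time compare."""
    req_code, req_id, challenge, _ = parse_eap(request)
    rsp_code, rsp_id, value, name = parse_eap(response)
    if (req_code, rsp_code) != (EAP_REQUEST, EAP_RESPONSE) or req_id != rsp_id:
        return False                # wrong direction, or the Response does not match the Request
    secret = user_db.get(name)      # unknown user: no secret, so verification fails
    return secret is not None and hmac.compare_digest(response_value(rsp_id, secret, challenge), value)

# Constructed sample (not from a capture): the server issues a 16-byte challenge with
# Identifier 7; a real server draws the challenge from os.urandom(16) for every request.
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_REQUEST = build_eap(EAP_REQUEST, 7, SAMPLE_CHALLENGE, b"")
```

Note that the server must hold the cleartext password to recompute the value, and the Response carries no binding to the TLS tunnel, so the credential's protection against offline guessing rests entirely on the tunnel and on the supplicant validating the server certificate.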
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <EAP_TTLS_EAP_MD5_Challenge_step1>`
    * :ref:`Terminology <EAP_TTLS_EAP_MD5_Challenge_step2>`
    * :ref:`Version Info <EAP_TTLS_EAP_MD5_Challenge_step3>`
    * :ref:`EAP_TTLS_EAP_MD5_Challenge Version&IEEE Details <EAP_TTLS_EAP_MD5_Challenge_step5>`
    * :ref:`EAP_TTLS_EAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_MD5_Challenge_step18>`
    * :ref:`STEP 1: Bring up FreeRADIUS <EAP_TTLS_EAP_MD5_Challenge_step23>`
    * :ref:`STEP 2: Bring up AP <EAP_TTLS_EAP_MD5_Challenge_step21>`
    * :ref:`STEP 3: Bring up STA <EAP_TTLS_EAP_MD5_Challenge_step22>`
    * :ref:`EAP_TTLS_EAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_TTLS_EAP_MD5_Challenge_step19>`
    * :ref:`EAP_TTLS_EAP_MD5_Challenge Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_MD5_Challenge_step20>`
    * :ref:`EAP_TTLS_EAP_MD5_Challenge Protocol Packet Details <EAP_TTLS_EAP_MD5_Challenge_step6>`
    * :ref:`EAP_TTLS_EAP_MD5_Challenge Usecases <EAP_TTLS_EAP_MD5_Challenge_step7>`
    * :ref:`EAP_TTLS_EAP_MD5_Challenge Basic Features <EAP_TTLS_EAP_MD5_Challenge_step8>`
    * :ref:`Reference links <EAP_TTLS_EAP_MD5_Challenge_step17>`

.. _EAP_TTLS_EAP_MD5_Challenge_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_TTLS_EAP_MD5_Challenge_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_TTLS_EAP_MD5_Challenge_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_TTLS_EAP_MD5_Challenge_step5:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_MD5_Challenge Version&RFC Details

        * rfc details

.. _EAP_TTLS_EAP_MD5_Challenge_step18:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TTLS_EAP_MD5_Challenge_step23:

.. tab-set::

    .. tab-item:: STEP 1: Bring up FreeRADIUS

        .. csv-table::
            :file: ./EAP_TTLS_EAP_MD5_Challenge/eap_ttls_eap_md5_freeradius_server.csv
            :class: tight-table

.. _EAP_TTLS_EAP_MD5_Challenge_step21:

.. tab-set::

    .. tab-item:: STEP 2: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_TTLS_EAP_MD5_Challenge/eap_ttls_eap_md5_ap_hostapd.csv
            :class: tight-table

.. _EAP_TTLS_EAP_MD5_Challenge_step22:

.. tab-set::

    .. tab-item:: STEP 3: Bring up STA

        .. csv-table::
            :file: ./EAP_TTLS_EAP_MD5_Challenge/eap_ttls_eap_md5_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download the file to check the Wireshark output :download:`Packet capture in EAP_TTLS_EAP_MD5_Challenge`

.. _EAP_TTLS_EAP_MD5_Challenge_step19:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_MD5_Challenge FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_TTLS_EAP_MD5_Challenge_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TTLS_EAP_MD5_Challenge_step6:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_MD5_Challenge Protocol Packet Details

        * packet details

.. _EAP_TTLS_EAP_MD5_Challenge_step7:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_MD5_Challenge Usecases

        * usecases

.. _EAP_TTLS_EAP_MD5_Challenge_step8:

.. tab-set::

    .. tab-item:: EAP_TTLS_EAP_MD5_Challenge Basic Features

        * features

.. _EAP_TTLS_EAP_MD5_Challenge_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links