EAP-TTLS-EAP-MSCHAPv2
=======================

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the expansion of EAP-TTLS-EAP-MSCHAPv2?**

   Extensible Authentication Protocol - Tunneled Transport Layer Security - Extensible Authentication Protocol - Microsoft Challenge Handshake Authentication Protocol version 2.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-TTLS-EAP-MSCHAPv2?**

   EAP-TTLS-EAP-MSCHAPv2 is an EAP method in which the supplicant and the authentication server first establish a TLS tunnel with EAP-TTLS (the server proves its identity with a certificate) and then run a second, inner EAP method, EAP-MSCHAPv2, inside that tunnel to verify the user's password. The inner EAP packets travel as EAP-Message AVPs inside the TTLS tunnel. This differs from EAP-TTLS carrying plain (non-EAP) MS-CHAP-V2 AVPs; in wpa_supplicant the two variants are selected with ``phase2="autheap=MSCHAPV2"`` and ``phase2="auth=MSCHAPV2"`` respectively.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-TTLS-EAP-MSCHAPv2 useful?**

   - Protects user credentials: the MSCHAPv2 challenge and response are sent only inside the TLS tunnel, so a passive listener on the wireless link never sees them.
   - Supports password-based authentication; users need only a username and password. The protection comes from the TLS tunnel and the server's authentication, not from MSCHAPv2 itself, whose DES-based response can be cracked offline if it is ever captured outside the tunnel.
   - Widely supported by supplicants and RADIUS servers, including many legacy systems.
   - Does not require client certificates, which eases deployment; only the server needs a certificate, and clients need the issuing CA so they can validate it before releasing credentials.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How it works?**

   1. The supplicant sends an outer EAP-Response/Identity, then a TLS handshake runs inside EAP-TTLS messages; the server presents its certificate and the supplicant validates it.
   2. Inside the encrypted tunnel the server requests the inner identity and sends an EAP-MSCHAPv2 Challenge containing a 16-byte authenticator challenge.
   3. The client answers with an EAP-MSCHAPv2 Response carrying its own 16-byte peer challenge and a 24-byte NT-Response computed from the NT hash of the password; the password itself is never transmitted.
   4. The server verifies the NT-Response and returns an MSCHAPv2 Success message with an authenticator response, which the client checks in turn (mutual proof of the password), followed by an outer EAP-Success.
   5. Both sides export keying material (MSK/EMSK) from the TLS session; the server delivers the PMK to the authenticator over RADIUS.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-TTLS-EAP-MSCHAPv2 used?**

   - Enterprise Wi-Fi (WPA2-Enterprise and WPA3-Enterprise, IEEE 802.1X) authentication.
   - VPN authentication requiring password-based security.
   - Networks needing secure tunneled authentication without client certificates.
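Step 5 above (and the PMK panels further down the page) say that session keys are exported from the TLS session. The following added example, which is not code from the original page or from wpa_supplicant, hostapd or FreeRADIUS, carries that derivation through in Python: the TLS 1.2 PRF of RFC 5246 (P_SHA256) applied with the ``ttls keying material`` label of RFC 5281 section 8, then the MSK/EMSK split and the 32-byte PMK that IEEE 802.11 takes from the MSK. The master secret and randoms are constructed test values, not a captured session.

```python
"""Derive the EAP-TTLS MSK/EMSK and the IEEE 802.11 PMK from TLS session secrets.

Added example, not code from the original page or from wpa_supplicant,
hostapd or FreeRADIUS. It implements the TLS 1.2 PRF (RFC 5246 section 5,
P_SHA256) and the key export of RFC 5281 section 8. The master secret and
randoms below are constructed test values, not a captured session.
"""
import hashlib
import hmac

TTLS_LABEL = b"ttls keying material"   # label fixed by RFC 5281


def p_hash(secret: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """P_<hash>(secret, seed) from RFC 5246: concatenated HMACs over A(1), A(2), ..."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF = P_SHA256(secret, label + seed) for cipher suites that do not
    name a different hash. TLS 1.0/1.1 used an MD5/SHA-1 split construction instead."""
    return p_hash(secret, label + seed, length)


def ttls_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """RFC 5281 section 8: 128 bytes of key material, MSK = first 64 bytes,
    EMSK = next 64. IEEE 802.11 uses the first 256 bits of the MSK as the PMK;
    the RADIUS server hands that same half to the AP as MS-MPPE-Recv-Key."""
    if len(master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("expected a 48-byte master secret and 32-byte randoms")
    km = tls12_prf(master_secret, TTLS_LABEL, client_random + server_random, 128)
    msk, emsk = km[:64], km[64:]
    return {
        "msk": msk,
        "emsk": emsk,
        "pmk": msk[:32],               # fed into the 4-way handshake by supplicant and AP
        "mppe_recv_key": msk[:32],     # RADIUS MS-MPPE-Recv-Key (RFC 2548) = PMK
        "mppe_send_key": msk[32:64],   # RADIUS MS-MPPE-Send-Key
    }


# Constructed values standing in for a real TLS session (assumed, not captured)
DEMO_MASTER_SECRET = hashlib.sha512(b"constructed master secret").digest()[:48]
DEMO_CLIENT_RANDOM = bytes(range(32))
DEMO_SERVER_RANDOM = bytes(range(32, 64))


def demo() -> dict:
    """Run the derivation on the constructed values and show that a fresh server
    random yields a different PMK, i.e. every TLS session gets its own PMK."""
    keys = ttls_keys(DEMO_MASTER_SECRET, DEMO_CLIENT_RANDOM, DEMO_SERVER_RANDOM)
    other = ttls_keys(DEMO_MASTER_SECRET, DEMO_CLIENT_RANDOM, bytes(range(64, 96)))
    keys["pmk_differs_with_new_server_random"] = keys["pmk"] != other["pmk"]
    return keys


if __name__ == "__main__":
    k = demo()
    print("PMK:", k["pmk"].hex())
    print("MSK length:", len(k["msk"]), "EMSK length:", len(k["emsk"]))
```

The example covers TLS 1.2 sessions; when TLS 1.3 is negotiated, EAP-TTLS implementations switch to the TLS exporter interface (RFC 9427), which is not shown here.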
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   - EAP does not map cleanly onto one OSI layer. Between supplicant and authenticator it is carried directly over the data link layer (EAPOL, Layer 2) with no IP involved; the TLS handshake and the inner EAP-MSCHAPv2 exchange are tunneled inside EAP. Between authenticator and authentication server the same EAP messages are relayed inside RADIUS over UDP/IP.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-EAP-MSCHAPv2 Windows specific?**

   - No. It is implemented by wpa_supplicant on Linux, by the native supplicants of Windows (8 and later), macOS, iOS and Android, and on the server side by FreeRADIUS and hostapd among others.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-EAP-MSCHAPv2 Linux specific?**

   - No, but it is fully supported on Linux by supplicants such as wpa_supplicant and by hostapd and FreeRADIUS as servers.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which transport protocol is used by EAP-TTLS-EAP-MSCHAPv2?**

   - EAPOL (IEEE 802.1X) between supplicant and authenticator; no IP address is needed at this stage.
   - RADIUS over UDP between authenticator and authentication server, with the EAP packets carried in EAP-Message attributes (RFC 3579). RADIUS over TLS (RadSec, TCP port 2083) is an alternative for this leg.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which port is used by EAP-TTLS-EAP-MSCHAPv2?**

   - UDP port 1812 (RADIUS authentication) and 1813 (RADIUS accounting); some older deployments still use 1645/1646.
   - No port on the supplicant side: EAPOL frames are identified by EtherType 0x888E, not by a transport port.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-EAP-MSCHAPv2 using the client-server model?**

   - Yes. The supplicant (client) and the authentication server are the two EAP endpoints; the authenticator (access point) only relays EAP between EAPOL and RADIUS.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Whether EAP-TTLS-EAP-MSCHAPv2 protocol uses certificates?**

   - Requires a server certificate to establish the TLS tunnel, and the supplicant must be configured to validate it (CA certificate plus a server-name check).
   - Client certificates are not required.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during connection for EAP-TTLS-EAP-MSCHAPv2 protocol?**

   - Several dozen EAPOL frames. A typical sequence is: EAPOL-Start; EAP Identity request/response; EAP-TTLS Start; ClientHello; the server's ServerHello and certificate chain, which is larger than one EAP packet and is split into fragments of roughly 1 KB, each acknowledged by an empty EAP-TTLS response; the client's key exchange and Finished; the server's Finished; three or four encrypted round trips for the inner identity and the EAP-MSCHAPv2 challenge, response and success; EAP-Success; and finally the four EAPOL-Key frames of the 4-way handshake. The exact count depends on the size of the certificate chain and on the fragment size configured on server and supplicant.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Whether EAP-TTLS-EAP-MSCHAPv2 protocol uses client certificates?**

   - No; the supplicant is authenticated by its password through EAP-MSCHAPv2 inside the TLS tunnel. (EAP-TTLS itself can optionally request a client certificate, but this method does not use one.)
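To make the frame count and the cleartext/encrypted split above concrete, here is an added example (not code from the original page, nor from wpa_supplicant or hostapd) that decodes the outer layer of an EAP-TTLS conversation from EAPOL frames: it parses the EAPOL and EAP headers, reassembles EAP-TTLS fragments using the L/M flags, and labels what a passive observer can see in each frame. The frames produced by ``sample_exchange()`` are constructed by hand; the TLS payloads are stand-in bytes that carry only a correct record type, and the identity, SSID-free exchange and fragment sizes are assumptions for the example.

```python
"""Decode the outer, cleartext layer of an EAP-TTLS exchange from EAPOL frames.

Added example, not code from the original page or from wpa_supplicant/hostapd.
Frames from sample_exchange() are constructed by hand (TLS payloads are
stand-in bytes with the right record type); field layouts follow IEEE 802.1X
(EAPOL), RFC 3748 (EAP) and RFC 5281 (EAP-TTLS).
"""
import struct

EAPOL_EAP, EAPOL_START = 0, 1                               # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TTLS = 1, 21
TTLS_L, TTLS_M, TTLS_S = 0x80, 0x40, 0x20                   # length-included, more, start
TLS_CCS, TLS_HANDSHAKE, TLS_APPDATA = 0x14, 0x16, 0x17      # TLS record content types


def eapol(eap_body: bytes = b"", eapol_type: int = EAPOL_EAP) -> bytes:
    """EAPOL header (version 1) followed by the EAP packet."""
    return struct.pack("!BBH", 1, eapol_type, len(eap_body)) + eap_body


def eap(code: int, eap_id: int, type_data: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length, then Type + Type-Data."""
    return struct.pack("!BBH", code, eap_id, 4 + len(type_data)) + type_data


def ttls(flags: int, payload: bytes = b"", total: int = None) -> bytes:
    """EAP-TTLS Type-Data: Type=21, Flags, optional 4-byte Message Length, TLS data."""
    out = bytes([EAP_TYPE_TTLS, flags])
    if flags & TTLS_L:
        out += struct.pack("!I", len(payload) if total is None else total)
    return out + payload


class TtlsDecoder:
    """Reassembles EAP-TTLS fragments per direction and reports what each EAPOL
    frame exposes to a passive observer on the wireless link."""

    def __init__(self):
        self.buf = {EAP_REQUEST: b"", EAP_RESPONSE: b""}
        self.expected = {}           # Message Length announced by a first fragment
        self.outer_identity = None

    def feed(self, frame: bytes) -> str:
        _ver, etype, blen = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + blen]
        if len(body) != blen:
            raise ValueError("truncated EAPOL body")
        if etype == EAPOL_START:
            return "EAPOL-Start"
        if etype != EAPOL_EAP:
            return f"EAPOL type {etype} (not EAP)"
        code, _id, elen = struct.unpack("!BBH", body[:4])
        if elen != len(body):
            raise ValueError("bad EAP length")
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return f"EAP-{'Success' if code == EAP_SUCCESS else 'Failure'} (cleartext)"
        name = "Request" if code == EAP_REQUEST else "Response"
        eap_type, data = body[4], body[5:]
        if eap_type == EAP_TYPE_IDENTITY:
            ident = data.decode("utf-8", "replace")
            if code == EAP_RESPONSE:
                self.outer_identity = ident      # visible to anyone sniffing the link
            return f"EAP-{name}/Identity {ident!r} (cleartext)"
        if eap_type != EAP_TYPE_TTLS:
            return f"EAP-{name} type {eap_type}"
        flags, off = data[0], 1
        if flags & TTLS_S:
            return "EAP-Request/TTLS Start (cleartext)"
        if flags & TTLS_L:                        # first fragment carries the total length
            self.expected[code] = struct.unpack("!I", data[1:5])[0]
            off = 5
        payload = data[off:]
        if not payload:
            return f"EAP-{name}/TTLS ACK (empty, acknowledges a fragment)"
        self.buf[code] += payload
        if flags & TTLS_M:
            return f"EAP-{name}/TTLS fragment, {len(payload)} bytes, more follow"
        msg, self.buf[code] = self.buf[code], b""
        if code in self.expected and self.expected.pop(code) != len(msg):
            raise ValueError("reassembled length does not match Message Length")
        kind = {TLS_HANDSHAKE: "TLS handshake records (cleartext until Finished; certificate chain travels here)",
                TLS_CCS: "ChangeCipherSpec followed by encrypted Finished",
                TLS_APPDATA: "TLS application data (encrypted inner EAP-MSCHAPv2)"}
        return f"EAP-{name}/TTLS complete message, {len(msg)} bytes: " + kind.get(msg[0], f"record type {msg[0]}")


def decode_exchange(frames) -> dict:
    dec = TtlsDecoder()
    return {"lines": [dec.feed(f) for f in frames], "outer_identity": dec.outer_identity}


# Constructed stand-ins: only the first byte (TLS record type) matters to the decoder.
CLIENT_HELLO = bytes([TLS_HANDSHAKE, 3, 3, 0, 4]) + b"\x01\x00\x00\x00"
SERVER_FLIGHT = bytes([TLS_HANDSHAKE, 3, 3, 0, 60]) + bytes(60)    # ServerHello + Certificate
PART1, PART2 = SERVER_FLIGHT[:40], SERVER_FLIGHT[40:]               # split across two EAP packets


def sample_exchange() -> list:
    """A constructed EAP-TTLS/EAP-MSCHAPv2 conversation as seen on the EAPOL side."""
    def app(n):                       # encrypted application-data record stand-in
        return bytes([TLS_APPDATA]) + bytes(n)
    return [
        eapol(eapol_type=EAPOL_START),
        eapol(eap(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))),
        eapol(eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + b"anonymous@example.com")),
        eapol(eap(EAP_REQUEST, 2, ttls(TTLS_S))),
        eapol(eap(EAP_RESPONSE, 2, ttls(0, CLIENT_HELLO))),
        eapol(eap(EAP_REQUEST, 3, ttls(TTLS_L | TTLS_M, PART1, total=len(SERVER_FLIGHT)))),
        eapol(eap(EAP_RESPONSE, 3, ttls(0))),                                       # ACK
        eapol(eap(EAP_REQUEST, 4, ttls(0, PART2))),                                 # last fragment
        eapol(eap(EAP_RESPONSE, 4, ttls(0, bytes([TLS_HANDSHAKE]) + bytes(20)))),   # ClientKeyExchange, CCS, Finished
        eapol(eap(EAP_REQUEST, 5, ttls(0, bytes([TLS_CCS]) + bytes(10)))),          # server CCS, Finished
        eapol(eap(EAP_RESPONSE, 5, ttls(0, app(30)))),    # inner EAP-Response/Identity
        eapol(eap(EAP_REQUEST, 6, ttls(0, app(40)))),     # inner EAP-MSCHAPv2 Challenge
        eapol(eap(EAP_RESPONSE, 6, ttls(0, app(70)))),    # inner EAP-MSCHAPv2 Response
        eapol(eap(EAP_REQUEST, 7, ttls(0, app(50)))),     # inner MSCHAPv2 Success
        eapol(eap(EAP_RESPONSE, 7, ttls(0, app(8)))),     # inner success acknowledgement
        eapol(eap(EAP_SUCCESS, 7)),
    ]
```

Running ``decode_exchange(sample_exchange())`` prints one line per frame; the lines up to the server's Finished are marked cleartext, everything after is application data, which is why a capture shows the certificate chain in the clear but nothing of the MSCHAPv2 exchange. Feeding real frames requires stripping the Ethernet or 802.11 header first, since the decoder starts at the EAPOL header.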
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Whether EAP-TTLS-EAP-MSCHAPv2 protocol uses server certificates?**

   - Yes; the TLS tunnel cannot be established without one. The supplicant must validate it (``ca_cert`` and ``domain_suffix_match`` in wpa_supplicant, or the equivalent on other platforms). If it does not, a rogue access point with its own RADIUS server can terminate the tunnel, receive the inner MSCHAPv2 challenge/response and crack the password offline.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-EAP-MSCHAPv2 protocol dependent on TCP?**

   - Not directly; EAP/EAPOL works over Layer 2.
   - The TLS handshake inside EAP-TTLS runs over EAPOL frames, and EAP-TTLS does its own fragmentation and acknowledgement instead of relying on TCP.
   - RADIUS uses UDP (RadSec over TCP is optional).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-EAP-MSCHAPv2 protocol dependent on UDP?**

   - Yes for the authenticator-to-server leg, where RADIUS uses UDP; the supplicant-to-authenticator leg uses no IP at all.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing EAP-TTLS-EAP-MSCHAPv2 protocol?**

   - Client/Supplicant (e.g., wpa_supplicant).
   - Authenticator (Access Point, e.g., hostapd).
   - Authentication Server (e.g., FreeRADIUS).
   - Packet capture and analysis tools (e.g., tcpdump, Wireshark).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-TTLS-EAP-MSCHAPv2 protocol work with the FreeRADIUS server on Linux?**

   - Yes. FreeRADIUS supports it through the ``ttls`` section of its ``eap`` module (``default_eap_type = mschapv2`` selects the inner method). The server must hold the user's cleartext password or NT hash (``Cleartext-Password`` or ``NT-Password``), because MSCHAPv2 cannot be verified against a salted password hash.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-TTLS-EAP-MSCHAPv2 protocol work with the internal RADIUS server of hostapd?**

   - Yes. hostapd's integrated EAP server supports EAP-TTLS with an inner EAP-MSCHAPv2 phase when built with ``CONFIG_EAP_TTLS`` and ``CONFIG_EAP_MSCHAPV2``; users and their phase-2 method are listed in the ``eap_user_file``. This is convenient for labs and small deployments; an external RADIUS server is preferred in production for user databases, policy and accounting.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the RFC version used for EAP-TTLS-EAP-MSCHAPv2 protocol?**

   - EAP framework: RFC 3748.
   - EAP-TTLS (version 0): RFC 5281.
   - MS-CHAP-V2: RFC 2759 (Informational). The EAP encapsulation of MSCHAPv2 used inside the tunnel is described only in the expired Internet-Draft draft-kamath-pppext-eap-mschapv2 and was never published as an RFC.
   - EAP over RADIUS: RFC 3579; MS-MPPE key attributes: RFC 2548.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **During the connection procedure, which EAPOL packets are encrypted?**

   - The outer EAP-Identity exchange and the TLS handshake messages (ClientHello, ServerHello and, with TLS 1.2, the server certificate) are sent in the clear; the outer identity should therefore be an anonymous identity such as ``anonymous@example.com`` rather than the real username.
   - Once the TLS handshake completes, every EAP-TTLS payload is a TLS application-data record, so the inner identity and the EAP-MSCHAPv2 challenge, response and success messages are encrypted.
   - EAP-Success/EAP-Failure are cleartext EAP frames; the EAPOL-Key frames of the 4-way handshake that follow are integrity-protected with keys derived from the PMK.
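The certificate panels above make the practical point that the server certificate only protects the password if the supplicant actually validates it. The following added example (not code from the original page or from wpa_supplicant) parses ``network={...}`` blocks in wpa_supplicant's configuration syntax and reports EAP-TTLS blocks that skip the CA check, skip the server-name check, send the real username as the outer identity, or do not select the inner EAP-MSCHAPv2 method. The option names are wpa_supplicant's own; the sample configuration, SSIDs, file paths and passwords are constructed for this example, with a weak block beside a hardened one.

```python
"""Lint wpa_supplicant network blocks for EAP-TTLS settings that undermine the
server-certificate check.

Added example, not code from the original page or from wpa_supplicant. Option
names (eap, phase2, ca_cert, ca_path, domain_suffix_match, subject_match,
anonymous_identity) are wpa_supplicant's; SSIDs, paths and passwords below are
constructed for this example.
"""
import re

SAMPLE_CONF = '''
ctrl_interface=/var/run/wpa_supplicant

# Weak: no CA, no server-name check, real username in the outer identity
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    password="constructed-placeholder"
    phase2="auth=MSCHAPV2"
}

# Hardened: CA pinned, server name checked, anonymous outer identity, inner EAP-MSCHAPv2
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    anonymous_identity="anonymous@example.com"
    password="constructed-placeholder"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="autheap=MSCHAPV2"
}
'''

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)=("?)(.*?)\2\s*$')   # key=value or key="value"
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf: str) -> list:
    """Return one dict of option -> value per network={...} block."""
    nets = []
    for block in BLOCK_RE.finditer(conf):
        net = {}
        for line in block.group(1).splitlines():
            if line.lstrip().startswith("#"):
                continue
            m = KV_RE.match(line)
            if m:
                net[m.group(1)] = m.group(3)
        nets.append(net)
    return nets


def lint_ttls(net: dict) -> list:
    """Findings for one block; an empty list means nothing to report."""
    findings = []
    if net.get("eap") != "TTLS":
        return findings
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: the server certificate is not validated, so a rogue "
                        "AP with its own RADIUS server can terminate the tunnel and capture the "
                        "MSCHAPv2 challenge/response for offline cracking")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no domain_suffix_match (or subject/altsubject match): any certificate "
                        "issued by the trusted CA is accepted as the RADIUS server")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent in the cleartext "
                        "outer EAP-Response/Identity")
    elif net["anonymous_identity"] == net.get("identity"):
        findings.append("anonymous_identity equals identity: the outer identity still leaks the username")
    phase2 = net.get("phase2", "")
    if "autheap=MSCHAPV2" not in phase2:
        findings.append(f"phase2={phase2!r}: inner method is not EAP-MSCHAPv2 "
                        "(auth=MSCHAPV2 is plain MSCHAPv2 AVPs, autheap=MSCHAPV2 the EAP form)")
    return findings


def lint_config(conf: str) -> dict:
    """Map each SSID to its list of findings."""
    return {net.get("ssid", "?"): lint_ttls(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in lint_config(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The parser is deliberately minimal (no nested braces, no ``blob://`` handling), which is enough for the flat ``network={...}`` blocks the setup steps on this page use; running it over a real ``wpa_supplicant.conf`` before a test run catches the missing ``ca_cert`` that turns the tunnel's protection into a credential-harvesting opportunity.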
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you explain the different stages of the connection procedure for EAP-TTLS-EAP-MSCHAPv2 protocol?**

   1. The TLS handshake, carried inside EAP-TTLS, establishes the tunnel between supplicant and authentication server; the supplicant validates the server certificate.
   2. The server sends an inner EAP-Identity request and then the EAP-MSCHAPv2 Challenge inside the tunnel.
   3. The client responds with the EAP-MSCHAPv2 Response (peer challenge and NT-Response).
   4. The server verifies it and sends the MSCHAPv2 Success with its authenticator response, which the client verifies in turn; an outer EAP-Success follows.
   5. Both sides derive the MSK from the TLS session; the PMK is taken from it and used to secure the data link.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of the connection procedure?**

   - Authentication success or failure (outer EAP-Success or EAP-Failure).
   - On success, a 64-byte MSK held by both the supplicant and the authentication server, from which the PMK is taken; the server delivers it to the authenticator in the RADIUS Access-Accept (MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes).
   - Secure network access once the 4-way handshake completes.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generated after the connection procedure?**

   - A 256-bit (32-byte) Pairwise Master Key (PMK). RFC 5281 derives 128 bytes of key material with the TLS PRF of the negotiated TLS version from the master secret, the label ``ttls keying material`` and the client and server randoms; the first 64 bytes are the MSK, the next 64 the EMSK, and the PMK is the first 32 bytes of the MSK.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is the PMK generated by the connection procedure used?**

   - In the 4-way handshake between supplicant and access point to derive the PTK (KCK, KEK and the temporal key) together with fresh nonces, so the PMK itself is never used directly on the air.
   - It identifies the PMK security association; caching it (PMKID) allows fast reconnection without repeating the EAP exchange.
   - Secures data transmission between client and access point through the temporal keys derived from it.

Topics in this section,

* :ref:`Learnings in this section <EAP_TTLS_EAP_MSCHAPv2_step1>`
* :ref:`Terminology <EAP_TTLS_EAP_MSCHAPv2_step2>`
* :ref:`Version Info <EAP_TTLS_EAP_MSCHAPv2_step3>`
* :ref:`EAP_TTLS_EAP_MSCHAPv2 Version&RFC Details <EAP_TTLS_EAP_MSCHAPv2_step5>`
* :ref:`EAP_TTLS_EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_MSCHAPv2_step18>`
* :ref:`STEP 1: Bring up FreeRADIUS <EAP_TTLS_EAP_MSCHAPv2_step23>`
* :ref:`STEP 2: Bring up AP <EAP_TTLS_EAP_MSCHAPv2_step21>`
* :ref:`STEP 3: Bring up STA <EAP_TTLS_EAP_MSCHAPv2_step22>`
* :ref:`EAP_TTLS_EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_TTLS_EAP_MSCHAPv2_step19>`
* :ref:`EAP_TTLS_EAP_MSCHAPv2 Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_EAP_MSCHAPv2_step20>`
* :ref:`EAP_TTLS_EAP_MSCHAPv2 Protocol Packet Details <EAP_TTLS_EAP_MSCHAPv2_step6>`
* :ref:`EAP_TTLS_EAP_MSCHAPv2 Usecases <EAP_TTLS_EAP_MSCHAPv2_step7>`
* :ref:`EAP_TTLS_EAP_MSCHAPv2 Basic Features <EAP_TTLS_EAP_MSCHAPv2_step8>`
* :ref:`Reference links <EAP_TTLS_EAP_MSCHAPv2_step17>`

.. _EAP_TTLS_EAP_MSCHAPv2_step1:

.. tab-set::
   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_TTLS_EAP_MSCHAPv2_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_TTLS_EAP_MSCHAPv2_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_TTLS_EAP_MSCHAPv2_step5:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_MSCHAPv2 Version&RFC Details

      * rfc details

.. _EAP_TTLS_EAP_MSCHAPv2_step18:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TTLS_EAP_MSCHAPv2_step23:

.. tab-set::

   .. tab-item:: STEP 1: Bring up FreeRADIUS

      .. csv-table::
         :file: ./EAP_TTLS_EAP_MSCHAPv2/eap_ttls_eap_mschapv2_freeradius_server.csv
         :class: tight-table

.. _EAP_TTLS_EAP_MSCHAPv2_step21:

.. tab-set::

   .. tab-item:: STEP 2: Bring up AP using hostapd

      .. csv-table::
         :file: ./EAP_TTLS_EAP_MSCHAPv2/eap_ttls_eap_mschapv2_ap_hostapd.csv
         :class: tight-table

.. _EAP_TTLS_EAP_MSCHAPv2_step22:

.. tab-set::

   .. tab-item:: STEP 3: Bring up STA

      .. csv-table::
         :file: ./EAP_TTLS_EAP_MSCHAPv2/eap_ttls_eap_mschapv2_sta_wpa_supplicant.csv
         :class: tight-table

.. tab-set::

   .. tab-item:: Wireshark Output

      * Download file to check wireshark output :download:`Packet capture in EAP_TTLS_EAP_MSCHAPv2`

.. _EAP_TTLS_EAP_MSCHAPv2_step19:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (3 Machines)

      * setup

.. _EAP_TTLS_EAP_MSCHAPv2_step20:

.. tab-set::

   .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

      * setup

.. _EAP_TTLS_EAP_MSCHAPv2_step6:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_MSCHAPv2 Protocol Packet Details

      * packet details

.. _EAP_TTLS_EAP_MSCHAPv2_step7:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_MSCHAPv2 Usecases

      * usecases

.. _EAP_TTLS_EAP_MSCHAPv2_step8:

.. tab-set::

   .. tab-item:: EAP_TTLS_EAP_MSCHAPv2 Basic Features

      * features

.. _EAP_TTLS_EAP_MSCHAPv2_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links