EAP-TTLS-MSCHAP
===============

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is Expansion of EAP-TTLS-MSCHAP?**

   Extensible Authentication Protocol - Tunneled Transport Layer Security - Microsoft Challenge Handshake Authentication Protocol.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-TTLS-MSCHAP?**

   EAP-TTLS-MSCHAP is an EAP method in which the supplicant first establishes a TLS tunnel to the authentication server (EAP-TTLS, phase 1) and then, inside that tunnel (phase 2), authenticates with a username and password using MSCHAP (Microsoft Challenge Handshake Authentication Protocol). MSCHAP is not an EAP method of its own; EAP-TTLS carries it as RADIUS-style attribute-value pairs (AVPs) inside the tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-TTLS-MSCHAP useful?**

   - Protects user credentials by tunneling the password authentication inside a TLS encrypted channel.
   - Lets legacy password-based protocols such as MSCHAP keep working without exposing them on the network.
   - Is safer than bare MSCHAP because the challenge/response pair is never visible to a passive sniffer. This protection only holds if the supplicant validates the server certificate: a rogue access point presenting an unvalidated certificate terminates the tunnel itself and receives the MSCHAP response, which can then be cracked offline (the DES-based NT-Response is weak by modern standards). MSCHAP v1, which additionally allows an LM-hash based response, is weaker than MSCHAPv2; use MSCHAPv2 as the inner method wherever all supplicants support it.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How it works?**

   1. The client and authentication server establish a TLS tunnel using EAP-TTLS (the server authenticates with its certificate; the client normally presents none).
   2. Inside the encrypted tunnel the client sends User-Name, MS-CHAP-Challenge and MS-CHAP-Response AVPs. The challenge is not chosen by the server: both sides derive it from the TLS keying material of the tunnel (RFC 5281 "ttls challenge"), and the client answers it with the hash-based MSCHAP response.
   3. The server regenerates the challenge from its side of the TLS session, verifies the response against the stored password (MSCHAP needs the cleartext password or its NT hash on the server; a salted password hash cannot be used) and grants or denies access.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-TTLS-MSCHAP used?**

   - Enterprise wireless (WPA2/WPA3-Enterprise) and wired 802.1X networks requiring secure password-based authentication.
   - Environments where an existing MSCHAP-capable password store must be protected with TLS.
   - VPNs and other remote access solutions requiring tunneled authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   - EAP is carried directly over the link layer: EAPOL (IEEE 802.1X, Layer 2) between supplicant and authenticator, and inside RADIUS over UDP between authenticator and authentication server. The TLS handshake and the MSCHAP exchange ride inside EAP messages, not over TCP/IP, so EAP-TTLS-MSCHAP is not an application-layer protocol in the TCP/IP sense.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-MSCHAP windows specific?**

   - No. MSCHAP was designed by Microsoft, but EAP-TTLS with an MSCHAP inner method is implemented by wpa_supplicant on Linux and by the native supplicants of other operating systems.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-MSCHAP Linux Specific?**

   - No. On Linux, wpa_supplicant supports it with ``eap=TTLS`` and ``phase2="auth=MSCHAP"`` (``auth=MSCHAPV2`` selects the stronger variant).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which Transport Protocol is used by EAP-TTLS-MSCHAP?**

   - EAPOL (IEEE 802.1X) for communication between supplicant and authenticator.
   - RADIUS over UDP between authenticator and authentication server; the EAP packets are relayed in RADIUS EAP-Message attributes.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which Port is used by EAP-TTLS-MSCHAP?**

   - UDP port 1812, the default RADIUS authentication port (1813 is accounting; some older deployments still use 1645/1646).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-TTLS-MSCHAP using Client server model?**

   - Yes, involving the client (supplicant), the authenticator (AP or switch) and the authentication server (RADIUS).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Whether EAP-TTLS-MSCHAP protocol uses certificates?**

   - Yes, a server certificate is used to establish the TLS tunnel.
   - Client certificates are not required; EAP-TTLS may optionally request one in phase 1, but with MSCHAP inside the tunnel the client is authenticated by username and password.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during connection for EAP-TTLS-MSCHAP protocol?**

   - Several round trips for TLS tunnel establishment (the server certificate chain is usually fragmented over multiple EAP packets) plus the MSCHAP AVP exchange inside the tunnel.
   - Typically around 20-30 EAPOL frames in a capture; the exact count depends on certificate chain size and EAP fragment size.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Whether EAP-TTLS-MSCHAP Protocol uses client certificates?**

   - Usually no; client authentication is done via MSCHAP username/password inside the tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Whether EAP-TTLS-MSCHAP Protocol uses Server Certificates?**

   - Yes, to authenticate the server during TLS tunnel setup.
   - The supplicant must actually validate it: configure the trusted CA (``ca_cert`` in wpa_supplicant) and pin the expected server name (``domain_match``, ``altsubject_match`` or ``subject_match``). A supplicant that accepts any certificate will hand its MSCHAP response to a rogue AP.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-TTLS-MSCHAP Protocol depend on TCP?**

   - Not directly; EAP is a Layer 2 protocol carried in EAPOL.
   - The TLS handshake is carried inside EAP messages, not over a TCP connection.
   - RADIUS communicates over UDP.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-TTLS-MSCHAP Protocol depend on UDP?**

   - Yes, RADIUS communication between authenticator and authentication server occurs over UDP (port 1812).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing EAP-TTLS-MSCHAP Protocol?**

   - Client/Supplicant with MSCHAP credentials.
   - Access Point or Network Access Server (Authenticator).
   - Authentication Server (e.g., FreeRADIUS) configured with MSCHAP support.
   - Certificate Authority (CA) that issues the server certificate and is trusted by the supplicant.
   - Tools like Wireshark for packet capture.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-TTLS-MSCHAP Protocol work with free radius server on Linux?**

   - Yes. FreeRADIUS terminates the EAP-TTLS tunnel and hands the inner request to its ``inner-tunnel`` virtual server, where the ``mschap`` module verifies the response. The user entry must carry a ``Cleartext-Password`` (or an ``NT-Password`` hash); MSCHAP cannot be verified against salted password hashes.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-TTLS-MSCHAP Protocol work with Internal radius server of hostapd?**

   - Yes. hostapd's integrated EAP server (``eap_server=1`` with an ``eap_user_file``) supports EAP-TTLS with MSCHAP as the phase-2 method: the phase-1 entry selects TTLS and the user's entry names TTLS-MSCHAP as its method and is marked as a phase-2 entry with ``[2]``. An external RADIUS server is still the usual choice when more than one AP or a central user database is involved.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the RFC version use for EAP-TTLS-MSCHAP Protocol?**

   - EAP-TTLSv0 is defined in RFC 5281 (EAP itself in RFC 3748, EAP over RADIUS in RFC 3579).
   - MS-CHAP is a Microsoft-designed protocol; version 1 is documented in RFC 2433 and MS-CHAPv2 in RFC 2759. The RADIUS/AVP encoding of the MS-CHAP attributes is in RFC 2548.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **During Connection Procedure which EAPOL Packets are encrypted?**

   - All MSCHAP authentication packets (the phase-2 AVPs) inside the TLS tunnel are encrypted.
   - The outer EAP-TTLS packets carrying the TLS handshake are unencrypted until the tunnel is established, so the outer EAP-Response/Identity and the server certificate are visible in a capture. Use an anonymous outer identity (``anonymous_identity`` in wpa_supplicant) so the real username only appears inside the tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you Explain different stages of Connection Procedure for EAP-TTLS-MSCHAP Protocol?**

   1. TLS tunnel establishment via EAP-TTLS with server certificate verification.
   2. Inside the tunnel, MSCHAP challenge-response authentication takes place.
   3. Upon successful MSCHAP authentication the server exports the 64-byte EAP MSK from the TLS session and sends it to the authenticator in the RADIUS Access-Accept (MS-MPPE-Recv-Key/MS-MPPE-Send-Key); the supplicant derives the same MSK locally. The PMK is the first 256 bits of the MSK.
   4. The client and AP perform the 4-way handshake with the PMK.
   5. Secure wireless communication is established.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of Connection Procedure?**

   - Successful authentication and derivation of the Pairwise Master Key (PMK) on both supplicant and authenticator.
   - Secure wireless session establishment.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generate after the connection procedure?**

   - A 256-bit Pairwise Master Key (PMK), taken as the first 32 bytes of the 64-byte MSK exported by the EAP-TTLS tunnel.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where the use of PMK generated by the Connection Procedure?**

   - The PMK is used in the 4-way handshake to generate the Pairwise Transient Key (PTK), whose parts (KCK, KEK, TK) authenticate the handshake, protect the group key delivery and encrypt the wireless data between client and access point.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section,

   * :ref:`Learnings in this section <EAP_TTLS_MSCHAP_step1>`
   * :ref:`Terminology <EAP_TTLS_MSCHAP_step2>`
   * :ref:`Version Info <EAP_TTLS_MSCHAP_step3>`
   * :ref:`EAP_TTLS_MSCHAP Version&RFC Details <EAP_TTLS_MSCHAP_step5>`
   * :ref:`EAP_TTLS_MSCHAP FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_MSCHAP_step18>`
   * :ref:`STEP 1: Bring up FreeRADIUS <EAP_TTLS_MSCHAP_step23>`
   * :ref:`STEP 2: Bring up AP <EAP_TTLS_MSCHAP_step21>`
   * :ref:`STEP 3: Bring up STA <EAP_TTLS_MSCHAP_step22>`
   * :ref:`EAP_TTLS_MSCHAP FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_TTLS_MSCHAP_step19>`
   * :ref:`EAP_TTLS_MSCHAP Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_MSCHAP_step20>`
   * :ref:`EAP_TTLS_MSCHAP Protocol Packet Details <EAP_TTLS_MSCHAP_step6>`
   * :ref:`EAP_TTLS_MSCHAP Usecases <EAP_TTLS_MSCHAP_step7>`
   * :ref:`EAP_TTLS_MSCHAP Basic Features <EAP_TTLS_MSCHAP_step8>`
   * :ref:`Reference links <EAP_TTLS_MSCHAP_step17>`

.. _EAP_TTLS_MSCHAP_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_TTLS_MSCHAP_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_TTLS_MSCHAP_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_TTLS_MSCHAP_step5:

.. tab-set::

   .. tab-item:: EAP_TTLS_MSCHAP Version&RFC Details

      * rfc details

.. _EAP_TTLS_MSCHAP_step18:

.. tab-set::

   .. tab-item:: EAP_TTLS_MSCHAP FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TTLS_MSCHAP_step23:

.. tab-set::

   .. tab-item:: STEP 1: Bring up FreeRADIUS

      .. csv-table::
         :file: ./EAP_TTLS_MSCHAP/eap_ttls_mschap_freeradius_server.csv
         :class: tight-table

.. _EAP_TTLS_MSCHAP_step21:

.. tab-set::

   .. tab-item:: STEP 2: Bring up AP using hostapd

      .. csv-table::
         :file: ./EAP_TTLS_MSCHAP/eap_ttls_mschap_ap_hostapd.csv
         :class: tight-table

.. _EAP_TTLS_MSCHAP_step22:

.. tab-set::

   .. tab-item:: STEP 3: Bring up STA

      .. csv-table::
         :file: ./EAP_TTLS_MSCHAP/eap_ttls_mschap_sta_wpa_supplicant.csv
         :class: tight-table

.. tab-set::

   .. tab-item:: Wireshark Output

      * Download file to check wireshark output :download:`Packet capture in EAP_TTLS_MSCHAP `

.. _EAP_TTLS_MSCHAP_step19:

.. tab-set::

   .. tab-item:: EAP_TTLS_MSCHAP FreeRadius Basic Setup on Ubuntu (3 Machines)

      * setup

.. _EAP_TTLS_MSCHAP_step20:

.. tab-set::

   .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

      * setup

.. _EAP_TTLS_MSCHAP_step6:

.. tab-set::

   .. tab-item:: EAP_TTLS_MSCHAP Protocol Packet Details

      * packet details

.. _EAP_TTLS_MSCHAP_step7:

.. tab-set::

   .. tab-item:: EAP_TTLS_MSCHAP Usecases

      * usecases

.. _EAP_TTLS_MSCHAP_step8:

.. tab-set::

   .. tab-item:: EAP_TTLS_MSCHAP Basic Features

      * features

.. _EAP_TTLS_MSCHAP_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links
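The phase-2 payload that the "How it works" and "Protocol Packet Details" sections describe, shown as bytes: the client's first message inside the TLS tunnel is a sequence of EAP-TTLS AVPs (RFC 5281 section 10 format, the same layout as Diameter AVPs) carrying User-Name, MS-CHAP-Challenge and MS-CHAP-Response (vendor Microsoft, enterprise number 311, attribute layout from RFC 2548). This is an added example written for this page, not code from the page, from FreeRADIUS, hostapd or wpa_supplicant. The challenge and response bytes it uses are constructed placeholders, not values computed from a real password, and the vendor/attribute constants and AVP lengths are the only protocol facts it relies on; everything this code produces is exactly the cleartext that the tunnel exists to hide.

```python
"""Encode and parse the EAP-TTLS phase-2 AVPs used by an MSCHAP inner method.

Added example (not page/project code).  AVP format per RFC 5281 section 10:
  code(4) | flags(1) | length(3) | [vendor-id(4) if V flag] | data | zero pad to 4
'length' excludes the padding.  MS-CHAP attribute layout per RFC 2548.
"""
import struct

AVP_USER_NAME = 1          # RADIUS User-Name attribute number
VENDOR_MICROSOFT = 311     # IANA enterprise number used by RFC 2548
MS_CHAP_RESPONSE = 1       # Vendor-Type 1: Ident(1) Flags(1) LM-Response(24) NT-Response(24)
MS_CHAP_CHALLENGE = 11     # Vendor-Type 11: 8 octets for MS-CHAP v1

FLAG_VENDOR = 0x80
FLAG_MANDATORY = 0x40


def encode_avp(code, data, vendor_id=None, mandatory=True):
    """Serialise one AVP, zero-padded to a 4-octet boundary."""
    flags = FLAG_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)          # header + vendor + data, no padding
    header = struct.pack("!II", code, (flags << 24) | length)
    return header + vendor + data + b"\x00" * ((4 - length % 4) % 4)


def decode_avps(buf):
    """Parse consecutive AVPs; returns [(code, vendor_id_or_None, mandatory, data)]."""
    avps, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags_len = struct.unpack_from("!II", buf, offset)
        flags, length = flags_len >> 24, flags_len & 0x00FFFFFF
        if length < 8 or offset + length > len(buf):
            raise ValueError("bad AVP length")
        pos, vendor_id = offset + 8, None
        if flags & FLAG_VENDOR:
            (vendor_id,) = struct.unpack_from("!I", buf, pos)
            pos += 4
        avps.append((code, vendor_id, bool(flags & FLAG_MANDATORY), buf[pos:offset + length]))
        offset += length + (4 - length % 4) % 4   # skip the padding too
    return avps


def build_mschap_phase2(username, ident, challenge8, nt_response24, lm_response24=b"\x00" * 24):
    """Client's first tunnelled message: User-Name + MS-CHAP-Challenge + MS-CHAP-Response.

    In real EAP-TTLS both peers derive the 8-octet challenge from the TLS
    keying material (RFC 5281 'ttls challenge'); it is echoed here as an AVP so
    the server can check it matches its own derivation.  Flags=1 tells the
    server to verify the NT-Response rather than the LM-Response."""
    if len(challenge8) != 8 or len(nt_response24) != 24 or len(lm_response24) != 24:
        raise ValueError("challenge must be 8 octets, responses 24 octets each")
    response_value = bytes([ident, 1]) + lm_response24 + nt_response24   # 50 octets
    return (encode_avp(AVP_USER_NAME, username.encode("utf-8"))
            + encode_avp(MS_CHAP_CHALLENGE, challenge8, VENDOR_MICROSOFT)
            + encode_avp(MS_CHAP_RESPONSE, response_value, VENDOR_MICROSOFT))


def parse_mschap_phase2(buf):
    """Server-side view after TLS decryption: extract the fields the mschap module needs."""
    out = {}
    for code, vendor, mandatory, data in decode_avps(buf):
        if vendor is None and code == AVP_USER_NAME:
            out["username"] = data.decode("utf-8")
        elif vendor == VENDOR_MICROSOFT and code == MS_CHAP_CHALLENGE:
            out["challenge"] = data
        elif vendor == VENDOR_MICROSOFT and code == MS_CHAP_RESPONSE:
            if len(data) != 50:
                raise ValueError("MS-CHAP-Response must be 50 octets")
            out["ident"], out["flags"] = data[0], data[1]
            out["lm_response"], out["nt_response"] = data[2:26], data[26:50]
        elif mandatory:
            raise ValueError("unknown mandatory AVP vendor=%r code=%r" % (vendor, code))
    return out


if __name__ == "__main__":
    # Constructed sample values (not derived from a real TLS session or password).
    payload = build_mschap_phase2("alice", 7, bytes(range(8)), b"\x11" * 24)
    print(payload.hex())
    print(parse_mschap_phase2(payload))
```

Each AVP is padded to 4 octets but its length field does not count the padding, which is the detail that most often breaks hand-written parsers; `decode_avps` rejects truncated or oversized AVPs instead of reading past the buffer, and an unknown AVP with the M (mandatory) bit set is an error, as RFC 5281 requires.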
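The key material stages described under "Connection Procedure", "format of the key" and "Where the use of PMK", carried through in code: the 64-byte MSK exported by the EAP-TTLS tunnel is truncated to the 256-bit PMK, the 4-way handshake expands the PMK into the PTK with the IEEE 802.11 PRF (HMAC-SHA1 based), and the KCK part of the PTK authenticates the EAPOL-Key frames. This is an added example written for this page, not code from hostapd or wpa_supplicant; the MSK, MAC addresses, nonces and EAPOL-Key frame bytes are constructed placeholders.

```python
"""From EAP MSK to 802.11 session keys after a successful EAP-TTLS-MSCHAP run.

Added example (not page/project code).  Constructed inputs only.
"""
import hashlib
import hmac


def pmk_from_msk(msk):
    """IEEE 802.11: the PMK is the first 256 bits of the EAP MSK (64 octets for EAP-TTLS)."""
    if len(msk) != 64:
        raise ValueError("EAP MSK must be 64 octets")
    return msk[:32]


def prf_80211(key, label, data, nbytes):
    """PRF-n from IEEE 802.11: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN)).

    Both peers compute this independently from the nonces exchanged in the
    4-way handshake; 384 bits covers CCMP: KCK(16) || KEK(16) || TK(16)."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("bad input length")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck, frame_with_zeroed_mic):
    """EAPOL-Key MIC for key descriptor version 2 (HMAC-SHA1-128, used with CCMP).

    The MIC field inside the frame must be zero when the MIC is computed; a
    peer that can produce it proves it holds the PMK from the EAP exchange."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


if __name__ == "__main__":
    # Constructed values: MSK, AP/STA MACs and nonces are placeholders.
    pmk = pmk_from_msk(bytes(range(64)))
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = b"\x01" * 32, b"\x02" * 32
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    print({k: v.hex() for k, v in ptk.items()})
    print(eapol_key_mic(ptk["kck"], b"\x02\x03\x00\x5f" + b"\x00" * 95).hex())
```

The min/max ordering is what lets both peers reach the same PTK without agreeing who is "first", and the PRF counter byte starts at 0; both are easy to get wrong when re-implementing the handshake for a test harness or a capture-decryption tool.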