EAP-TTLS-MSCHAPv2
====================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-TTLS-MSCHAPv2?**

    Extensible Authentication Protocol - Tunneled Transport Layer Security - Microsoft Challenge Handshake Authentication Protocol version 2.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-TTLS-MSCHAPv2?**

    EAP-TTLS-MSCHAPv2 is an EAP method with two phases. In phase 1 the supplicant and the authentication server establish a TLS tunnel (EAP-TTLS), during which the server proves its identity with a certificate. In phase 2, inside that tunnel, the client authenticates with a username and password using MSCHAPv2. The password itself is never transmitted: MSCHAPv2 sends a challenge/response derived from the NT hash of the password, and that exchange is in turn protected by the tunnel.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-TTLS-MSCHAPv2 useful?**

    - It lets an existing password database (Active Directory, LDAP, SQL, or a flat file holding cleartext passwords or NT hashes) be used for network access without issuing users a new credential type.
    - The TLS tunnel hides the inner username, the MSCHAPv2 challenge/response and the result from anyone listening on the air or on the RADIUS path.
    - It provides mutual authentication: the server is authenticated by its certificate, the user by the MSCHAPv2 response, and MSCHAPv2 itself returns an authenticator response that the client checks.
    - It is widely supported by supplicants and RADIUS servers and is easier to roll out than EAP-TLS where client certificates are not feasible.

    The protection against eavesdropping and man-in-the-middle attacks holds only if the supplicant validates the server certificate (a trusted CA plus a check on the server name). A supplicant that accepts any certificate will build its tunnel to a rogue access point, which then sees the MSCHAPv2 challenge/response in the clear; because the NT-Response is three DES operations keyed from slices of the 16-byte NT hash, that pair can be brute-forced offline with about 2^56 work, so the tunnel adds nothing in that case.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    1. The authenticator (AP or switch) sends EAP-Request/Identity over EAPOL. The supplicant answers with its outer identity, normally an anonymous one such as ``anonymous@realm`` so that the real username is only sent inside the tunnel. The authenticator relays every EAP packet to the authentication server inside RADIUS.
    2. The server starts EAP-TTLS and a TLS handshake runs inside EAP-TTLS messages. The server presents its certificate; the supplicant must validate it against its configured CA and the expected server name.
    3. Inside the tunnel, the client sends its real username, the MSCHAPv2 challenge and its response as EAP-TTLS AVPs (User-Name, MS-CHAP-Challenge, MS-CHAP2-Response). The response is computed from the NT hash of the password, not from the password itself.
    4. The server verifies the response against the stored password or NT hash and answers with MS-CHAP2-Success carrying its own authenticator response, which the client checks; the server then sends EAP-Success via the authenticator.
    5. Both sides derive the 64-byte Master Session Key (MSK) from the TLS master secret. The server delivers it to the authenticator in the RADIUS Access-Accept (MS-MPPE-Recv-Key and MS-MPPE-Send-Key); its first 32 bytes are the PMK used to secure the wireless session.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-TTLS-MSCHAPv2 used?**

    - Enterprise Wi-Fi networks (WPA2/WPA3-Enterprise) for password-based authentication against an existing user directory.
    - Remote access VPNs that require secure user authentication without client certificates.
    - Networks transitioning from older protocols to more secure EAP methods.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    It does not sit in a single layer. EAP runs directly over the data link layer: between supplicant and authenticator it is carried in EAPOL frames (IEEE 802.1X, Layer 2), and between authenticator and server in RADIUS over UDP. The TLS handshake and the MSCHAPv2 exchange are payloads inside EAP and are conventionally described as application-layer (Layer 7) authentication, which is why the method as a whole is usually listed at Layer 7.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-MSCHAPv2 Windows specific?**

    No. MSCHAPv2 was developed by Microsoft and Windows has had a native EAP-TTLS supplicant since Windows 8, but the method is also supported on Linux (wpa_supplicant), macOS, iOS and Android.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-TTLS-MSCHAPv2 Linux specific?**

    No. On Linux it is supported by the wpa_supplicant supplicant, by hostapd's integrated EAP server and by RADIUS servers such as FreeRADIUS, but it is not tied to Linux.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-TTLS-MSCHAPv2?**

    - EAP over LAN (EAPOL, EtherType 0x888E, IEEE 802.1X) between the client (supplicant) and the authenticator (e.g. the AP). No IP address is needed at this stage.
    - RADIUS over UDP between the authenticator and the authentication server, with each EAP packet carried in EAP-Message attributes and every packet protected by a Message-Authenticator attribute (RFC 3579).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-TTLS-MSCHAPv2?**

    UDP port 1812 for RADIUS authentication (1813 for accounting; some older deployments still use 1645/1646). EAPOL has no port: it is identified by its Layer 2 EtherType.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-TTLS-MSCHAPv2 use the client-server model?**

    Yes. Three parties take part: the client (supplicant), the authenticator (AP or switch), which only relays EAP, and the authentication server, which terminates the TLS tunnel and checks the MSCHAPv2 response.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-MSCHAPv2 protocol use certificates?**

    - A server certificate is required to establish the TLS tunnel, and the supplicant must be configured to validate it.
    - Client certificates are generally not used; the client is authenticated inside the tunnel via MSCHAPv2.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for the EAP-TTLS-MSCHAPv2 protocol?**

    Typically 20 to 30 EAPOL frames for a full authentication: Identity request/response, the TLS handshake (the server's certificate chain is usually fragmented over several EAP-TTLS frames), the tunnelled MSCHAPv2 challenge/response, EAP-Success and the 4-way handshake. The exact count depends on the size of the certificate chain and on the fragment size; TLS session resumption reduces it to a handful.
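The RADIUS leg described in the transport and port answers above, worked through as an added example that is not part of this page or of any RADIUS implementation: the authenticator copies the supplicant's EAP packet into EAP-Message attributes of an Access-Request on UDP/1812 and seals the packet with the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present. The shared secret, RADIUS identifier and Request Authenticator are constructed test values; a real authenticator draws the authenticator from a CSPRNG.

```python
"""Added example: EAP-Response/Identity carried in a RADIUS Access-Request.

Shows how the authenticator relays an EAPOL frame to the authentication
server: the EAP packet is copied verbatim into EAP-Message attributes
(type 79) and the packet is sealed with a Message-Authenticator (type 80),
the HMAC-MD5 that RFC 3579 makes mandatory for EAP over RADIUS.  The shared
secret, identifier and Request Authenticator used here are constructed
test values.
"""
import hashlib
import hmac
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(identifier: int, identity: bytes) -> bytes:
    """EAP-Response/Identity (RFC 3748 s.5.1): Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, identifier: int, authenticator: bytes,
                         outer_identity: bytes, eap_packet: bytes) -> bytes:
    """Wrap one EAP packet in a RADIUS Access-Request with a valid Message-Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = _attr(ATTR_USER_NAME, outer_identity)
    attrs += _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    # EAP packets longer than 253 bytes (TLS handshake fragments, for instance) are
    # split across consecutive EAP-Message attributes; the server concatenates them.
    for off in range(0, len(eap_packet), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[off:off + 253])
    # Message-Authenticator is HMAC-MD5(secret) over the whole packet with its own
    # 16-byte value set to zero; the real value replaces the zeros afterwards.
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from a RADIUS packet, checking every length field."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute the HMAC with the Message-Authenticator zeroed; reject packets without one."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # EAP over RADIUS without Message-Authenticator must be rejected (RFC 3579)


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP packet from all EAP-Message attributes, in order."""
    return b"".join(value for attr_type, value in parse_attributes(packet) if attr_type == ATTR_EAP_MESSAGE)
```

The server side does the mirror image: it verifies the Message-Authenticator before looking at anything else (a missing or wrong one means the packet did not come from a NAS holding the shared secret), reassembles the EAP packet, and hands it to the EAP-TTLS state machine. The Request Authenticator is also what the server's Access-Accept is hashed against and what hides the MS-MPPE keys carrying the PMK, so it must be unpredictable.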
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-MSCHAPv2 protocol use client certificates?**

    Not in the usual deployment. EAP-TTLS allows the client to present a certificate during the TLS handshake, but when MSCHAPv2 is used inside the tunnel the client is authenticated by username and password and no client certificate is configured.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-MSCHAPv2 protocol use server certificates?**

    Yes. The server certificate is what the supplicant uses to authenticate the server before any credential is sent, so the supplicant must be configured with the issuing CA and the expected server name; merely having a certificate on the server is not enough.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-MSCHAPv2 protocol depend on TCP?**

    Not directly. EAPOL is Layer 2; the TLS records are fragmented into EAP-TTLS messages rather than sent over TCP; RADIUS runs over UDP. (RADIUS over TLS, RadSec, RFC 6614, does use TCP, but that is a choice of RADIUS transport, not a property of the EAP method.)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-MSCHAPv2 protocol depend on UDP?**

    Yes, for the RADIUS leg between the authenticator and the authentication server, unless RadSec is used there.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing the EAP-TTLS-MSCHAPv2 protocol?**

    - Client/supplicant (e.g. wpa_supplicant) configured with the MSCHAPv2 credentials, the CA certificate and the expected server name.
    - Access Point or Network Access Server (e.g. hostapd) acting as the authenticator.
    - Authentication server (e.g. FreeRADIUS) with EAP-TTLS and MSCHAPv2 support.
    - Certificate Authority for issuing the server certificate; its CA certificate must be installed on the supplicant.
    - Network analysis tools such as Wireshark on the air interface and on the RADIUS path.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-MSCHAPv2 protocol work with the FreeRADIUS server on Linux?**

    Yes. In FreeRADIUS 3 the ``ttls`` subsection of the ``eap`` module hands the inner tunnel to the ``inner-tunnel`` virtual server, where the ``mschap`` module verifies the MSCHAPv2 response against the user's cleartext password or NT hash (from the ``users`` file, LDAP, SQL, or Active Directory via ``ntlm_auth``).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-TTLS-MSCHAPv2 protocol work with the internal RADIUS server of hostapd?**

    Yes, with limits. hostapd's integrated EAP server supports EAP-TTLS with an MSCHAPv2 phase 2 (``eap_server=1``, a server certificate and key, and users listed in ``eap_user_file`` with the ``TTLS-MSCHAPV2`` phase-2 method). It authenticates only against that flat file, so where an LDAP, SQL or Active Directory back-end, accounting or detailed logging is needed an external RADIUS server such as FreeRADIUS is preferred.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFCs define the EAP-TTLS-MSCHAPv2 protocol?**

    - EAP-TTLS (EAP-TTLSv0): RFC 5281.
    - MSCHAPv2: RFC 2759.
    - EAP itself: RFC 3748; carrying EAP in RADIUS: RFC 3579.
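The supplicant-side check implied by the answers above on server certificates and on the roles needed for testing, written as an added example rather than taken from this page or from wpa_supplicant: a small audit of ``network={...}`` blocks in a wpa_supplicant.conf that flags EAP-TTLS profiles which would build their tunnel to any server. The option names (``ca_cert``, ``domain_match``, ``phase2``, ``anonymous_identity``) are real wpa_supplicant options; the SSID, realm, paths and credentials in the sample configuration are constructed.

```python
"""Added example: audit wpa_supplicant network blocks for EAP-TTLS/MSCHAPv2.

The TLS tunnel only protects the MSCHAPv2 exchange if the supplicant pins
the server certificate (ca_cert plus a name match).  A block that omits
them will happily build its tunnel to a rogue AP and hand over the
challenge/response.  The configuration text below is constructed for this
example; the option names are real wpa_supplicant.conf options.
"""
import re

SAMPLE_CONFIG = r'''
# Weak: no CA, no name check; anyone can terminate the tunnel
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened: CA pinned, server name pinned, real identity hidden outside the tunnel
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
'''

# Any of these pins the expected server name.  subject_match is only a
# substring check on the subject DN and is deliberately not accepted.
NAME_PINS = ("domain_match", "domain_suffix_match", "altsubject_match")
# MSCHAPv2 directly as a TTLS inner method, or EAP-MSCHAPv2 inside TTLS.
MSCHAPV2_PHASE2 = ("AUTH=MSCHAPV2", "AUTHEAP=MSCHAPV2")


def parse_networks(text: str) -> list:
    """Return one {option: value} dict per network={...} block, with quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        blocks.append(fields)
    return blocks


def audit_network(net: dict) -> list:
    """Findings for one network block; an empty list means it passes."""
    if net.get("eap", "").upper() != "TTLS":
        return []  # only EAP-TTLS profiles are in scope here
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(pin in net for pin in NAME_PINS):
        findings.append("no domain_match/domain_suffix_match/altsubject_match: "
                        "any certificate issued by the trusted CA is accepted")
    if net.get("phase2", "").upper() not in MSCHAPV2_PHASE2:
        findings.append("phase2 does not select MSCHAPv2")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: the real username is sent outside the tunnel")
    return findings


def audit_config(text: str) -> list:
    """[(ssid, findings), ...] for every EAP-TTLS network in a wpa_supplicant.conf."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG):
        print(ssid, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The same two conditions (trusted CA and pinned server name) are the ones to verify on Windows, macOS and mobile supplicants too; the option names differ, the failure mode does not.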
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During the connection procedure, which EAPOL packets are encrypted?**

    - Sent in the clear: EAP-Request/Response Identity (which is why an anonymous outer identity is used), EAP-TTLS Start and the TLS handshake records. With TLS 1.2 the server certificate is therefore visible on the air; TLS 1.3 encrypts it after the ServerHello.
    - Encrypted by the tunnel: everything in phase 2, i.e. the real User-Name, MS-CHAP-Challenge, MS-CHAP2-Response and the MS-CHAP2-Success/Failure AVPs.
    - After the tunnel: EAP-Success is an unprotected cleartext frame, and the 4-way handshake EAPOL-Key frames are integrity protected by their MIC rather than encrypted (only the key data in message 3, which carries the GTK, is encrypted).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Can you explain the different stages of the connection procedure for the EAP-TTLS-MSCHAPv2 protocol?**

    1. The authenticator requests the client's identity and relays the EAP exchange to the RADIUS server.
    2. The client and server run a TLS handshake inside EAP-TTLS; the client authenticates the server by validating its certificate against the configured CA and expected server name.
    3. The TLS tunnel is established.
    4. Inside the tunnel the client performs the MSCHAPv2 challenge/response and checks the server's authenticator response.
    5. On success the server sends EAP-Success. Client and server both derive the MSK from the TLS master secret; the server passes it to the AP in the RADIUS Access-Accept and its first 32 bytes become the PMK.
    6. The 4-way handshake is executed between the client and the AP using the PMK.
    7. The secure wireless session is established.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    - Successful authentication (EAP-Success).
    - A 64-byte Master Session Key (MSK) shared by the client and the server; its first 256 bits are the Pairwise Master Key (PMK), which the server hands to the AP for securing the wireless link.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    A 256-bit Pairwise Master Key (PMK), taken as the first 32 bytes of the 64-byte MSK that EAP-TTLS derives from the TLS master secret.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    The PMK is used in the 4-way handshake, together with the two nonces and the two MAC addresses, to derive the Pairwise Transient Key (PTK) that encrypts and authenticates the wireless data between the client and the access point. It is also cached (identified by a PMKID) so that a later reconnection can skip the EAP exchange.
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <EAP_TTLS_MSCHAPv2_step1>`
    * :ref:`Terminology <EAP_TTLS_MSCHAPv2_step2>`
    * :ref:`Version Info <EAP_TTLS_MSCHAPv2_step3>`
    * :ref:`EAP_TTLS_MSCHAPv2 Version&RFC Details <EAP_TTLS_MSCHAPv2_step5>`
    * :ref:`EAP_TTLS_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_MSCHAPv2_step18>`
    * :ref:`STEP 1: Bring up FreeRADIUS <EAP_TTLS_MSCHAPv2_step23>`
    * :ref:`STEP 2: Bring up AP <EAP_TTLS_MSCHAPv2_step21>`
    * :ref:`STEP 3: Bring up STA <EAP_TTLS_MSCHAPv2_step22>`
    * :ref:`EAP_TTLS_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_TTLS_MSCHAPv2_step19>`
    * :ref:`EAP_TTLS_MSCHAPv2 Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_TTLS_MSCHAPv2_step20>`
    * :ref:`EAP_TTLS_MSCHAPv2 Protocol Packet Details <EAP_TTLS_MSCHAPv2_step6>`
    * :ref:`EAP_TTLS_MSCHAPv2 Usecases <EAP_TTLS_MSCHAPv2_step7>`
    * :ref:`EAP_TTLS_MSCHAPv2 Basic Features <EAP_TTLS_MSCHAPv2_step8>`
    * :ref:`Reference links <EAP_TTLS_MSCHAPv2_step17>`

.. _EAP_TTLS_MSCHAPv2_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_TTLS_MSCHAPv2_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_TTLS_MSCHAPv2_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_TTLS_MSCHAPv2_step5:

.. tab-set::

    .. tab-item:: EAP_TTLS_MSCHAPv2 Version&RFC Details

        * rfc details

.. _EAP_TTLS_MSCHAPv2_step18:

.. tab-set::

    .. tab-item:: EAP_TTLS_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (2 Machines)

.. _EAP_TTLS_MSCHAPv2_step23:

.. tab-set::

    .. tab-item:: STEP 1: Bring up FreeRADIUS

        .. csv-table::
            :file: ./EAP_TTLS_MSCHAPv2/eap_ttls_mschapv2_freeradius_server.csv
            :class: tight-table

.. _EAP_TTLS_MSCHAPv2_step21:

.. tab-set::

    .. tab-item:: STEP 2: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_TTLS_MSCHAPv2/eap_ttls_mschapv2_ap_hostapd.csv
            :class: tight-table

.. _EAP_TTLS_MSCHAPv2_step22:

.. tab-set::

    .. tab-item:: STEP 3: Bring up STA

        .. csv-table::
            :file: ./EAP_TTLS_MSCHAPv2/eap_ttls_mschapv2_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download file to check wireshark output :download:`Packet capture in EAP_TTLS_MSCHAPv2`

.. _EAP_TTLS_MSCHAPv2_step19:

.. tab-set::
    .. tab-item:: EAP_TTLS_MSCHAPv2 FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_TTLS_MSCHAPv2_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_TTLS_MSCHAPv2_step6:

.. tab-set::

    .. tab-item:: EAP_TTLS_MSCHAPv2 Protocol Packet Details

        * packet details

.. _EAP_TTLS_MSCHAPv2_step7:

.. tab-set::

    .. tab-item:: EAP_TTLS_MSCHAPv2 Usecases

        * usecases

.. _EAP_TTLS_MSCHAPv2_step8:

.. tab-set::

    .. tab-item:: EAP_TTLS_MSCHAPv2 Basic Features

        * features

.. _EAP_TTLS_MSCHAPv2_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links