
PEAP + EAP-MD5

demele
Level 1

I've read that with ACS 3.1 the only EAP-Type supported with PEAP is GTC.

Why is it not possible to use EAP-MD5 or EAP-TLS with PEAP? These EAP-Types were already supported in ACS 3.0...

Thanks for your time.

4 Replies

m.singer
Level 4

As per my knowledge, PEAP also uses the TLS protocol to authenticate.

PEAP works in the following way: PEAP operates in two steps. The first step is the server authentication and the second one is user authentication using a new EAP type.

PEAP uses TLS to authenticate the network infrastructure through the TLS Handshake protocol, to protect user credentials in transit by means of the TLS Record Protocol, and to generate cryptographic keying material using the TLS-defined pseudo-random function (PRF) functionality.

For information on this you can follow the URLs,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217f.html#4907

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102179.html

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/acsq_qp.htm

OK for the first step. But I can't understand why it isn't possible to use EAP-MD5 in the second step.

If EAP-MD5 was already supported by ACS 3.0, why doesn't it appear as an EAP-Type for PEAP?

Are there any limitations on the EAP-Type I use in the second step?

Thanks.

Basically, EAP-MD5 and PEAP are totally different in the backend. PEAP uses a server-side certificate to authenticate the server, after which it uses the user's login name and password to authenticate the client.

EAP-MD5 only authenticates the client, without the server authentication part.
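The EAP-MD5 exchange the reply above refers to, as an added example that is not part of the thread or of any Cisco code: it builds and parses the MD5-Challenge packets (EAP type 4, RFC 3748) and shows that only the server verifies anything, that it needs the cleartext password to do so, and that the exchange yields no keying material. The user name, password and the `acs` server name are constructed sample values.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5 = 4  # MD5-Challenge (RFC 3748)

def build_md5_packet(code, identifier, value, name=b""):
    """EAP header (Code, Identifier, Length) + Type + Value-Size + Value + Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_md5_packet(pkt):
    """Return (code, identifier, value, name); reject malformed packets."""
    if len(pkt) < 6:
        raise ValueError("too short for EAP MD5-Challenge")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 6 or length > len(pkt):
        raise ValueError("bad EAP Length field")
    if pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not EAP type 4")
    vsize = pkt[5]
    if 6 + vsize > length:
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, pkt[6:6 + vsize], pkt[6 + vsize:length]

def md5_response(identifier, password, challenge):
    """CHAP-style hash from RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

def server_challenge(identifier):
    """Server side: random 16-byte challenge; 'acs' is a constructed server name."""
    challenge = os.urandom(16)
    return challenge, build_md5_packet(EAP_REQUEST, identifier, challenge, b"acs")

def peer_respond(request, user, password):
    """Peer side: answers any well-formed challenge; it has no way to check the server."""
    code, identifier, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected EAP-Request")
    return build_md5_packet(EAP_RESPONSE, identifier,
                            md5_response(identifier, password, challenge), user)

def server_verify(response, identifier, challenge, password_db):
    """Server recomputes the hash, so password_db must hold cleartext passwords."""
    code, rid, value, name = parse_md5_packet(response)
    if code != EAP_RESPONSE or rid != identifier or name not in password_db:
        return False
    expected = md5_response(identifier, password_db[name], challenge)
    return hmac.compare_digest(value, expected)  # result is accept/reject only, no key
```
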

Sorry, probably I wasn't clear.

My question is: why can't I use EAP-MD5 INSIDE PEAP?

By "inside" I mean in the second phase, after the server authentication.

I've understood that PEAP is composed of two phases:

1-server authentication (by certificate)

2-any EAP-Type for client authentication

Why "any EAP-Type" can't be EAP-MD5?

I hope to be clear.
