Cisco Support Community

New Member

PEAP + EAP-MD5

I've read that with the ACS 3.1 the only eap-type supported with PEAP is GTC.

Why is it not possible to use EAP-MD5 or EAP-TLS with PEAP? These EAP types were already supported in ACS 3.0...

Thanks for your time.

4 REPLIES
New Member

Re: PEAP + EAP-MD5

As per my knowledge, PEAP also uses the TLS protocol to authenticate.

PEAP works in the following way: PEAP operates in two steps. The first step is the server authentication and the second one is user authentication using a new EAP type.

PEAP uses TLS to authenticate the network infrastructure through the TLS Handshake protocol, to protect user credentials in transit by means of the TLS Record Protocol, and to generate cryptographic keying material using the TLS-defined pseudo-random function (PRF) functionality.

For information on this you can follow the URLs,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217f.html#4907

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102179.html

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/acsq_qp.htm

New Member

Re: PEAP + EAP-MD5

OK for the first step. But I can't understand why it isn't possible to use EAP-MD5 in the second step.

If EAP-MD5 was already supported by ACS 3.0, why doesn't it appear as an EAP type for PEAP?

Are there any limitations on the EAP-Type I use in the second step?

Thanks.

New Member

Re: PEAP + EAP-MD5

Basically, EAP-MD5 and PEAP are totally different in the backend. PEAP uses a server-side certificate to authenticate the server, after which it uses the user's login name and password for authentication of the client.

EAP-MD5 only authenticates the client without the server authentication part.

New Member

Re: PEAP + EAP-MD5

Sorry, probably I wasn't clear.

My question is: why can't I use EAP-MD5 INSIDE PEAP?

By "inside" I mean in the second phase, after the server authentication.

I've understood that PEAP is composed of two phases:

1-server authentication (by certificate)

2-any EAP-Type for client authentication

Why "any EAP-Type" can't be EAP-MD5?

I hope to be clear.
