supplying a client certificate during EAP-PEAP?

Guest

Hi,

I am trying to get my WinCE 5.0 device to authenticate to a rather unusual
802.1x (wireless) authentication server. The auth server wants to do PEAP,
and it wants a client certificate during the initial TLS handshake phase of
PEAP. I've already imported the appropriate certificate into my Win CE
device, but when I hit the "configure" button in the network UI for PEAP, I
noticed that the certificate selection box is greyed out. Is it possible to
configure PEAP to supply a user certificate during authentication?

Thanks,
Michael
 
Paul G. Tobey [eMVP]

I've never seen such a thing. Are you sure it's not using EAP-TLS (mutually
certified communications)? You might try that setting...

Paul T.
 
Guest

Yeah, I know what I'm asking is a bit odd (it's an external requirement, not
my idea.) Yes, I am asking for EAP-PEAP and not EAP-TLS. So I guess your
answer is "no"?

(I'm going to try to make my Linux client do the same thing during TTLS...)

Michael
 
Paul G. Tobey [eMVP]

You might try TLS on the CE end and see if that will work...

Paul T.
 
KM

Michael,

Have you looked into the 5.0 PB Help?

In EAP-PEAP authentication the client does NOT send a certificate to the server.

Here is a related quote from PB for you:
"PEAP with MS-CHAP v2 requires that a certificate is installed on the Internet Authentication Service (IAS) server but not on the
wireless client. To ensure that wireless clients can validate the IAS server certificate chain, the root Certificate Authority (CA)
certificate of the CA that issued the IAS server certificate must be installed on each wireless client.
Windows CE includes the root CA certificates of many third-party CAs. If you obtain your IAS server certificate from a third-party
CA that corresponds to an included root CA certificate, no additional wireless client configuration is required. If you obtain your
IAS server certificate from a third-party CA for which Windows CE does not include a corresponding root CA certificate, you must
install the root CA certificate on each wireless client."
 
Guest

Hi KM,

heh, heh, my reading of that text tells me that a client certificate is not
_required_, but it does not say whether it is _allowed_ :)

Anyways, I know what you mean. I'm giving up on trying to do this with
PEAP. I'm just going to present my findings to the higher-ups and see what
they want to do.

(By the way, in answer to Paul's question, yes, I've tried TLS and it works,
so I know I've got a good set of certificates on the CE device and the auth
server. And I've also been able to configure my Linux supplicant, using
Open1x, to present a client certificate during TTLS.)

Thanks for your replies.

Michael
 
Piet

EAP-PEAP certainly supports the use of client-side certificates. It is
very uncommon though, and your client will probably not allow you to
configure them.

Regards,
Piet
 
Guest

Michael,

Did you ever get this going? I'm trying to do the same thing. Does CE 5.0
support PEAP-EAP-TLS (PEAP with EAP-TLS)?

Ha
 
Paul G. Tobey [eMVP]

It does support EAP-TLS and PEAP both. TLS uses client-side certificates,
which you can select from the WZC dialog that is used to configure the
security options for your wireless connection.

Paul T.
 
Guest

Paul -

Thanks for the reply, but there may be some misunderstanding. Either on my
part or yours.

Here's what I know.

Microsoft supports EAP-TLS. It also supports two forms of PEAP.

1. PEAP/MS-CHAPv2 (Password and Server-Side Certificate)
2. PEAP-EAP-TLS (Client and Server-Side Certificate)

I am not referring to EAP-TLS. I have already tested and verified that
my device supports EAP-TLS. I have also tested and verified PEAP/MS-CHAPv2.
I can't seem to get PEAP-EAP-TLS going. When I go into the Wireless settings
and choose PEAP, I should have the option to select a client-side cert that is
located locally on my device. That option is greyed. BTW....the device is a
Panasonic ToughBook CF-VDW08 running Windows CE 5.0.

Does anyone know if CE 5.0 supports PEAP-EAP-TLS, and if so, how would you
set that up?

Also...Paul - What WZC? Wireless Zero Client?!?!
 
Paul G. Tobey [eMVP]

PEAP != EAP-TLS and I don't see any reason to tack an extra PEAP on the
front of EAP-TLS. If what you want is a client certificate-based
authentication of the client, you've already tested it by selecting
"EAP-TLS", as far as I can tell.

WZC is the Wireless Zero Configuration capability of the OS. It's the UI
that handles showing the known SSID values, doing the associations with
preferred SSIDs, etc.

Paul T.
 
Guest

Paul -

No disrespect, but I think that's wrong. Please see below....

"PEAP-EAP-TLS is very similar in operation to the original EAP-TLS but
provides slightly more protection due to the fact that portions of the client
certificate that are unencrypted in EAP-TLS are encrypted in PEAP-EAP-TLS."

http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

http://technet2.microsoft.com/WindowsServer/en/Library/3e94a25d-8922-4935-b248-540aa6b8c5101033.mspx

The reason mentioned above is the main reason why we are looking to go
with PEAP-EAP-TLS. We already have it set up in our infrastructure. We are
simply trying to extend it to Windows CE 5.0 mobile devices.

Any thoughts on how, or if, this is possible?

Ha
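To make the three methods discussed in this thread concrete (EAP-TLS, PEAP/MS-CHAPv2 and PEAP-EAP-TLS), here is an added example of how a wpa_supplicant configuration expresses where the client certificate goes in each. This is not from the thread or from any poster: the thread's Linux tests used Open1x, which has its own syntax, and the Windows CE WZC UI has no text configuration at all; wpa_supplicant is used here only because it is the common Linux supplicant and supports EAP-TLS as a PEAP inner method via `phase2="auth=TLS"`. The SSIDs, identities, passwords and certificate paths are placeholders (assumptions), not values from the page.

```conf
# Added example, not from the thread. Three wpa_supplicant network blocks
# showing where the client certificate sits in each method the thread
# discusses. SSIDs, identities and file paths are placeholders (assumptions).

# 1. EAP-TLS: the client certificate is presented in the outer TLS
#    handshake, so the certificate itself (subject, issuer, validity)
#    travels in cleartext, as the quoted Wikipedia text notes.
network={
    ssid="corp-eap-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="michael@example.com"
    ca_cert="/etc/cert/corp-root-ca.pem"
    client_cert="/etc/cert/michael.pem"
    private_key="/etc/cert/michael.key"
    private_key_passwd="placeholder-passphrase"
}

# 2. PEAP/MS-CHAPv2: only the server presents a certificate (matching the
#    PB Help quote earlier in the thread). The client authenticates with a
#    password inside the tunnel; there is deliberately no client_cert here.
#    ca_cert pins the root that issued the IAS/RADIUS server certificate.
network={
    ssid="corp-peap-mschapv2"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="michael"
    password="placeholder-password"
    ca_cert="/etc/cert/corp-root-ca.pem"
    phase2="auth=MSCHAPV2"
}

# 3. PEAP-EAP-TLS: the outer PEAP tunnel is built with the server
#    certificate only; EAP-TLS then runs as the inner (phase 2) method, so
#    the client certificate is delivered inside the already-encrypted
#    tunnel. Note the "2" suffix on the phase-2 certificate fields: these
#    are the inner EAP-TLS credentials, distinct from the outer ca_cert.
network={
    ssid="corp-peap-eap-tls"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="michael@example.com"
    anonymous_identity="anonymous@example.com"
    ca_cert="/etc/cert/corp-root-ca.pem"
    phase2="auth=TLS"
    ca_cert2="/etc/cert/corp-root-ca.pem"
    client_cert2="/etc/cert/michael.pem"
    private_key2="/etc/cert/michael.key"
    private_key2_passwd="placeholder-passphrase"
}
```

Block 3 is the configuration the posters could not reach from the CE 5.0 WZC dialog: the dialog greys out the certificate picker once PEAP is chosen, because the only inner method it offers is MS-CHAPv2. The check a practitioner would run is the same on any supplicant: with `ca_cert` set, a PEAP or EAP-TLS attempt against a server whose certificate does not chain to that root must fail, not silently fall through to an unvalidated tunnel. Block 3 also shows the one practical benefit the thread argues over: `anonymous_identity` plus the tunnelled client certificate means neither the real username nor the certificate subject appears in the outer, unencrypted EAP exchange.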
 
Paul G. Tobey [eMVP]

In any case, you've done what is doable in CE. If there is some other
protocol distinct from EAP-TLS, you can't use it. The negotiation process
should arrive at EAP-TLS as the highest level of security that both ends
support.

Paul T.
 
Guest

Ha,

Did you ever get this working? Also, when you mentioned that you already
had this setup in your infrastructure, did you mean that you were able to
authenticate some type(s) of clients using PEAP-EAP-TLS? I'm not having much
luck finding anyone that has managed to make this work.

Thanks.

Mikal
 
