Master Thesis Proposal
Implementation of Protected Extensible Authentication
Protocol (PEAP) - An IEEE 802.1x wireless LAN standard
for authentication.
Nirmala Bulusu
1. Committee members and Signatures:
Approved by
Date
__________________________________
Advisor: Dr. Edward Chow
_____________
__________________________________
Committee member: Terrance Boult
_____________
__________________________________
Committee member: Xiaobo zhou
_____________
2. Introduction
The main goal of this thesis is to offer a server side implementation of the
Protected Extensible Authentication Protocol (PEAP). PEAP is an 802.1x EAP
authentication protocol designed typically for access control in wireless LANs. It
makes use of two very well known protocols Extensible Authentication Protocol
(EAP) and Transport Layer Security (TLS) as a way to securely transport
authentication data, including passwords, over 802.11 wireless networks.
The key standard for wireless LAN authentication is the IEEE 802.1x standard.
802.1x is a layer 2 port-based access control mechanism used for transmitting
data between the endpoint (Supplicant) and the authentication server like
Remote Authentication Dial-In User Service (RADIUS). The 802.1x principle of
operation is given below [Figure 1 adapted from IEEE Aboba’s 802.1x paper]
Authenticator System
Supplicant
System
Host NIC
Ethernet 802.1,
Wireless PC card,
etc.
Authentication
Server System
EAPOL
Services offered by
the Authenticator
system
Authenticator
PAE
EAP Messages
Encapsulated
Controlled Port Unauthorized
Port
Authorize/Unauthorize
Uncontrolled
Port
MAC Enable
Authentication
Server [AAA]
Any EAP
Mostly Radius
The three different
elements in IEEE
802.1x
Figure 1: Principal of Operation Among the IEEE 802.1x Elements
The 802.1x protocol is only a transport mechanism and the actual authentication
takes place in the Extensible Authentication Protocol (EAP) defined by IETF.
EAP is an authentication protocol that typically rides on top of another protocol
such as 802.1x, RADIUS, PPP etc. It defines a standard message exchange that
allows a server to authenticate a client based on an authentication protocol
agreed upon by both parties. The EAP architecture depicting the wireless LAN
security framework is given below.
Figure 2: Wireless LAN Security Framework
Among the diverse methods used by EAP to perform authentication, EAP-TLS is
the most commonly implemented EAP type for WLANs. It makes use of the
existing SSL 3.0 protocol and its authentication is based on the PKI support
using X.509 certificates. Although EAP-TLS provides protection from most
attacks, a number of weaknesses have become apparent since its deployment.
These include lack of user identity protection, no standardized key exchange
mechanism, no built-in support for fragmentation and re-assembly and lack of
support for fast reconnect. Also as the protocol needs client certificate in order to
authenticate the client, deploying EAP-TLS is complicated.
Two new quite similar protocols namely EAP-TTLS and “Protected” EAP (PEAP)
were developed in response to the PKI barrier in EAP-TLS. Both use the
transport layer security [TLS] to authenticate the server and offer tunneling of
other authentication methods to authenticate the client.
PEAP was developed by Microsoft, Cisco and RSA security and is currently an
Internet draft. PEAP uses Transport Layer Security (TLS) to create an encrypted
channel between an authenticating EAP client and an EAP authenticator. It does
not specify an authentication method, but provides a secure wrapper for other
EAP authentication protocols, such as EAP MS-CHAP. There are two built-in
EAP types for use within PEAP, and they are EAP TLS and EAP MS-CHAP. The
Protected EAP protocol attempts to fix the problems found in EAP. It provides for
mutual authentication, key generation, and client identity protection and supports
quick re-authentication.
PEAP performs authentication in two phases. In the first phase the
Authentication Server is authenticated to the Supplicant using an X.509
certificate. Using TLS, a secure channel is established through which any other
EAP-Type can be used to authenticate the client (Supplicant) to the
Authentication Server during the second phase. A certificate is only required at
the Authentication Server. EAP-PEAP also supports identity hiding where the
Authenticator is only aware of the anonymous username used to establish the
TLS channel during the first phase but not the individual user authenticated
during the second phase.
Test Bench for setting up PEAP
The development environment components required for implementing and
setting up PEAP are:
•
•
•
•
•
Client wireless network adaptor compatible with 802.1x.
Client access software capable of EAP – Xsupplicant
Wireless access point (base station) compatible with 802.1x and EAP
RADIUS (authentication server) compatible with EAP – FreeRadius
PKI (public key infrastructure) – Beta Version of OpenSSL
The development environment is already set up in our lab as shown in Figure 3.
Figure 3: Test Bench set-up in the Lab
3. Thesis Plan
The goal of this thesis work is to implement a basic server-side working model of
the PEAP protocol on a Linux Server based on the IETF internet draft proposal
[www.ietf.org/internet-drafts/ draft-josefsson-pppext-eap-tls-eap-06.txt ]
and perform a comparison between the two 802.1x EAP standards – TTLS and
PEAP.
3.1
Tasks:
3.1.1 Work done till date:


Installing and Configuring the Client Side software – Xsupplicant
[www.open1x.org]
Installing and configuring Radius Server - FreeRadius
[www.freeradius.org]



Installing and configuring OpenSSL. [www.openssl.org]
Set-up a test bench to test EAP-TLS with the above configured
software.
Running Xsupplicant, Cisco AP-1200 and FreeRadius with EAP type
set to TLS. Successfully established the Authentication.
3.1.2 Work in progress:

Study and analyze both the Client [Xsupplicant] and Server side [Free
Radius] implementations of the IEEE 802.1x EAP protocol.
3.1.3 Work to be done:







3.2
Implement the Server Side Code with PEAP modules to authenticate
PEAP Users.
Configure Xsupplicant, FreeRadius and the Access Point to support
EAP type PEAP.
Test the implementation of the PEAP modules.
Run and test Xsupplicant, Cisco AP-1200 and FreeRadius set-up
configured to EAP type TTLS and EAP type PEAP.
Study and analyze the logs showing the protocol handshakes using
packages like ethereal and tcpdump.
Compare performance of the two protocols TTLS and PEAP.
Write Thesis
Deliverables:


A thesis report documenting the implementation details of the PEAP
module on freeradius and xsupplicant. Should also include the
configuration details of the wireless network set-up and lessons
learned in this thesis project.
The source code of the PEAP module.
4. References:
[1] Protected EAP (IETF draft, work in progress) March 2003:
http://www.globecom.net/ietf/draft/draft-josefsson-pppext-eap-tls-eap-06.html
[2] IEEE 802.1X Port Based Network Access Control, by Paul Congdon:
http://www.ieee802.org/1/files/public/docs2000/P8021XOverview.PDF
[3] The Unofficial 802.11 Security Web Page. Security analyses of 802.11
http://www.drizzle.com/~aboba/IEEE/
[4] PPP Extensible Authentication Protocol
http://www.ietf.org/rfc/rfc2284.txt
[5] PPP EAP-TLS Authentication Protocol
http://www.ietf.org/rfc/rfc2284.txt
[6] PEAP – Product Documentation
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/windowsserver2003/proddocs/entserver/sag_ias_protocols_peap.asp
[7] Microsoft, Cisco prepare for PEAP show
www.nwfusion.com/news/2002/0923peap.html
[8] Fisher, Arthur. 2001.Authentication and Authorization:
http://rr.sans.org/authentic/IEEE_8021X.php
[9] OpenSSL: The Open Source toolkit for SSL/TLS (http://www.openssl.org)
[10] FreeRadius: Remote Authentication Dial-in User Service
http://www.freeradius.org
[11] Open 1x: Open Source Implementation of IEEE 802.1x
http://www.open1x.org
[12] Gast, Matthew. 2002. 802.11 Wireless Networks: The Definitive Guide
O’Reilly Network.
[13] EAP TTLS (IETF draft, work in progress). 2002.
http://www.ietf.org/internetdrafts/draft-ietf-pppext-eap-ttls-02.txt
[14] HOWTO on EAP/TLS authentication between FreeRADIUS and XSupplicant
http://www.missl.cs.umd.edu/wireless/eaptls/
[15] Protected EAP by Magnus Nyström
http://www.ietf.org/proceedings/02mar/slides/eap-3/sld001.htm