Managing Keys and Certificates 381

PEAP-MS-CHAP-V2 Security

PEAP performs a TLS exchange for server authentication and allows a secondary authentication to be performed inside the resulting secure channel for client authentication. For example, the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs mutual MS-CHAP-V2 authentication inside an encrypted TLS channel established by PEAP.

1. To form the encrypted TLS channel, the WSS must have a digital certificate and must send that certificate to the wireless client.

2. Inside the WSS switch’s digital certificate is the WSS’s public key, which the wireless client uses to encrypt a pre-master secret key.

3. The wireless client then sends the key back to the WSS so that both the WSS and the client can derive a key from this pre-master secret for secure authentication and wireless session encryption.
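The derivation in step 3 is the part of the exchange that both sides perform independently: once the pre-master secret has been transported under the server's public key, each side expands it, together with the handshake nonces, into the master secret and the session keys. The following is an added example (not code from the Nortel manual or from WSS Software) using the TLS 1.2 PRF from RFC 5246 with the standard library only; the RSA transport of the pre-master secret is elided, and the pre-master secret and both randoms are constructed constants.

```python
import hashlib
import hmac
from typing import Tuple


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246 section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes,
                         server_random: bytes) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret",
    #                     ClientHello.random + ServerHello.random)[0..47]
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_session_keys(master: bytes, client_random: bytes,
                        server_random: bytes, key_len: int = 32) -> Tuple[bytes, bytes]:
    # key_block = PRF(master_secret, "key expansion",
    #                 ServerHello.random + ClientHello.random); note the
    # reversed random order compared with the master secret derivation.
    block = prf(master, b"key expansion", server_random + client_random, 2 * key_len)
    return block[:key_len], block[key_len:]  # (client write key, server write key)


# Constructed handshake values: in PEAP the client generates the 48-byte
# pre-master secret and sends it encrypted under the WSS's public key.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def both_sides_derive() -> dict:
    """Each side derives keys from the same inputs; they must match."""
    client_master = derive_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_master = derive_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    client_keys = derive_session_keys(client_master, CLIENT_RANDOM, SERVER_RANDOM)
    server_keys = derive_session_keys(server_master, CLIENT_RANDOM, SERVER_RANDOM)
    return {
        "master_len": len(client_master),
        "masters_match": hmac.compare_digest(client_master, server_master),
        "keys_match": client_keys == server_keys,
        "write_keys_differ": client_keys[0] != client_keys[1],
    }


if __name__ == "__main__":
    print(both_sides_derive())
```

Because the server random enters the derivation, a replayed pre-master secret from an earlier session does not yield the same session keys, which is why the WSS contributes fresh randomness even though the client chooses the pre-master secret.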

Clients authenticated by PEAP need a certificate in the WSS only when the switch performs PEAP locally, not when EAP processing takes place on a RADIUS server. (For details about authentication options, see Chapter , “Configuring AAA for Network Users,” on page 401.)

About Keys and Certificates

Public-private key pairs, digital signatures, and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered. You generate the key pairs and certificates on the WSS or install them on the switch after enrolling with a certificate authority (CA). The WSS can generate key pairs, self-signed certificates, and Certificate Signing Requests (CSRs), and can install key pairs, server certificates, and certificates generated by a CA.

Note. The WSS uses separate server certificates for Admin, EAP (802.1X), and Web AAA authentication. Where applicable, the manuals refer to these server certificates as Admin, EAP (or 802.1X), or Web AAA certificates respectively.

When the WSS needs to communicate with WLAN Management Software, Web View, or an 802.1X or Web-based AAA client, WSS Software requests a private key from the switch’s certificate and key store:

If no private key is available in the WSS’s certificate and key store, the switch does not respond to the request from WSS Software. If the switch does have a private key in its key store, WSS Software requests a corresponding certificate.

If the WSS has a self-signed certificate in its certificate and key store, the switch responds to the request from WSS Software. If the certificate is not self-signed, the switch looks for a CA’s certificate with which to validate the server certificate.

If the WSS has no corresponding CA certificate, the switch does not respond to the request from WSS Software. If the switch does have a corresponding CA certificate, and the server certificate is validated (date still valid, signature approved), the switch responds.

If the WSS switch does not respond to the request from WSS Software, authentication fails and access is denied.
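The sequence above is a decision procedure over the contents of the key store, and each branch is a distinct reason an authentication can fail. The following is an added example that models it (this is not code from the Nortel manual or from WSS Software). It is a simplified stand-in: certificates are dataclasses, and the CA signature check is represented by an HMAC over the certificate body keyed with the CA's `verify_key`, in place of a real X.509 signature verification with the CA's public key, so that it runs with the standard library only. All store contents are constructed for the scenarios.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date
    signature: bytes = b""
    # Stand-in for a CA's public key; only meaningful on CA certificates.
    verify_key: Optional[bytes] = None

    def body(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.not_before}|{self.not_after}".encode()


def sign(body: bytes, signer_key: bytes) -> bytes:
    # Simplified signature: HMAC-SHA256 in place of an RSA/ECDSA signature.
    return hmac.new(signer_key, body, hashlib.sha256).digest()


def make_cert(subject: str, issuer: str, not_before: date, not_after: date,
              signer_key: bytes, verify_key: Optional[bytes] = None) -> Cert:
    cert = Cert(subject, issuer, not_before, not_after, verify_key=verify_key)
    cert.signature = sign(cert.body(), signer_key)
    return cert


@dataclass
class KeyStore:
    private_key: Optional[bytes] = None
    server_cert: Optional[Cert] = None
    ca_certs: Dict[str, Cert] = field(default_factory=dict)  # keyed by CA subject


def should_respond(store: KeyStore, today: date) -> Tuple[bool, str]:
    """Follow the manual's sequence; return (respond, reason)."""
    if store.private_key is None:
        return False, "no private key in key store"
    cert = store.server_cert
    if cert is None:
        return False, "private key present but no server certificate"
    if cert.issuer == cert.subject:
        return True, "self-signed certificate"
    ca = store.ca_certs.get(cert.issuer)
    if ca is None or ca.verify_key is None:
        return False, "no CA certificate for issuer " + cert.issuer
    if not (cert.not_before <= today <= cert.not_after):
        return False, "server certificate outside its validity period"
    if not hmac.compare_digest(sign(cert.body(), ca.verify_key), cert.signature):
        return False, "server certificate signature not approved by CA"
    return True, "server certificate validated by CA"


def build_scenarios(today: date = date(2025, 6, 1)) -> Dict[str, Tuple[bool, str]]:
    """Constructed key-store states, one per branch of the decision."""
    ca_key = b"constructed-example-ca-key"
    ca = make_cert("Example CA", "Example CA", date(2020, 1, 1), date(2030, 1, 1),
                   ca_key, verify_key=ca_key)
    good = make_cert("wss.example", "Example CA", date(2024, 1, 1), date(2026, 1, 1), ca_key)
    expired = make_cert("wss.example", "Example CA", date(2022, 1, 1), date(2023, 1, 1), ca_key)
    forged = make_cert("wss.example", "Example CA", date(2024, 1, 1), date(2026, 1, 1), b"wrong-key")
    selfsigned = make_cert("wss.example", "wss.example", date(2024, 1, 1), date(2026, 1, 1), b"own-key")
    priv = b"constructed-private-key"
    stores = {
        "empty store": KeyStore(),
        "self-signed": KeyStore(priv, selfsigned),
        "missing CA": KeyStore(priv, good),
        "expired": KeyStore(priv, expired, {"Example CA": ca}),
        "bad signature": KeyStore(priv, forged, {"Example CA": ca}),
        "valid": KeyStore(priv, good, {"Example CA": ca}),
    }
    return {name: should_respond(s, today) for name, s in stores.items()}


if __name__ == "__main__":
    for name, (ok, why) in build_scenarios().items():
        print(f"{name:14s} respond={ok!s:5s} {why}")
```

When troubleshooting a non-responding switch, the reason strings map directly onto what to check in the store: whether a private key was ever installed, whether the installed certificate is self-signed or CA-issued, and for the CA-issued case whether the matching CA certificate is present and the server certificate is still within its dates.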

For EAP (802.1X) users, the public-private key pairs and digital certificates can be stored on a RADIUS server. In this case, the WSS switch operates as a pass-through authenticator.

Nortel WLAN Security Switch 2300 Series Configuration Guide
