

PEAP Support (Windows Embedded CE 6.0)

1/6/2010

Although Extensible Authentication Protocol (EAP) provides authentication flexibility through the use of different EAP types, it poses security issues for wireless networks. For example, if an EAP conversation is sent in clear-text format, a malicious user with access to the media can inject packets into the conversation or capture the EAP messages from a successful authentication for analysis. EAP authentication occurs during the IEEE 802.1X authentication process, before wireless frames are encrypted with Wired Equivalent Privacy (WEP). This makes these frames particularly vulnerable to attacks by unauthorized users.

Protected EAP (PEAP) is an EAP extension that addresses this security issue, and provides enhanced security during authentication. During the authentication process, PEAP first creates a more secure channel that is both encrypted and integrity-protected with TLS. Then, a new EAP negotiation with another EAP type occurs, and the network access attempt of the client is authenticated. Because the TLS channel helps to protect EAP negotiation and authentication for the network access attempt, password-based authentication protocols that are normally susceptible to an offline dictionary attack can be used for authentication in wireless environments.

Windows Embedded CE provides PEAP/MS-CHAP v2 and PEAP/TLS as part of its enhanced EAP and IEEE 802.1X support. Windows Embedded CE wireless clients can use PEAP with MS-CHAP v2 for more secure wireless access that uses password authentication instead of client certificates. PEAP with MS-CHAP v2 requires that a certificate be installed on the Internet Authentication Service (IAS) server but not on the wireless client. To ensure that wireless clients can validate the IAS server certificate chain, the root Certificate Authority (CA) certificate of the CA that issued the IAS server certificate must be installed on each wireless client.

Windows Embedded CE includes the root CA certificates of many third-party CAs. If you obtain your IAS server certificate from a third-party CA that corresponds to an included root CA certificate, no additional wireless client configuration is required. If you obtain your IAS server certificate from a third-party CA for which Windows Embedded CE does not include a corresponding root CA certificate, you must install the root CA certificate on each wireless client.
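The server-certificate check described in the two paragraphs above, as an added example in Go that is not part of this documentation or of the Windows Embedded CE implementation: it builds a constructed corporate root CA and an IAS server certificate under it, then models the PEAP client decision, which accepts only a server certificate that chains to a root CA certificate in the client's installed root store. The CA names and the host name `ias.corp.example` are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed demo certificate for cn (self-signed when parent is nil); demo scaffolding, so it panics on error.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not return errors
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}} // EKU a PEAP client expects on the server cert
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// clientAcceptsServer models the PEAP client's check on the IAS server certificate from the outer TLS handshake: it must chain to an installed root CA certificate.
func clientAcceptsServer(server *x509.Certificate, clientRoots *x509.CertPool) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: clientRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// demo: a client whose root store holds only the corporate root must accept the genuine IAS certificate and reject a same-named one from a CA it was never given.
func demo() (genuineAccepted, unknownCAAccepted bool) {
	root, rootKey := newCert("Corp Root CA", true, nil, nil)
	ias, _ := newCert("ias.corp.example", false, root, rootKey)
	otherRoot, otherKey := newCert("Unknown CA", true, nil, nil)
	otherIAS, _ := newCert("ias.corp.example", false, otherRoot, otherKey)
	clientStore := x509.NewCertPool() // the wireless client's installed root CA certificates
	clientStore.AddCert(root)
	return clientAcceptsServer(ias, clientStore), clientAcceptsServer(otherIAS, clientStore)
}
func main() { fmt.Println(demo()) }
```

Running it prints `true false`: the certificate chained to the installed root is accepted and the one from the unknown CA is rejected, which is the behaviour that prevents a client from completing PEAP against a server it cannot validate.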

For more information on PEAP, see Protected Extensible Authentication Protocol (PEAP).

See Also

Concepts

EAP Support

Other Resources

Extensible Authentication Protocol
Protected Extensible Authentication Protocol (PEAP)
Certificates
Certificates OS Design Development