EAP-TTLS versus PEAP
Last Post: September 17, 2004:
In the final push towards the CWSP exam - taking practice exams anyplace I can find them.
Practice test question: Which EAP type wraps EAP in a TLS tunnel; protects EAP communications between clients and authenticators?
IMHO two of the choices are correct: EAP-TTLS and PEAP. Which means one has to be lucky to guess what the author intended.
So my question - am I incorrect that both types are correct answers to this question? Why would one answer be better than another?
As an aside, I see that Cisco ACS ver 3.2 does not support EAP-TTLS, but does support PEAP. Is this an indication that industry wide EAP-TTLS will fall by the wayside in favor of PEAP?
No one knows The Answer?
Ah come on guys. :)
Chuck, if I understand you right, you say you see no difference in the two EAP solutions, correct?
-Both work in similar ways. PEAP is a Microsoft/CISCO solution. TTLS is more widespread across the operating system solutions.
Here is a link that will make you think some more...
I too am studying for the CWSP. Best of Success my man!
The answer probably is EAP-PEAP. Both TTLS and PEAP create a protected TLS tunnel. However TTLS uses MS-CHAPv2 and older legacy authentication protocols inside the tunnel.
Cisco's flavor of PEAP uses "EAP" inside the tunnel, more specifically EAP-GTC. The question you brought up seems to ask for a solution with EAP inside the tunnel.
To further confuse matters... Microsoft's version of PEAP (Bill Gates PEAP) uses MS-CHAPv2 inside the tunnel.
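As an added example (not from this thread, and not any vendor's code), the following Python decodes the outer EAP header and the flags byte that EAP-TLS, EAP-TTLS and PEAP all use to carry TLS records, with method type numbers taken from the IANA EAP registry (13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP). The sample frames are constructed, not captured traffic. It illustrates why the practice question is ambiguous: on the wire TTLS and PEAP are structurally identical, both wrapping a TLS stream in EAP, and the inner method (MS-CHAPv2, GTC, ...) travels inside the encrypted TLS data where a sniffer cannot distinguish them.

```python
import struct

# EAP packet codes (RFC 3748)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# EAP method type numbers from the IANA EAP registry
EAP_TYPES = {
    1: "Identity", 4: "MD5-Challenge", 6: "GTC", 13: "EAP-TLS",
    17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2",
}
# Methods whose type-data is a fragmented TLS record stream behind a flags byte
TLS_TUNNEL_TYPES = {13, 21, 25}


def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with frame")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # Success and Failure carry no Type field
        return info
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    mtype = pkt[4]
    info["type"] = EAP_TYPES.get(mtype, mtype)
    info["tunneled"] = mtype in TLS_TUNNEL_TYPES
    data = pkt[5:length]
    if mtype not in TLS_TUNNEL_TYPES:
        info["data"] = data
        return info
    # Shared flags layout: L = TLS message length included, M = more fragments,
    # S = start; TTLS and PEAP keep a protocol version in the low three bits.
    if not data:
        raise ValueError("tunneled method without flags byte")
    flags = data[0]
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    if mtype != 13:
        info["version"] = flags & 0x07
    off = 1
    if flags & 0x80:
        if len(data) < 5:
            raise ValueError("L flag set but TLS message length missing")
        info["tls_total_length"] = struct.unpack("!I", data[1:5])[0]
        off = 5
    # Everything after the flags (and optional length) is opaque TLS; the
    # inner authentication method is not visible here.
    info["tls_data"] = data[off:]
    return info


def tls_content_type(tls_data: bytes) -> str:
    """Name the TLS record ContentType in the first byte, if any (RFC 5246)."""
    names = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
    return names.get(tls_data[0], "unknown") if tls_data else "none"


# Constructed sample frames (not captured traffic):
# 1) server PEAP Start: Request, id 1, len 6, type 25, flags S=1 version=1
PEAP_START = bytes([1, 1, 0, 6, 25, 0x21])
# 2) client EAP-TTLS response carrying a TLS handshake record, L flag set
FAKE_TLS_RECORD = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"  # constructed, not a real ClientHello
TTLS_RESPONSE = (bytes([2, 1, 0, 20, 21, 0x80])
                 + struct.pack("!I", len(FAKE_TLS_RECORD)) + FAKE_TLS_RECORD)
# 3) bare EAP-Success from the server after the tunnel and inner method complete
EAP_SUCCESS = bytes([3, 2, 0, 4])

if __name__ == "__main__":
    for frame in (PEAP_START, TTLS_RESPONSE, EAP_SUCCESS):
        print(parse_eap(frame))
```

Running it prints the same "tunneled" structure for the PEAP and TTLS frames; only the type number differs, which is the point of the thread's disagreement.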
I appreciate the responses. The link provided is very good.
Thanks to both of you :)
You're welcome. Best of success on the test. I failed it...BUMMER, with 58%. It is a doozy, but you can pass it.
I understand my shortcomings. Will study the guide some more and attempt again in about two weeks. I gained more insight on SECURITY of WLANs that I thought I had a hold on.
I've installed microwave radio links in the Army with encryption devices for the past 15 years so Wireless is my interest. I'm just operating at a different frequency and get mumble-jumbled studying with all the acronyms and synonyms. I guess I've got to broadcast my SSID and use 128/WEP instead of 64/WEP, and analyze longer packets. My crossover cable was twisted I think!
My best advice for you on the exam is to understand different scenarios (the official Practice Test is helpful). In line with the test but not the test.
Know what an attacker might do to your network and the tools used to sniff, crack, hijack and attack the network whether it is an outsider or insider.
Know the EAP types, know what works with RADIUS, Kerberos, and LDAP. Authentication!!!!
Know the segmentation devices- like EEGs and EWGs, Firewalls etc.
Know DES/3DES /WEP and the rest of those PESTs like AES!
Lastly, the CWNP program is one that I feel is well worth every effort. The book covers everything you need to know. USE IT!
The key to being a good technician is HANDS ON and learning by trial and error.
Once I pass the CWSP, I will continue on to the next level (CWAP). I don't have the money for all the cool tools like AirMagnet, but one day I hope to.
So for a moment, anyway, I am / was the world's newest CWSP.
Nice test, guys. I particularly enjoyed having to think things inside out from the practice materials I've been using ;)
Study materials were the CWSP official study guide, the book Real 802.11 Security, the CWSP practice tests from this site and from BOSON, and a couple of articles that have been posted here in various forums.
I'm not sure how much further I can go with this. The boss is insisting on more Cisco related certs for his crew. I look forward to further association with this group, as I find the material fascinating and useful.
Best wishes to all who are pursuing this wonderful profession.
Great job, Chuck. You have made a significant leap forward. What was your strategy to pass? I still have not. But I will, won't give up. The inspiration of others at this forum (like yourself) is our beacon to associate and authenticate till we reach the expert level.
Continued success with the CISCO tracks.
Great job, Chuck. You have made a significant leap forward. What was your strategy to pass?
I spent a LOT of time LEARNING and UNDERSTANDING security solutions and the requirements of such. Chapters 10-13 in the CWSP book. This was supplemented with most of the chapters in the Real 802.11 Security book.
I familiarized myself with chapters 1-9 in the CWSP, but I did not spend a lot of time there.
I took the BOSON tests regularly and studied why I missed questions. Same for the CWSP practice exams available on this site. I probably took each test 4-5 times.
The test is passable, but you do have to think. A number of the questions require an inside out approach. That is, if you have memorized a list of attributes, you have to apply that information in a thoughtful way. Memorization alone does not cut it.
Wired Equivalent Privacy
First attempt at security for wireless networks
802.1x (PEAP, Cisco-LEAP, TLS, TTLS, MD5)
Provides authentication and framework for key exchange
Wi-Fi Protected Access (WPA)
Leverages 802.1x and key "refresh"
Pre-802.11i agreement by Wi-Fi Alliance (not an IEEE 802.11 standard)
Simple on/off access with basic protection
Replaces encryption algorithm with AES
Secure, but no mobility or flexibility
Besides, wireless security standards are a very complicated subject.
It gets even more confusing as the standards allow AP vendors to implement their own methods.
Because WEP is totally insecure, AP vendors scrambled to provide a temporary fix, which is 802.1X, but it's too complicated for entry-level users.
802.1X is designed to implement access control: separate the good guys from the bad guys.
Technically, it has three components:
Supplicant - Entity that wants access. This typically means users or mobile devices
Authenticator - Entity that controls access. This is usually the Network Access Server or the AP
Authorizer - Entity that decides whether the supplicant is admitted. Typically the RADIUS server.
E.g. visitor knocks on door.
Boy opens, checks with you
You authorized, OK
However, EAP-TLS and EAP-TTLS are better than PEAP while you deploy roaming functionalities, FYR.