  • I have a couple of questions about a few entries in the EAP Comparison Chart. This chart is a matrix of EAP and PEAP types versus supported features. For those unfamiliar with it, it can be found in the Coleman/Westcott CWNA (Sybex) text, pages 368-369 and in "Wireless LAN Security Courseware v3.0", page 141. Maybe others have these same questions so I decided to post them.

    Q1. PEAP using EAP-GTC [PEAP(EAP-GTC) in the chart] is shown as not providing man-in-the-middle protection. Now, it is my understanding that a primary defense against MitM is mutual authentication. However, PEAP(EAP-GTC) is listed as supporting mutual authentication in this chart. Clearly this is a contradiction. What am I missing? Discussions of PEAP(EAP-GTC) are very brief or nonexistent in the texts that I have, but it is my understanding that mutual authentication is a fundamental characteristic of all EAP types, with the exception of MD5.

    Q2. The entry "N/A" is shown four times in the chart. Assuming this means "not applicable" (the meaning is not defined), its appearance raises questions. For example, the PEAP(EAP-TLS)/Dictionary attack resistance entry is "N/A" while EAP-TLS itself is shown as having resistance to that attack. What gives? Similar questions can be asked about the other "N/A" entries. Not applicable? Why not?

    Any direction that readers can provide will be very appreciated!

    Tom

  • By (Deleted User)

    Q1. PEAP using EAP-GTC [PEAP(EAP-GTC) in the chart] is shown as not providing man-in-the-middle protection. Now, it is my understanding that a primary defense against MitM is mutual authentication. However, PEAP(EAP-GTC) is listed as supporting mutual authentication in this chart. Clearly this is a contradiction.


    That is a mistake in the chart that will get fixed in the 2nd edition of the book. PEAP(ver1)-EAP-GTC is NOT susceptible to MitM attacks.

    Q2. The entry "N/A" is shown four times in the chart. Assuming this means "not applicable" (the meaning is not defined), its appearance raises questions. For example, the PEAP(EAP-TLS)/Dictionary attack resistance entry is "N/A" while EAP-TLS itself is shown as having resistance to that attack. What gives? Similar questions can be asked about the other "N/A" entries. Not applicable? Why not?

    These are debatable. Both EAP-TLS and PEAP(ver0)-EAP-TLS require a client-side certificate as the main client credential, so offline dictionary attacks are not really an issue. But you can say that both types of EAP are resistant to those attacks.

    EAP-MD5 and LEAP are both VERY susceptible to offline dictionary attacks. Also the optional Automatic PAC provisioning used in PHASE 0 of EAP-FAST is also susceptible to such an attack.

  • Thank you for the prompt reply!
