Peap-Ms-Chap-V2 Security; About Keys And Certificates - D-Link DWS-1008 - AirPremier MobileLAN Switch Product Manual

PEAP performs a TLS exchange for server authentication and allows a secondary authentication to
be performed inside the resulting secure channel for client authentication. For example, the Microsoft
Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs mutual MS-CHAP-
V2 authentication inside an encrypted TLS channel established by PEAP.
1. To form the encrypted TLS channel, the switch must have a digital certificate and must
send that certificate to the wireless client.
2. Inside the switch's digital certificate is the switch's public key, which the wireless client
uses to encrypt a pre-master secret key.
3. The wireless client then sends the key back to the switch so that both the switch and the
client can derive a key from this pre-master secret for secure authentication and wireless
session encryption.
Clients authenticated by PEAP need a certificate in the switch only when the switch performs PEAP
locally, not when EAP processing takes place on a RADIUS server. (For details about authentication
options, see "Configuring AAA for Network Users,".)

About Keys and Certificates

Public-private key pairs and digital signatures and certificates allow keys to be generated dynamically
so that data can be securely encrypted and delivered. You generate the key pairs and certificates on
the switch or install them on the switch after enrolling with a certificate authority (CA). The switch can
generate key pairs, self-signed certificates, and Certificate Signing Requests (CSRs), and can install
key pairs, server certificates, and certificates generated by a CA.
Note: The switch uses separate server certificates for Admin, EAP (802.1X), and WebAAA authentication.
Where applicable, the manuals refer to these server certificates as Admin, EAP (or 802.1X), or WebAAA
certificates respectively.
When the switch needs to communicate with Web View or an 802.1X or WebAAA client, MSS requests
a private key from the switch's certificate and key store:
• If no private key is available in the switch's certificate and key store, the switch does not
respond to the request from MSS. If the switch does have a private key in its key store,
MSS requests a corresponding certificate.
• If the switch has a self-signed certificate in its certificate and key store, the switch responds
to the request from MSS. If the certificate is not self-signed, the switch looks for a CA's
certificate with which to validate the server certificate.
D-Link DWS-1008 User Manual

PEAP-MS-CHAP-V2 Security