Managing Keys and Certificates 381
Nortel WLAN Security Switch 2300 Series Configuration Guide

PEAP-MS-CHAP-V2 Security

PEAP performs a TLS exchange for server authentication and allows a secondary authentication to be performed inside the resulting secure channel for client authentication. For example, the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs mutual MS-CHAP-V2 authentication inside an encrypted TLS channel established by PEAP.

1. To form the encrypted TLS channel, the WSS must have a digital certificate and must send that certificate to the wireless client.
2. Inside the WSS switch’s digital certificate is the WSS’s public key, which the wireless client uses to encrypt a pre-master secret key.
3. The wireless client then sends the key back to the WSS so that both the WSS and the client can derive a key from this pre-master secret for secure authentication and wireless session encryption.

Clients authenticated by PEAP need a certificate in the WSS only when the switch performs PEAP locally, not when EAP processing takes place on a RADIUS server. (For details about authentication options, see Chapter , “Configuring AAA for Network Users,” on page 401.)

About Keys and Certificates

Public-private key pairs and digital signatures and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered. You generate the key pairs and certificates on the WSS or install them on the switch after enrolling with a certificate authority (CA). The WSS can generate key pairs, self-signed certificates, and Certificate Signing Requests (CSRs), and can install key pairs, server certificates, and certificates generated by a CA.

When the WSS needs to communicate with WLAN Management Software, Web View, or an 802.1X or Web-based AAA client, WSS Software requests a private key from the switch’s certificate and key store:

• If no private key is available in the WSS’s certificate and key store, the switch does not respond to the request from WSS Software. If the switch does have a private key in its key store, WSS Software requests a corresponding certificate.
• If the WSS has a self-signed certificate in its certificate and key store, the switch responds to the request from WSS Software. If the certificate is not self-signed, the switch looks for a CA’s certificate with which to validate the server certificate.
• If the WSS has no corresponding CA certificate, the switch does not respond to the request from WSS Software. If the switch does have a corresponding CA certificate, and the server certificate is validated (date still valid, signature approved), the switch responds.

If the WSS switch does not respond to the request from WSS Software, authentication fails and access is denied.

For EAP (802.1X) users, the public-private key pairs and digital certificates can be stored on a RADIUS server. In this case, the WSS switch operates as a pass-through authenticator.

Note. The WSS uses separate server certificates for Admin, EAP (802.1X), and Web AAA authentication. Where applicable, the manuals refer to these server certificates as Admin, EAP (or 802.1X), or Web AAA certificates respectively.
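The three-step key-store decision above (private key present, self-signed or CA-issued, CA validation of dates and signature) is the part of this process that most often explains an otherwise silent authentication failure. The following Go program is an added example written for this page; it is not Nortel code and not part of the guide. The KeyStore type, the Decide and Scenarios functions, the constructed CA and server certificates, and the name wss.example.invalid are all assumptions made for illustration, and Go's standard x509 verification stands in for the switch's own validation of "date still valid, signature approved".

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// KeyStore is a hypothetical model of the WSS certificate and key store (an assumption, not the switch's real structure).
type KeyStore struct {
	PrivateKey *ecdsa.PrivateKey
	ServerCert *x509.Certificate
	CACert     *x509.Certificate // nil when no CA certificate has been installed
}

// Decide follows the guide's three-step sequence: nil means the switch responds,
// an error names the step at which it stays silent.
func (ks KeyStore) Decide(now time.Time) error {
	c := ks.ServerCert
	if ks.PrivateKey == nil || c == nil {
		return errors.New("no private key and certificate in the key store")
	}
	// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
	if bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		return nil // respond without any CA check
	}
	if ks.CACert == nil {
		return errors.New("no corresponding CA certificate")
	}
	// Validation: dates still valid and the signature chains to the installed CA.
	roots := x509.NewCertPool()
	roots.AddCert(ks.CACert)
	_, err := c.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Fixture helpers: constructed keys and certificates for the scenarios below.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}
func template(cn string, serial int64, isCA bool, notBefore time.Time, days int) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku = x509.KeyUsageCertSign }
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(time.Duration(days) * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku,
	}
}
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// Scenarios builds one constructed key store per case in the guide and reports whether the switch responds.
func Scenarios() map[string]bool {
	now, day := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), 24*time.Hour
	caKey, srvKey := newKey(), newKey()
	caTmpl := template("Example CA", 1, true, now.Add(-day), 3650)
	caCert := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	selfTmpl := template("wss.example.invalid", 2, false, now.Add(-day), 365)
	selfSigned := makeCert(selfTmpl, selfTmpl, &srvKey.PublicKey, srvKey)
	caSigned := makeCert(template("wss.example.invalid", 3, false, now.Add(-day), 365), caCert, &srvKey.PublicKey, caKey)
	expired := makeCert(template("wss.example.invalid", 4, false, now.Add(-400*day), 365), caCert, &srvKey.PublicKey, caKey)
	cases := map[string]KeyStore{
		"no-private-key":       {ServerCert: selfSigned},
		"self-signed":          {PrivateKey: srvKey, ServerCert: selfSigned},
		"ca-signed-no-ca-cert": {PrivateKey: srvKey, ServerCert: caSigned},
		"ca-signed-valid":      {PrivateKey: srvKey, ServerCert: caSigned, CACert: caCert},
		"ca-signed-expired":    {PrivateKey: srvKey, ServerCert: expired, CACert: caCert},
	}
	out := make(map[string]bool, len(cases))
	for name, ks := range cases {
		out[name] = ks.Decide(now) == nil
	}
	return out
}

func main() {
	for name, responds := range Scenarios() {
		fmt.Printf("%-22s responds=%v\n", name, responds)
	}
}
```

Two points the model makes visible: a self-signed server certificate is accepted at step two with no CA check at all, so the third step only ever applies to CA-issued certificates, and an installed CA certificate does not help once the server certificate has passed its NotAfter date, which is why a WSS that suddenly stops answering WSS Software should have its certificate validity dates checked before anything else.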