Managing keys and certificates 445
Nortel WLAN—Security Switch 2300 Series Configuration Guide

PEAP-MS-CHAP-V2 security

PEAP performs a TLS exchange for server authentication and allows a secondary authentication to be performed inside the resulting secure channel for client authentication. For example, the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP-V2) performs mutual MS-CHAP-V2 authentication inside an encrypted TLS channel established by PEAP.

1 To form the encrypted TLS channel, the WSS must have a digital certificate and must send that certificate to the wireless client.

2 Inside the WSS’s digital certificate is the WSS’s public key, which the wireless client uses to encrypt a pre-master secret key.

3 The wireless client then sends the key back to the WSS so that both the WSS and the client can derive a key from this pre-master secret for secure authentication and wireless session encryption.

Clients authenticated by PEAP need a certificate in the WSS only when the switch performs PEAP locally, not when EAP processing takes place on a RADIUS server. (For details about authentication options, see “Configuring AAA for network users” (page 467).)

About keys and certificates

Public-private key pairs and digital signatures and certificates allow keys to be generated dynamically so that data can be securely encrypted and delivered. You generate the key pairs and certificates on the WSS or install them on the switch after enrolling with a certificate authority (CA).
The WSS can generate key pairs, self-signed certificates, and Certificate Signing Requests (CSRs), and can install key pairs, server certificates, and certificates generated by a CA.

When the WSS needs to communicate with WLAN Management Software, Web View, or an 802.1X or Web-based AAA client, WSS Software requests a private key from the switch’s certificate and key store:

• If no private key is available in the WSS’s certificate and key store, the switch does not respond to the request from WSS Software. If the switch does have a private key in its key store, WSS Software requests a corresponding certificate.

• If the WSS has a self-signed certificate in its certificate and key store, the switch responds to the request from WSS Software. If the certificate is not self-signed, the switch looks for a CA’s certificate with which to validate the server certificate.

• If the WSS has no corresponding CA certificate, the switch does not respond to the request from WSS Software. If the switch does have a corresponding CA certificate, and the server certificate is validated (date still valid, signature approved), the switch responds.

If the WSS does not respond to the request from WSS Software, authentication fails and access is denied.

Note. The WSS uses separate server certificates for Admin, EAP (802.1X), and Web-based AAA authentication. Where applicable, the manuals refer to these server certificates as Admin, EAP (or 802.1X), or Web-based AAA certificates respectively.
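The certificate and key store lookup described above, as an added Go example that is not part of the configuration guide or of WSS Software: ShouldRespond applies the same sequence (private key present, self-signed certificate accepted as is, otherwise a stored CA certificate must validate the signature and the validity dates) to real X.509 certificates via Go's crypto/x509, and NewCert is a constructed helper that issues test certificates. The KeyStore type, the check that the certificate's public key matches the stored private key, and all names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// KeyStore is a hypothetical model of one WSS certificate and key store (Admin, EAP or Web-based AAA).
type KeyStore struct {
	PrivateKey *ecdsa.PrivateKey
	ServerCert *x509.Certificate
	CACerts    []*x509.Certificate
}

// ShouldRespond follows the sequence in the text: no private key means no response; a self-signed
// server certificate is accepted as is; otherwise a CA certificate in the store must validate it.
func ShouldRespond(s KeyStore, now time.Time) bool {
	c := s.ServerCert
	if s.PrivateKey == nil || c == nil || !s.PrivateKey.PublicKey.Equal(c.PublicKey) {
		return false // no key, or the certificate does not correspond to the key (assumed check)
	}
	if string(c.RawIssuer) == string(c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		return true // self-signed: no CA certificate needed
	}
	roots := x509.NewCertPool()
	for _, ca := range s.CACerts {
		roots.AddCert(ca)
	}
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err == nil // fails on unknown CA, bad signature, or certificate outside its validity dates
}

// NewCert issues a constructed test certificate: self-signed when parent is nil, else signed by parent.
func NewCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```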