: ''PEAP is also an acronym for
Personal Egress Air Packs
Personal Egress Air Packs, or PEAPs, were devices on board a Space Shuttle that provided crew members with about six minutes of breathable air in the case of a mishap while the vehicle was still on the ground. PEAPs did not provide pressurized a ...
.''
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by .
EAP is an authentication framework for providing the transport ...
(EAP) within an encrypted and authenticated
Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securi ...
(TLS)
tunnel
A tunnel is an underground passageway, dug through surrounding soil, earth or rock, and enclosed except for the entrance and exit, commonly at each end. A pipeline is not a tunnel, though some recent tunnels have used immersed tube cons ...
.
[Protected EAP Protocol (PEAP) Version 2, /tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10 abstract] The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
PEAP was jointly developed by
Cisco Systems
Cisco Systems, Inc., commonly known as Cisco, is an American-based multinational corporation, multinational digital communications technology conglomerate (company), conglomerate corporation headquartered in San Jose, California. Cisco develo ...
,
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
, and
RSA Security
RSA Security LLC, formerly RSA Security, Inc. and doing business as RSA, is an American computer and network security company with a focus on encryption and encryption standards. RSA was named after the initials of its co-founders, Ron Rivest, ...
. PEAPv0 was the version included with
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
Windows XP
Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...
and was nominally defined in
/tools.ietf.org/html/draft-kamath-pppext-peapv0-00 draft-kamath-pppext-peapv0-00 PEAPv1 and PEAPv2 were defined in different versions of ''draft-josefsson-pppext-eap-tls-eap''. PEAPv1 was defined in
/tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-00 draft-josefsson-pppext-eap-tls-eap-00through
/tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-05 draft-josefsson-pppext-eap-tls-eap-05 and PEAPv2 was defined in versions beginning with
/tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-06 draft-josefsson-pppext-eap-tls-eap-06
The protocol only specifies chaining multiple EAP mechanisms and not any specific method.
However, use of the
EAP-MSCHAPv2
: ''PEAP is also an acronym for Personal Egress Air Packs.''
Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypte ...
and
EAP-GTC
: ''PEAP is also an acronym for Personal Egress Air Packs.''
Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypte ...
methods are the most commonly supported.
Overview
PEAP is similar in design to
EAP-TTLS
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by .
EAP is an authentication framework for providing the transport ...
, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses
server-side
In the client–server model, server-side refers to programs and operations that run on the server. This is in contrast to client-side programs and operations which run on the client.
General concepts
Typically, a server is a computer application ...
public key certificate
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...
s to authenticate the server. It then creates an
encrypted
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
TLS tunnel
A tunnel is an underground passageway, dug through surrounding soil, earth or rock, and enclosed except for the entrance and exit, commonly at each end. A pipeline is not a tunnel, though some recent tunnels have used immersed tube cons ...
between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.
As of May 2005, there were two PEAP sub-types certified for the updated
WPA
WPA may refer to:
Computing
*Wi-Fi Protected Access, a wireless encryption standard
*Windows Product Activation, in Microsoft software licensing
* Wireless Public Alerting (Alert Ready), emergency alerts over LTE in Canada
* Windows Performance An ...
and
WPA2
Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security and security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer networks. The All ...
standard. They are:
* PEAPv0/EAP-MSCHAPv2
* PEAPv1/EAP-GTC
PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2 and
EAP-GTC
: ''PEAP is also an acronym for Personal Egress Air Packs.''
Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypte ...
refer to the inner authentication methods which provide user or device authentication. A third authentication method commonly used with PEAP is
EAP-SIM
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by .
EAP is an authentication framework for providing the transport ...
.
Within Cisco products, PEAPv0 supports inner EAP methods EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports inner EAP methods EAP-GTC and EAP-SIM. Since Microsoft only supports PEAPv0 and doesn't support PEAPv1, Microsoft simply calls it "PEAP" without the v0 or v1 designator. Another difference between Microsoft and Cisco is that Microsoft only supports the EAP-MSCHAPv2 method and not the EAP-SIM method.
However, Microsoft supports another form of PEAPv0 (which Microsoft calls PEAP-EAP-TLS) that many Cisco and other third-party server and client software don't support. PEAP-EAP-TLS requires client installation of a
client-side
Client-side refers to operations that are performed by the client in a client–server relationship in a computer network.
General concepts
Typically, a client is a computer application, such as a web browser, that runs on a user's local compute ...
digital certificate
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a Key authentication, public key. The certificate includes information about the key, i ...
or a more secure smartcard. PEAP-EAP-TLS is very similar in operation to the original EAP-TLS but provides slightly more protection because portions of the client certificate that are unencrypted in EAP-TLS are encrypted in PEAP-EAP-TLS. Ultimately, PEAPv0/EAP-MSCHAPv2 is by far the most prevalent implementation of PEAP, due to the integration of PEAPv0 into
Microsoft Windows
Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
products. Cisco's CSSC client (discontinued in 2008 ) now supports PEAP-EAP-TLS.
PEAP has been so successful in the market place that even
Funk Software
Funk Software was a US-based company that was acquired by Juniper Networks in 2005 for US$ 122 million. The company was founded in 1982 by Paul Funk, and was headquartered in Cambridge, Massachusetts.
The company first became well known in the ...
(acquired by
Juniper Networks
Juniper Networks, Inc. is an American multinational corporation headquartered in Sunnyvale, California. The company develops and markets networking products, including routers, switches, network management software, network security products, ...
in 2005), the inventor and backer of
EAP-TTLS
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by .
EAP is an authentication framework for providing the transport ...
, added support for PEAP in their server and client software for wireless networks.
PEAPv0 with EAP-MSCHAPv2
MS-CHAPv2 is an old authentication protocol which Microsoft introduced with NT4.0 SP4 and Windows 98.
PEAPv0/EAP-MSCHAPv2 is the most common form of PEAP in use, and what is usually referred to as PEAP. The inner authentication protocol is
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
's
Challenge Handshake Authentication Protocol, meaning it allows authentication to databases that support the MS-CHAPv2 format, including Microsoft NT and Microsoft Active Directory.
Behind
EAP-TLS
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by .
EAP is an authentication framework for providing the transport ...
, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. There are client and server implementations of it from various vendors, including support in all recent releases from
Microsoft
Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
,
Apple Computer
Apple Inc. is an American multinational technology company headquartered in Cupertino, California, United States. Apple is the largest technology company by revenue (totaling in 2021) and, as of June 2022, is the world's biggest company b ...
and
Cisco
Cisco Systems, Inc., commonly known as Cisco, is an American-based multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, ...
. Other implementations exist, such as the
xsupplicant
Xsupplicant is a supplicant that allows a workstation to authenticate with a RADIUS server using 802.1X and the Extensible Authentication Protocol (EAP). It can be used for computers with wired or wireless LAN connections to complete a strong aut ...
from the Open1x.org project, and
wpa_supplicant
wpa_supplicant is a free software implementation of an IEEE 802.11i supplicant for Linux, FreeBSD, NetBSD, QNX, AROS, Microsoft Windows, Solaris, OS/2 (including ArcaOS and eComStation) and Haiku. In addition to being a WPA3 and WPA2 s ...
.
As with other 802.1X and EAP types, dynamic encryption can be used with PEAP.
A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of
MS-CHAPv2 MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MS-CHAPv2 was introduced with pptp3-fix that was in ...
handshakes.
Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks making them feasible with modern hardware.
PEAPv1 with EAP-GTC
PEAPv1/
EAP-GTC
: ''PEAP is also an acronym for Personal Egress Air Packs.''
Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypte ...
was created by Cisco to provide interoperability with existing token card and directory based authentication systems via a protected channel. Even though Microsoft co-invented the PEAP standard, Microsoft never added support for PEAPv1 in general, which means PEAPv1/EAP-GTC has no native
Windows
Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
OS support. Since Cisco has typically recommended lightweight EAP protocols such as
LEAP and
EAP-FAST
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in network and internet connections. It is defined in , which made obsolete, and is updated by .
EAP is an authentication framework for providing the transport ...
protocols instead of PEAP, the latter has not been as widely adopted as some had hoped.
With no interest from Microsoft to support PEAPv1 and no promotion from Cisco, PEAPv1 authentication is rarely used.
Even in
Windows 7
Windows 7 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009. It is the successor to Windows Vista, released nearly ...
, released in late 2009, Microsoft has not added support for any other authentication system other than MSCHAPv2.
Nokia E66
The Nokia E66 is a slider smartphone in the Nokia Eseries range, a S60 platform third edition device with slide action targeting business users. It is a successor to the Nokia E65 with which it shares many features.
E66 has similar features to t ...
and later mobile phones ship with a version of
Symbian
Symbian is a discontinued mobile operating system
A mobile operating system is an operating system for mobile phones, tablets, smartwatches, smartglasses, or other non-laptop personal mobile computing devices. While computers such as typic ...
which includes EAP-GTC support.
LDAP (Lightweight Directory Access Protocol) only supports EAP-GTC.
References
External links
*
draft-josefsson-pppext-eap-tls-eap- The EAP-TLS protocol specifications
{{Authentication APIs
Open standards
Computer access control protocols
Transport Layer Security