Protected Extensible Authentication Protocol


Protected Extensible Authentication Protocol

: "PEAP is also an acronym for Personal Egress Air Packs."

Protected Extensible Authentication Protocol, Protected EAP, or simply PEAP (pronounced "peep"), is a method to securely transmit authentication information, including passwords, over wired or wireless networks. It was jointly developed by Cisco Systems, Microsoft, and RSA Security. Note that PEAP is not an encryption protocol; as with other EAP types it only authenticates a client into a network.

PEAP uses server-side public key certificates to authenticate the server. It then creates an encrypted SSL/TLS tunnel between the client and the authentication server. The ensuing exchange of authentication information to authenticate the client is then encrypted and user credentials are safe from eavesdropping.

PEAP is a joint proposal by Cisco Systems, Microsoft and RSA Security as an open standard. It is already widely available in products, and provides very good security. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication.

As of May 2005, there were two PEAP sub-types certified for the updated WPA and WPA2 standard. They are:
* PEAPv0/EAP-MSCHAPv2
* PEAPv1/EAP-GTC

PEAPv0/EAP-MSCHAPv2

PEAPv0/EAP-MSCHAPv2 is the most common form of PEAP in use, and what is usually referred to as PEAP. The inner authentication protocol is Microsoft's Challenge Handshake Authentication Protocol.

Behind EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. There are client and server implementations of it from various vendors, including support in all recent releases from Microsoft, Apple Computer and Cisco. Other implementations exist such as the xsupplicant from the Open1x.org project

PEAPv1/EAP-GTC

PEAPv1/EAP-GTC was created by Cisco to provide interoperability with existing token card and directory based authentication systems via a protected channel. Even though Microsoft co-invented the PEAP standard, Microsoft never added support for PEAPv1 in general, which means PEAPv1/EAP-GTC has no native Windows OS support. Since Cisco has typically recommended lightweight EAP protocols such as LEAP and EAP-FAST protocols instead of PEAP, PEAP has not been as widely adopted as some had hoped. With no interest from Microsoft to support PEAPv1 and no promotion from Cisco, PEAPv1 authentication is rarely used. There is no native operating system support for this EAP protocol.

Note: The PEAP standard was created by Microsoft, Cisco, and RSA after EAP-TTLS had already come on the market. Even with its late start, Microsoft’s and Cisco’s size allowed them to quickly overtake EAP-TTLS in the market. Microsoft and Cisco parted ways when Microsoft only supported the PEAPv0 standard while Cisco supported both PEAPv0 and PEAPv1.

PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2, EAP-GTC, and EAP-SIM refer to the inner authentication methods which provide user or device authentication. From Cisco’s perspective, PEAPv0 supports inner EAP methods EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports inner EAP methods EAP-GTC and EAP-SIM. Since Microsoft only supports PEAPv0 and doesn’t support PEAPv1, Microsoft simply calls PEAPv0 PEAP without the v0 or v1 designator. Another difference between Microsoft and Cisco is that Microsoft supports only PEAPv0/EAP-MSCHAPv2 mode and not PEAPv0/EAP-SIM mode.

However, Microsoft supports another form of PEAPv0 (which Microsoft calls PEAP-EAP-TLS) that Cisco and other third-party server and client software don’t support. PEAP-EAP-TLS requires client installation of a client-side digital certificate or a more secure smartcard. PEAP-EAP-TLS is very similar in operation to the original EAP-TLS but provides slightly more protection because portions of the client certificate that are unencrypted in EAP-TLS are encrypted in PEAP-EAP-TLS. Since few third-party clients and servers support PEAP-EAP-TLS, users should probably avoid it unless they only intend to use Microsoft desktop clients and servers. Ultimately, PEAPv0/EAP-MSCHAPv2 is by far the most prevalent implementation of PEAP, due to the integration of PEAPv0 into Windows XP and Windows Vista (via a supplied supplicant program).

PEAP has been so successful in the market place that even Funk Software, the inventor and backer of EAP-TTLS, had no choice but to support PEAP in their server and client software for wireless networks.

References

* [http://blogs.zdnet.com/Ou/index.php?p=67 http://blogs.zdnet.com/Ou/index.php?p=67] - Understanding the updated WPA and WPA2 standards.

External links

* [http://www.watersprings.org/pub/id/draft-kamath-pppext-peapv0-00.txt draft-kamath-pppext-peapv0] - Microsoft's PEAP version 0
* [http://www.potaroo.net/ietf/idref/draft-josefsson-pppext-eap-tls-eap/ draft-josefsson-pppext-eap-tls-eap] - The EAP-TLS protocol specifications
* [http://articles.techrepublic.com.com/5100-1035-6148579.html Configure RADIUS for secure 802.1x wireless LAN]
* [http://articles.techrepublic.com.com/5100-1035-6148560.html How to self-sign a RADIUS server for secure PEAP or EAP-TTLS authentication]


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Protected Extensible Authentication Protocol — Protected Extensible Authentication Protocol, Protected EAP, ou plus simplement PEAP, est une méthode de transfert sécurisée d informations d authentification, créée au départ pour les réseaux sans fil. Ce protocole a été développé conjointement… …   Wikipédia en Français

  • Extensible Authentication Protocol — Pour les articles homonymes, voir EAP. Extensible Authentication Protocol (EAP) est un mécanisme d identification universel, fréquemment utilisé dans les réseaux sans fil (ex : de type Wi Fi) et les liaisons point à point. Sommaire 1… …   Wikipédia en Français

  • Extensible Authentication Protocol — Extensible Authentication Protocol, or EAP, is a universal authentication framework frequently used in wireless networks and Point to Point connections. It is defined in RFC 3748, which has been updated by RFC 5247. Although the EAP protocol is… …   Wikipedia

  • Lightweight Extensible Authentication Protocol — The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a… …   Wikipedia

  • Authentication protocol — An authentication protocol is a type of cryptographic protocol with the purpose of authenticating entities wishing to communicate securely.Authentication protocol may refer to: * Challenge handshake authentication protocol (CHAP) * Extensible… …   Wikipedia

  • Diameter (protocol) — Internet protocol suite Application layer BGP DHCP DNS FTP HTTP …   Wikipedia

  • Wi-Fi Protected Access — (WPA and WPA2) is a certification program administered by the Wi Fi Alliance to indicate compliance with the security protocol created by the Wi Fi Alliance to secure wireless computer networks. This protocol was created in response to several… …   Wikipedia

  • Wi-Fi protected access — (WPA et WPA2) est un mécanisme pour sécuriser les réseaux sans fil de type Wi Fi. Il a été créé en réponse aux nombreuses et sévères faiblesses que des chercheurs ont trouvées dans le mécanisme précédent, le WEP. WPA respecte la majorité de la… …   Wikipédia en Français

  • Wi-fi protected access — (WPA et WPA2) est un mécanisme pour sécuriser les réseaux sans fil de type Wi Fi. Il a été créé en réponse aux nombreuses et sévères faiblesses que des chercheurs ont trouvées dans le mécanisme précédent, le WEP. WPA respecte la majorité de la… …   Wikipédia en Français

  • Wi-Fi Protected Access — (WPA et WPA2) est un mécanisme pour sécuriser les réseaux sans fil de type Wi Fi. Il a été créé en réponse aux nombreuses et sévères faiblesses que des chercheurs ont trouvées dans le mécanisme précédent, le WEP. WPA respecte la majorité de la… …   Wikipédia en Français