Protected Extensible Authentication Protocol
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.[1][2][3][4] The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.[5]
PEAP was jointly developed by
The protocol only specifies chaining multiple EAP mechanisms and not any specific method.
Overview
PEAP is similar in design to
As of May 2005, there were two PEAP sub-types certified for the updated
- PEAPv0/EAP-MSCHAPv2
- PEAPv1/EAP-GTC
PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2 and EAP-GTC refer to the inner authentication methods which provide user or device authentication. A third authentication method commonly used with PEAP is EAP-SIM.
Within Cisco products, PEAPv0 supports inner EAP methods EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports inner EAP methods EAP-GTC and EAP-SIM. Since Microsoft only supports PEAPv0 and doesn't support PEAPv1, Microsoft simply calls it "PEAP" without the v0 or v1 designator. Another difference between Microsoft and Cisco is that Microsoft only supports the EAP-MSCHAPv2 method and not the EAP-SIM method.
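The outer/inner split described above is visible in the packet framing: on the wire only the outer method (EAP type 25, PEAP) and its version bits are readable, while the inner method (EAP-MSCHAPv2, EAP-GTC, EAP-SIM) only appears after the TLS tunnel is decrypted at the authentication server. The following decoder is an added example, not code from the article or from any vendor implementation; it assumes the IANA EAP type numbers and the PEAP flag layout (L/M/S in the high bits, version in the low three bits) and uses constructed sample packets.

```python
"""Added example (not code from the article): decode the outer EAP/PEAP
framing seen on the wire and classify the EAP method by type number.
Sample packets below are constructed for the example."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# EAP method type numbers from the IANA EAP registry.
EAP_TYPE_NAMES = {
    1: "Identity",
    6: "EAP-GTC",
    13: "EAP-TLS",
    18: "EAP-SIM",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
}
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
PEAP_TYPE = 25
# PEAP flag byte: L (0x80) length included, M (0x40) more fragments,
# S (0x20) start; the low three bits carry the PEAP version (0 or 1).
FLAG_L, FLAG_M, FLAG_S, VERSION_MASK = 0x80, 0x40, 0x20, 0x07


@dataclass
class EapPacket:
    code: str
    identifier: int
    method: Optional[str] = None        # None for Success/Failure
    peap_version: Optional[int] = None  # set only when method is PEAP
    flags: Dict[str, object] = field(default_factory=dict)
    payload: bytes = b""


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet: Code, Identifier, Length (RFC 3748), then Type."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODE_NAMES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} inconsistent with {len(raw)} bytes")
    pkt = EapPacket(EAP_CODE_NAMES[code], ident)
    body = raw[4:length]
    if code in (3, 4):          # Success/Failure carry no Type field
        return pkt
    if not body:
        raise ValueError("Request/Response needs a Type byte")
    method_type = body[0]
    pkt.method = EAP_TYPE_NAMES.get(method_type, f"type-{method_type}")
    pkt.payload = body[1:]
    if method_type == PEAP_TYPE:
        if not pkt.payload:
            raise ValueError("PEAP needs a flags byte")
        fbyte = pkt.payload[0]
        pkt.peap_version = fbyte & VERSION_MASK
        pkt.flags = {"L": bool(fbyte & FLAG_L),
                     "M": bool(fbyte & FLAG_M),
                     "S": bool(fbyte & FLAG_S)}
        pkt.payload = pkt.payload[1:]
        if pkt.flags["L"]:
            # With L set, a 4-byte total TLS message length precedes the data.
            if len(pkt.payload) < 4:
                raise ValueError("L flag set but TLS length field missing")
            pkt.flags["tls_message_length"] = struct.unpack("!I", pkt.payload[:4])[0]
            pkt.payload = pkt.payload[4:]
    return pkt


def describe(raw: bytes) -> str:
    """One-line summary such as 'Request id=1 PEAP v0 [S] (0 bytes)'."""
    p = parse_eap(raw)
    if p.method is None:
        return f"{p.code} id={p.identifier}"
    if p.peap_version is None:
        return f"{p.code} id={p.identifier} {p.method} ({len(p.payload)} bytes)"
    set_flags = "".join(k for k in ("L", "M", "S") if p.flags[k])
    return f"{p.code} id={p.identifier} PEAP v{p.peap_version} [{set_flags}] ({len(p.payload)} bytes)"


# Constructed samples: a PEAPv0 Start request, a PEAPv1 fragment with L set,
# and two inner-method requests as they would look after TLS decryption.
PEAP_START = bytes.fromhex("0101000619" "20")
PEAP_V1_FRAGMENT = bytes.fromhex("0102000d19" "81" "00000003" "160301")
INNER_MSCHAPV2 = bytes.fromhex("010300061a01")
INNER_GTC = bytes.fromhex("0104000e06") + b"Password:"

if __name__ == "__main__":
    for sample in (PEAP_START, PEAP_V1_FRAGMENT, INNER_MSCHAPV2, INNER_GTC):
        print(describe(sample))
```

A monitoring point that only sees EAPOL frames can therefore tell PEAPv0 from PEAPv1 and spot the Start and fragmentation flags, but it cannot tell whether MS-CHAPv2 or GTC runs inside; that classification belongs on the RADIUS server side.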
However, Microsoft supports another form of PEAPv0 (which Microsoft calls PEAP-EAP-TLS) that many Cisco and other third-party server and client software don't support. PEAP-EAP-TLS requires client installation of a
PEAP has been so successful in the market place that even
PEAPv0 with EAP-MSCHAPv2
MS-CHAPv2 is an old authentication protocol which Microsoft introduced with NT4.0 SP4 and Windows 98.
PEAPv0/EAP-MSCHAPv2 is the most common form of PEAP in use, and what is usually referred to as PEAP. The inner authentication protocol is
Behind
As with other 802.1X and EAP types, dynamic encryption can be used with PEAP.
A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of
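The server-validation requirement above is a client configuration matter, and the most common failure is a supplicant profile that simply omits the CA pin. The checker below is an added example, not from the article or from the wpa_supplicant project; it assumes the real wpa_supplicant.conf keys (`eap`, `ca_cert`, `ca_path`, `domain_match`, `domain_suffix_match`, `phase1="peapver=N"`, `phase2`) and audits two constructed network blocks, one weak and one hardened, for the conditions under which credentials would be sent before the server is authenticated.

```python
"""Added example (not code from the article): audit wpa_supplicant network
blocks for PEAP settings that leave the TLS server unauthenticated.
Both configuration texts are constructed for the example."""
import re
from typing import Dict, List

# Weak profile: no ca_cert, so the client accepts any server certificate
# and hands its MS-CHAPv2 response to whoever runs the access point.
WEAK_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Hardened profile: pin the issuing CA, require the server name to match,
# and fix the PEAP version so the client does not downgrade.
HARDENED_CONFIG = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
"""


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Split wpa_supplicant.conf text into network blocks of key -> value."""
    networks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_peap(network: Dict[str, str]) -> List[str]:
    """Return findings for one PEAP network block (empty list if none)."""
    findings: List[str] = []
    if network.get("eap", "").upper() != "PEAP":
        return findings
    ssid = network.get("ssid", "<no ssid>")
    if "ca_cert" not in network and "ca_path" not in network:
        findings.append(f"{ssid}: no ca_cert/ca_path, server certificate is "
                        "not validated before credentials are sent")
    if not any(k in network for k in ("domain_match", "domain_suffix_match")):
        findings.append(f"{ssid}: no domain_match/domain_suffix_match, any "
                        "certificate chaining to the trusted CA is accepted")
    if not re.search(r"peapver=[01]", network.get("phase1", "")):
        findings.append(f"{ssid}: PEAP version not fixed in phase1, "
                        "version is negotiated with the server")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map each PEAP network's SSID to its list of findings."""
    return {n.get("ssid", "<no ssid>"): audit_peap(n)
            for n in parse_networks(text)
            if n.get("eap", "").upper() == "PEAP"}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for ssid, findings in audit_config(cfg).items():
            print(label, ssid, findings or ["ok"])
```

The domain match check matters even when a CA is pinned: if the pinned CA is a public one, any certificate it issued would otherwise satisfy the tunnel, so the name constraint is what ties the tunnel to the organisation's own RADIUS server.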
Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks, making them feasible with modern hardware.[11]
PEAPv1 with EAP-GTC
PEAPv1/
With no interest from Microsoft in supporting PEAPv1 and no promotion from Cisco, PEAPv1 authentication is rarely used. Even in Windows 7, released in late 2009, Microsoft had not added support for any authentication system other than MSCHAPv2.
Nokia E66 and later mobile phones ship with a version of Symbian which includes EAP-GTC support.
LDAP (Lightweight Directory Access Protocol) only supports EAP-GTC.[citation needed]
References
1. "Understanding the updated WPA and WPA2 standards". ZDNet. 2005-06-02. Retrieved 2012-07-17.
2. Microsoft's PEAP version 0, draft-kamath-pppext-peapv0-00, §1.1
3. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-10, abstract
4. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-10, §1
5. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-07, §1
6. Protected EAP Protocol (PEAP), draft-josefsson-pppext-eap-tls-eap-05, §2.3
7. Protected EAP Protocol (PEAP), draft-josefsson-pppext-eap-tls-eap-06, §2.3
8. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-10, §2
9. "End-of-Sale and End-of-Life Announcement for the Cisco Secure Services Client v4.0". Cisco. Retrieved 2021-05-04.
10. "Man-in-the-Middle in Tunneled Authentication Protocols" (PDF). Nokia Research Center. Retrieved 14 November 2013.
11. "Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate". 2016-03-16. Archived from the original on 2016-03-16. Retrieved 2022-10-19.
External links
- Kamath, Vivek; Palekar, Ashwin; Wodrich, Mark (25 October 2002). Microsoft's PEAP version 0 (Implementation in Windows XP SP1). IETF. I-D draft-kamath-pppext-peapv0-00.
- draft-josefsson-pppext-eap-tls-eap - The EAP-TLS protocol specifications