Content deleted Content added
GreenC bot (talk | contribs) Reformat 1 archive link; Move 1 url. Wayback Medic 2.5 per WP:URLREQ#zdnet.com |
|||
| (14 intermediate revisions by 14 users not shown) | |||
Line 1:
{{Short description|Protocol that encapsulates Extensible Authentication Protocol}}
: ''PEAP is also an acronym for [[Personal Egress Air Packs]].''
<span lang="English" dir="ltr">The</span> '''Protected Extensible Authentication Protocol''', also known as '''Protected EAP''' or simply '''PEAP''', is a protocol that encapsulates the [[Extensible Authentication Protocol]] (EAP) within an encrypted and authenticated [[Transport Layer Security]] (TLS) [[tunneling protocol|tunnel]].<ref>{{cite news
| url=
| title=Understanding the updated WPA and WPA2 standards
| work=ZDNet
| author=
| date=2005-06-02
|
</ref><ref>Microsoft's PEAP version 0, [//tools.ietf.org/html/draft-kamath-pppext-peapv0-00 draft-kamath-pppext-peapv0-00], §1.1</ref><ref name="peapv2-10_abstract">Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10], abstract</ref><ref>Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10], §1</ref> The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.<ref>Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-07 draft-josefsson-pppext-eap-tls-eap-07], §1</ref>
Line 23 ⟶ 24:
PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2 and [[Extensible Authentication Protocol#EAP-GTC|EAP-GTC]] refer to the inner authentication methods which provide user or device authentication. A third authentication method commonly used with PEAP is [[Extensible Authentication Protocol#EAP-SIM|EAP-SIM]].
Within Cisco products, PEAPv0 supports inner EAP methods EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports inner EAP methods EAP-GTC and EAP-SIM. Since Microsoft only supports PEAPv0 and
However, Microsoft supports another form of PEAPv0 (which Microsoft calls PEAP-EAP-TLS) that many Cisco and other third-party server and client software
PEAP has been so successful in the market place that even [[Funk Software]] (acquired by [[Juniper Networks]] in 2005), the inventor and backer of [[EAP-TTLS]], added support for PEAP in their server and client software for wireless networks.
Line 36 ⟶ 37:
Behind [[EAP-TLS]], PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. There are client and server implementations of it from various vendors, including support in all recent releases from [[Microsoft]], [[Apple Computer]] and [[Cisco Systems|Cisco]]. Other implementations exist, such as the [[xsupplicant]] from the Open1x.org project, and [[wpa_supplicant]].
As with other 802.1X and EAP types, [[dynamic encryption]] can be used with PEAP.
A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of [[MS-CHAPv2]] handshakes.<ref name="Man-in-the-Middle in Tunneled Authentication Protocols">{{cite web|title=Man-in-the-Middle in Tunneled Authentication Protocols|url=http://eprint.iacr.org/2002/163.pdf|publisher=Nokia Research Center|accessdate=14 November 2013}}</ref>
Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks making them feasible with modern hardware.<ref>{{
== PEAPv1 with EAP-GTC ==
| |||