Revision as of 10:00, 28 April 2022 edit VulcanSphere (talk \| contribs) Extended confirmed users 22,164 edits Adding local short description: "Protocol that encapsulates Extensible Authentication Protocol", overriding Wikidata description "protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated TLS tunnel" (Shortdesc helper) ← Previous edit		Revision as of 15:31, 18 August 2022 edit undo Idoghor Melody (talk \| contribs) Autopatrolled, Event coordinators, Extended confirmed users, Page movers, IP block exemptions, New page reviewers, Pending changes reviewers 38,222 edits m Clean up/General fixes, typo(s) fixed: doesn’t → doesn't (2) Tag: AWB Next edit →
Line 24: PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2 and [[Extensible Authentication Protocol#EAP-GTC\|EAP-GTC]] refer to the inner authentication methods which provide user or device authentication. A third authentication method commonly used with PEAP is [[Extensible Authentication Protocol#EAP-SIM\|EAP-SIM]]. Within Cisco products, PEAPv0 supports inner EAP methods EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports inner EAP methods EAP-GTC and EAP-SIM. Since Microsoft only supports PEAPv0 and ~~doesn’t~~doesn't support PEAPv1, Microsoft simply calls it "PEAP" without the v0 or v1 designator. Another difference between Microsoft and Cisco is that Microsoft only supports the EAP-MSCHAPv2 method and not the EAP-SIM method. However, Microsoft supports another form of PEAPv0 (which Microsoft calls PEAP-EAP-TLS) that many Cisco and other third-party server and client software ~~don’t~~don't support. PEAP-EAP-TLS requires client installation of a [[client-side]] [[digital certificate]] or a more secure smartcard. PEAP-EAP-TLS is very similar in operation to the original EAP-TLS but provides slightly more protection because portions of the client certificate that are unencrypted in EAP-TLS are encrypted in PEAP-EAP-TLS. Ultimately, PEAPv0/EAP-MSCHAPv2 is by far the most prevalent implementation of PEAP, due to the integration of PEAPv0 into [[Microsoft Windows]] products. Cisco's CSSC client (discontinued in 2008 <ref>{{Cite web\|title=End-of-Sale and End-of-Life Announcement for the Cisco Secure Services Client v4.0\|url=https://www.cisco.com/c/en/us/products/collateral/wireless/secure-services-client/EOL_c51-459086.html\|access-date=2021-05-04\|website=Cisco\|language=en}}</ref>) now supports PEAP-EAP-TLS. PEAP has been so successful in the market place that even [[Funk Software]] (acquired by [[Juniper Networks]] in 2005), the inventor and backer of [[EAP-TTLS]], added support for PEAP in their server and client software for wireless networks. Line 39: As with other 802.1X and EAP types, dynamic encryption can be used with PEAP. A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of [[MS-CHAPv2]] handshakes.<ref name="Man-in-the-Middle in Tunneled Authentication Protocols">{{cite web\|title=Man-in-the-Middle in Tunneled Authentication Protocols\|url=//eprint.iacr.org/2002/163.pdf\|publisher=Nokia Research Center\|accessdate=14 November 2013}}</ref> Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks making them feasible with modern hardware.{{Citation needed\|date=November 2016}}

Protected Extensible Authentication Protocol: Difference between revisions