|
: ''PEAP is also an acronym for [[Personal Egress Air Packs]].''
The '''Protected Extensible Authentication Protocol''', also known as '''Protected EAP''' or simply '''PEAP''', is a protocol that encapsulates the [[Extensible Authentication Protocol]] (EAP) within an encrypted and authenticated [[Transport Layer Security]] (TLS) [[tunneling protocol|tunnel]].<ref>{{cite news
| url=http://www.zdnet.com/blog/ou/understanding-the-updated-wpa-and-wpa2-standards/67
| title=Understanding the updated WPA and WPA2 standards
| work=ZDNet
| author=
| date=2005-06-02
| accessdate=2012-07-17 }}
</ref><ref>Microsoft's PEAP version 0, [//tools.ietf.org/html/draft-kamath-pppext-peapv0-00 draft-kamath-pppext-peapv0-00], §1.1</ref><ref name="peapv2-10_abstract">Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10], abstract</ref><ref>Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10], §1</ref> The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.<ref>Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-07 draft-josefsson-pppext-eap-tls-eap-07], §1</ref>
PEAP was jointly developed by [[Cisco Systems]], [[Microsoft]], and [[RSA Security]]. PEAPv0 was the version included with [[Microsoft]] [[Windows XP]] and was nominally defined in [//tools.ietf.org/html/draft-kamath-pppext-peapv0-00 draft-kamath-pppext-peapv0-00]. PEAPv1 and PEAPv2 were defined in different versions of ''draft-josefsson-pppext-eap-tls-eap''. PEAPv1 was defined in [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-00 draft-josefsson-pppext-eap-tls-eap-00] through [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-05 draft-josefsson-pppext-eap-tls-eap-05],<ref>Protected EAP Protocol (PEAP), [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-05 draft-josefsson-pppext-eap-tls-eap-05], §2.3</ref> and PEAPv2 was defined in versions beginning with [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-06 draft-josefsson-pppext-eap-tls-eap-06].<ref>Protected EAP Protocol (PEAP), [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-06 draft-josefsson-pppext-eap-tls-eap-06], §2.3</ref>
The protocol only specifies chaining multiple EAP mechanisms and not any specific method.<ref name="peapv2-10_abstract"/><ref>Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10], §2</ref> However, use of the [[EAP-MSCHAPv2]] and [[EAP-GTC]] methods are the most commonly supported.{{Citation needed|date=April 2010}}
==Overview==
PEAP is similar in design to [[EAP-TTLS]], requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses [[server-side]] [[public key certificate]]s to authenticate the server. It then creates an [[encryption|encrypted]] [[Transport Layer Security|TLS]] [[tunneling protocol|tunnel]] between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.
| 