PEAP is similar in design to [[EAP-TTLSTLS]], requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses [[server-side]] [[public key certificate]]s to authenticate the server. It then creates an [[encryption|encrypted]] [[Transport Layer Security|TLS]] [[tunneling protocol|tunnel]] between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server's public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.
As of May 2005, there were two PEAP sub-types certified for the updated [[Wi-Fi Protected Access|WPA]] and [[WPA2]] standard. They are:
