PEAP
PEAP was developed by Cisco, Microsoft, and RSA Security. PEAP allows
authentication of WLAN clients without requiring a certificate on each client; only
the authentication server needs one. This simplifies the architecture of WLAN security.
PEAP Overview
PEAP, like the competing tunneled transport layer security (TTLS), uses transport
layer security (TLS), the successor to SSL, the protocol used to secure HTTP sessions.
TLS establishes an end-to-end tunnel between the client and the authentication server
(the AP only relays the EAP frames) through which the client's credentials are sent.
A certificate is required on the server, not on the client.
There are two phases to PEAP functionality:
• Phase 1—The client and server perform a TLS handshake in which only the server is
authenticated, by its certificate, in the same way a browser authenticates a web
server over SSL/TLS, and an encrypted tunnel is created. When this phase is
completed, all further authentication data travels inside the tunnel.
• Phase 2—The client is authenticated using either MS-CHAP Version 2 or other
authentication schemes (which are explained in the next section, “PEAP Version
0 and Version 1”).
Figure 4-4 shows how PEAP works.

[Figure 4-4 The PEAP Authentication Process: Client, Access Point, and RADIUS
Server, with the six steps numbered 1 through 6]

74 IEEE 802.1X Authentication
The PEAP authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network; only EAP traffic is relayed
to the RADIUS server.
3. The client verifies the RADIUS server's certificate, and the TLS tunnel between the
client and the server is established (phase 1).
4. Inside the tunnel, the RADIUS server authenticates the client using MS-CHAP or
other means, such as an OTP (phase 2).
5. The RADIUS server and the client agree on the session key (the dynamic WEP key in
the deployments this chapter describes), and the server passes it to the AP.
6. The AP unblocks the client's port, and the client's wireless traffic is protected
with that key.
An organization can use Windows logins and passwords if it has not issued certificates
to every station. RADIUS servers that support EAP-TTLS and PEAP can check LAN
access requests against Windows domain controllers, Active Directory, and other
existing user databases.
PEAP Version 0 and Version 1
There are two versions of PEAP:
• PEAP Version 0 (also known as Microsoft PEAP)
• PEAP Version 1 (also known as Cisco PEAP)
Each version supports a different method of client authentication through its TLS
tunnel. Version 0 authenticates clients using MS-CHAP Version 2. This limits user
databases to those that store credentials in a form MS-CHAP Version 2 can use (the
NT password hash), such as Active Directory.
Version 1 (Cisco PEAP) authenticates clients using OTPs and logon passwords, carried
by the EAP-GTC inner method, which allows OTP products from various vendors and logon
password databases in addition to Microsoft databases.
In addition, Version 1 lets the client send only a placeholder identity in the outer
EAP-Identity exchange and reveal its real username after the TLS tunnel is created.
This ensures that usernames are not sent in the clear during the authentication phase.
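The server-certificate check in step 3 of the PEAP process and the identity hiding just described are both settings on the supplicant. The wpa_supplicant configuration below is an added example, not from the book or from any vendor documentation; the SSID, CA file path, RADIUS server name, and credentials are assumed placeholders, and it uses WPA2-Enterprise (key_mgmt=WPA-EAP) rather than the dynamic WEP keys the text describes. The first network block shows the weak setting, the second the corrected one.

```conf
# Added example (not from the book). SSID, paths, server name and
# credentials are placeholders.
ctrl_interface=/var/run/wpa_supplicant

# WEAK: no ca_cert, so the supplicant accepts any certificate the
# RADIUS server presents. A rogue AP with its own RADIUS server can
# complete phase 1 and collect the phase 2 MS-CHAPv2 exchange.
# Kept disabled; present only to show the difference.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# HARDENED: pin the CA that issued the RADIUS server's certificate,
# check the server's DNS name, and send only a placeholder identity
# outside the tunnel. The real identity goes inside the TLS tunnel.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    # outer EAP-Identity, sent in the clear
    anonymous_identity="anonymous@example.com"
    # inner identity, sent only after the tunnel is up
    identity="alice@example.com"
    password="hunter2"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    # PEAPv0 (Microsoft PEAP) with MS-CHAP Version 2 inside
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

Run with wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf. Without ca_cert the phase 1 check in step 3 is effectively skipped, which is what lets a rogue server terminate the tunnel; domain_suffix_match additionally rejects a certificate that was issued by the pinned CA but to a different server name.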
EAP-FAST
EAP-FAST is like EAP-TLS in that it uses a certificate-like Protected Access
Credential (PAC) to establish the TLS tunnel, and it is like PEAP in that it
authenticates the station using a username and password inside that tunnel. EAP-FAST
is unique in that it is designed to speed re-authentication as stations roam among
APs. EAP-TLS and PEAP require lengthy message exchanges between the station and the
server, and re-authentication can take several seconds. Applications that are not
latency sensitive do not need to worry much about this; however, applications that
are sensitive to latency (such as voice over IP) suffer if re-authentication takes
more than a few milliseconds.
EAP-FAST uses a shared secret key (the PAC-Key carried in the PAC) to accelerate the
re-authentication process. Public keys are convenient because the station and the
authentication server can authenticate each other without having to know each other
in advance. (Public keys are used when connecting to a secure website, for instance.)
Shared secret keys are faster, but require that both the station and the authentication
server already hold the secret; EAP-FAST therefore includes a provisioning step
(phase 0) in which the PAC is delivered to the station before it can be used.
Figure 4-5 shows how EAP-FAST works.
Figure 4-5 The EAP-FAST Authentication Process

[Figure 4-5: Client, Access Point, Switch, and RADIUS Server, with the six steps
numbered 1 through 6]

The EAP-FAST authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client verifies the RADIUS server's credentials with the shared secret key in
the PAC, and the TLS tunnel is established from that secret rather than from a server
certificate.
4. The RADIUS server authenticates the client with the shared secret key and, inside
the tunnel, with the client's username and password.
5. The RADIUS server and the client agree on the session key (the dynamic WEP key in
the deployments this chapter describes).
6. A secure connection is established.
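Because the shared secret must already be on the station before step 3 can run, an EAP-FAST supplicant needs both a place to store the PAC and a rule for how the PAC may be provisioned. The wpa_supplicant network block below is an added example, not from the book or from any vendor documentation; the SSID, file paths, and credentials are assumed placeholders.

```conf
# Added example (not from the book). SSID, paths and credentials are
# placeholders.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=FAST
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="hunter2"
    # fast_provisioning=2: allow only authenticated (server-certificate
    # based) PAC provisioning in phase 0. 1 would allow anonymous
    # provisioning, 3 would allow both.
    phase1="fast_provisioning=2"
    phase2="auth=MSCHAPV2"
    # PAC store, written by the supplicant after provisioning. The
    # PAC-Key inside it is the shared secret, so protect the file like
    # a password file.
    pac_file="/etc/wpa_supplicant/corp-wlan.pac"
    # Still needed: authenticated provisioning verifies the server's
    # certificate against this CA before handing over the PAC.
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
}
```

With fast_provisioning=2 the PAC is delivered only inside a server-authenticated TLS session, so ca_cert is still consulted on first use; once the PAC is stored, later authentications run from the shared secret as the process above describes. Allowing anonymous provisioning (1 or 3) runs phase 0 with an anonymous Diffie-Hellman cipher suite, so the station cannot tell which server provisioned it.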