The PEAP

The PEAP authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client verifies the RADIUS server’s certificate.
4. The RADIUS server authenticates the client using MS-CHAP or other means, such as an OTP.
5. The RADIUS server and the client agree on the WEP key.
6. A secure tunnel is established between the client and the server.

An organization can use Windows logins and passwords if it has not issued certificates
to every station. RADIUS servers that support EAP-TTLS and PEAP can check LAN
access requests with Windows domain controllers, Active Directories, and other
existing user databases.
PEAP Version 0 and Version 1
There are two versions of PEAP:
• PEAP Version 0 (also known as Microsoft PEAP)
• PEAP Version 1 (also known as Cisco PEAP)
Each version supports a different method of client authentication through its TLS
tunnel. Version 0 authenticates clients using MS-CHAP Version 2. This limits user
databases to those supporting MS-CHAP Version 2, such as Active Directory.
[Figure: the six numbered steps shown between the Client, Access Point, Switch, and RADIUS Server]
Version 1 (Cisco PEAP) authenticates clients using OTPs and logon passwords, which
allows support for vendors' OTP systems and for logon password databases in addition to
Microsoft databases.
In addition, Version 1 enables users to hide their usernames until the TLS tunnel is
created. This ensures that usernames are not broadcast during the authentication phase.
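
Step 3 of the process (the client verifies the RADIUS server's certificate) and the hiding of usernames until the TLS tunnel exists both depend on how the client is configured. The following is an added example, not part of the original text: a Python check that flags PEAP profiles that skip either protection. The use of wpa_supplicant as the client, and the SSIDs, names and file paths in the sample, are assumptions made for illustration.

```python
# CONSTRUCTED sample wpa_supplicant.conf; SSIDs, names and paths are placeholders.
SAMPLE_CONF = '''
network={
    ssid="corp-weak"
    eap=PEAP
    identity="alice"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-checked"
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    ca_cert="/etc/ssl/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
'''

def parse_networks(text):
    """Split the file into one {key: value} dict per network={...} block."""
    nets, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            nets.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return nets

def audit_peap(net):
    """Return findings for one profile; an empty list means none were found."""
    if net.get("eap", "").upper() != "PEAP":
        return []
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: RADIUS server certificate is not verified")
    elif "domain_suffix_match" not in net:
        findings.append("no domain_suffix_match: any certificate from this CA is accepted")
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: username is sent outside the TLS tunnel")
    return findings

def audit_config(text):
    return {n.get("ssid", "?"): audit_peap(n) for n in parse_networks(text)}
```

Calling audit_config(SAMPLE_CONF) returns two findings for "corp-weak" and none for "corp-checked".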