1.4.3 EAP-PEAP (Protected Extensible Authentication Protocol)

The Protected Extensible Authentication Protocol (PEAP), also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel.

PEAP operates in two phases:
  • Phase 1 – the EAP peer establishes a TLS session and authenticates with the EAP server.
  • Phase 2 – an inner EAP method is negotiated and run over the TLS session established in Phase 1.

There are different versions of PEAP. The ATWINC implements PEAPv0 (Internet-Draft draft-kamath-pppext-peapv0-00) and PEAPv1 (Internet-Draft draft-josefsson-pppext-eap-tls-eap-05). For Phase 2 authentication, the ATWINC supports MSCHAPv2 or TLS. The following figure shows the PEAPv1 authentication process. Phase 1 is similar for PEAPv0 and PEAPv1; in Phase 2, the format of the EAP messages carried inside the tunnel differs between the two versions.

Figure 1-6. EAP-PEAP Method

PEAP is based on server-side EAP-TLS authentication. With PEAP, the overhead of installing a digital certificate on every client device, as EAP-TLS requires, is avoided: only the server needs a certificate. The user can select the client authentication method, such as logon passwords or OTPs, that best suits their corporate needs. PEAP is an enhancement of EAP-TLS authentication that encapsulates a second-phase authentication transaction within the TLS framework; because the Phase 2 credential is protected only by that tunnel, the client must verify the server's certificate in Phase 1.
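An added illustration, not code from the ATWINC firmware or from this document: the EAP-PEAP framing in Python, with the PEAP version carried in the outer Flags byte and the Phase 2 difference noted above (PEAPv0 strips the inner EAP Code, Identifier and Length fields; PEAPv1 carries a complete EAP packet). The TLS tunnel itself is not modelled; encode_inner produces what would be handed to TLS for encryption, and the sample Type-Data bytes are constructed placeholders.

```python
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25         # outer EAP Type for PEAP
EAP_TYPE_MSCHAPV2 = 26     # inner method the text names for Phase 2
PEAP_FLAG_START = 0x20     # S bit: the server's PEAP Start packet
PEAP_VERSION_MASK = 0x07   # version sits in the low-order Flags bits (mask as in wpa_supplicant)

def negotiate_version(server_offered, client_max):
    """Peer replies with the highest version it supports that is not above the server's offer."""
    return min(server_offered, client_max)

def build_outer(code, identifier, version, tls_payload, start=False):
    """Phase 1 framing: EAP header, Type 25, Flags byte, then the TLS record bytes."""
    flags = version & PEAP_VERSION_MASK
    if start:
        flags |= PEAP_FLAG_START
    body = bytes([EAP_TYPE_PEAP, flags]) + tls_payload
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_outer(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_PEAP:   # Length field must match the buffer
        raise ValueError("not a well-formed EAP-PEAP packet")
    flags = pkt[5]
    return {"code": code, "id": identifier, "version": flags & PEAP_VERSION_MASK,
            "start": bool(flags & PEAP_FLAG_START), "tls": pkt[6:]}

def encode_inner(version, code, identifier, eap_type, type_data):
    """Phase 2 message as handed to the TLS tunnel: PEAPv0 sends only Type + Type-Data
    (Code, Identifier and Length omitted); PEAPv1 sends a complete EAP packet."""
    if version == 0:
        return bytes([eap_type]) + type_data
    hdr = struct.pack("!BBH", code, identifier, 5 + len(type_data))
    return hdr + bytes([eap_type]) + type_data

def decode_inner(version, data, outer_code=None, outer_id=None):
    """Return (code, id, type, type_data) for either format; PEAPv0 inherits the outer header fields."""
    if version == 0:
        return outer_code, outer_id, data[0], data[1:]
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("inner EAP Length does not match the decrypted data")
    return code, identifier, data[4], data[5:]

if __name__ == "__main__":
    challenge = b"\x01\x2a" + bytes(16)  # constructed placeholder Type-Data, not a real MSCHAPv2 Challenge
    for v in (0, 1):
        msg = encode_inner(v, EAP_CODE_REQUEST, 9, EAP_TYPE_MSCHAPV2, challenge)
        print(f"PEAPv{v} inner request: {len(msg)} bytes, inner Type {decode_inner(v, msg, 1, 9)[2]}")
```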