Protected Extensible Authentication Protocol (PEAP)
Definition
Protected Extensible Authentication Protocol (PEAP) is a security protocol for wireless local area networks (WLANs) that provides secure authentication and encryption for data transmitted over the network. PEAP is an enhancement of the Extensible Authentication Protocol (EAP), which is a general-purpose authentication framework used in various network protocols. PEAP was jointly developed by Microsoft, Cisco Systems, and RSA Security, aiming to address some of the security vulnerabilities in the original EAP.
Purpose and Role
The purpose of PEAP is to provide a more secure authentication method for wireless networks by addressing some of the weaknesses of EAP. The role of PEAP in network security includes:
- Encapsulation: PEAP encapsulates EAP messages within a Transport Layer Security (TLS) tunnel, which provides an encrypted and secure channel for exchanging authentication information.
- Server-side authentication: PEAP provides server-side authentication, where the server presents a digital certificate to prove its identity to the client. This helps prevent man-in-the-middle attacks and other security threats.
- Password-based authentication: PEAP supports password-based authentication methods, such as EAP-MSCHAPv2, which allows users to authenticate with their usernames and passwords.
- Fast reconnect: PEAP includes a fast reconnect feature that enables clients to re-authenticate quickly with the authentication server without the need to perform a full TLS handshake.
Components
PEAP consists of several components that work together to provide secure authentication:
- EAP: The Extensible Authentication Protocol is the underlying framework used to support various authentication methods.
- TLS: Transport Layer Security is a cryptographic protocol that provides secure communication over a network. In PEAP, it is used to establish an encrypted tunnel for exchanging authentication information.
- Inner authentication methods: PEAP supports multiple inner authentication methods, such as EAP-MSCHAPv2 and EAP-GTC, which are used to authenticate the client within the TLS tunnel.
- Digital certificates: PEAP requires the authentication server to present a digital certificate to prove its identity to the client.
Importance
PEAP is important in wireless network security for the following reasons:
- Enhanced security: By encapsulating EAP messages within a TLS tunnel, PEAP provides additional protection against eavesdropping and man-in-the-middle attacks.
- Server-side authentication: PEAP's server-side authentication helps ensure that clients are connecting to a legitimate authentication server, reducing the risk of security breaches.
- Password-based authentication: PEAP's support for password-based authentication methods makes it easier for users to authenticate using their existing credentials.
- Widespread adoption: Due to its enhanced security features and the backing of major companies like Microsoft, Cisco, and RSA Security, PEAP has become a popular choice for securing wireless networks.
Example
A company wants to deploy a secure wireless network for its employees. It decides to use PEAP to provide secure authentication for users connecting to the network. The company's authentication server is configured with a digital certificate to prove its identity, and the employees are provided with usernames and passwords for authentication.
When an employee connects to the wireless network, the authentication server presents its digital certificate to the client. The client verifies the certificate and then establishes a TLS tunnel with the server. The employee's username and password are sent securely within the TLS tunnel using the EAP-MSCHAPv2 authentication method. Once the server verifies the user's credentials, the client is granted access to the wireless network.