
Presentation Transcript

Protected Extensible Authentication Protocol

What is PEAP?

  • PEAP is an authentication protocol designed for wireless LANs

  • PEAP makes use of two well-known and well-studied protocols

    • EAP - Extensible Authentication Protocol

    • TLS - Transport Layer Security

EAP – Extensible Authentication Protocol

  • EAP is an authentication protocol that typically rides on top of another protocol such as 802.1X, RADIUS, PPP, etc.

  • EAP allows the authenticator to serve as the user authentication carrier between the client and the authentication server.

  • EAP limitations are well known and resolved by PEAP.

TLS – Transport Layer Security

  • TLS provides the encryption, compression and data integrity.

  • TLS is based on the SSL 3.0 Protocol Specification and is often described as an improved version of SSL.

  • TLS is well documented and has been extensively analyzed with no significant weaknesses found.

Why do we need PEAP?

  • A wireless access point (WAP) broadcasts all of its traffic so that anyone within broadcast range can passively collect the data. (Ethereal, AirSnort)

  • Wireless encryption is weak and can be decrypted in a short period of time. (AirSnort, WEPcrack)

  • Physical access to the network is not necessary to connect to it. Knowledge of the SSID and possibly a valid MAC address is all that is required. (NetStumbler)

  • Users have no way of knowing whether they are connecting to a rogue access point set up as part of a man-in-the-middle attack.

How does PEAP fix these problems?

  • The transmission of user-sensitive authentication data is encrypted within a TLS tunnel.

  • Data within the TLS tunnel cannot be decrypted without the TLS master secret.

  • If a client does not successfully authenticate, its connection is dropped by the access point.

  • The TLS master secret is not shared with the access point, so rogue access points will be unable to decrypt messages protected by PEAP.

  • Server-side, Public-Key Infrastructure (PKI) based digital certificates are used to authenticate EAP servers.

How does PEAP work?

  • Part 1 – Establish TLS tunnel

    The sequence diagram on this slide (its lanes are labelled EAP Server and Authentication Server) shows these messages, in order:

    • Request Connection

    • Request Connection

    • Do you support PEAP?

    • Server PKI certificate & server’s TLS preferences

    • Certificate verified & client’s TLS preferences or OK

    • TLS settings accepted & TLS finished

  • TLS tunnel established

How does PEAP work?

  • Part 2 – EAP authentication within the TLS tunnel

    The sequence diagram on this slide (its lanes are labelled EAP Server and Authentication Server) shows these messages, in order:

    • Response to TLS tunnel established

    • Request client’s identity

    • Client’s identity (tells server domain to contact)

    • Server’s requested EAP authentication type

    • Client’s requested EAP authentication type or OK

    • EAP method accepted, request authentication

    • Client’s UserID and Password

    • UserID & password

    • EAP authentication success

  • TLS tunnel torn down

PEAP fast reconnect

  • Allows wireless clients to move between access points on the same network without repeated requests for authentication.

  • Requires that access points be configured to forward authentication requests to the same EAP server. If the original EAP server is not available, full authentication must occur.

  • TLS session IDs are cached by the client and server. Because the server only caches TLS session IDs that successfully authenticate in part 2, if the client can reestablish the TLS session, it is not necessary to re-authenticate the client against the authentication server.
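A simplified model of the two PEAP parts (TLS tunnel, then inner EAP authentication) and of fast reconnect, added here as an illustration and not code from the presentation. It replaces the TLS handshake with a random session ID and the inner EAP method with a password check; the server names, certificate common names and the "alice" account are constructed.

```python
import secrets

class EapServer:
    def __init__(self, name, cert_cn, users):
        self.name, self.cert_cn, self.users = name, cert_cn, users
        self.cache = set()  # TLS session IDs of sessions that passed part 2 on this server

    def phase1(self):
        # Part 1: present the server certificate and set up a fresh TLS session. The
        # master secret is agreed inside TLS, so the access point never learns it.
        return secrets.token_hex(8), self.cert_cn

    def phase2(self, sid, user, password):
        # Part 2: inner EAP method inside the tunnel, modelled as a password check.
        if self.users.get(user) != password:
            return False  # connection dropped; the session ID is not cached
        self.cache.add(sid)
        return True

    def resume(self, sid):  # fast reconnect needs a session that passed part 2 here
        return sid in self.cache

class Client:
    def __init__(self, user, password, trusted_cn):
        self.user, self.password, self.trusted_cn = user, password, trusted_cn
        self.session = None  # (EAP server name, TLS session ID) from the last success

    def connect(self, srv):  # srv: the EAP server behind the access point being joined
        if self.session and self.session[0] == srv.name and srv.resume(self.session[1]):
            return "fast reconnect"
        sid, cn = srv.phase1()
        if cn != self.trusted_cn:  # refuse a server whose certificate is not trusted
            return "rejected"
        if not srv.phase2(sid, self.user, self.password):
            return "auth failed"
        self.session = (srv.name, sid)
        return "full authentication"

def demo():
    users = {"alice": "correct horse"}  # constructed sample account
    srv_a = EapServer("eap-a", "eap.example.test", users)
    srv_b = EapServer("eap-b", "eap.example.test", users)
    rogue = EapServer("rogue", "rogue.example.test", {})
    alice = Client("alice", "correct horse", "eap.example.test")
    return [alice.connect(srv_a),  # full authentication
            alice.connect(srv_a),  # fast reconnect: same EAP server, cached session
            alice.connect(srv_b),  # full authentication: different EAP server
            alice.connect(rogue),  # rejected: certificate not trusted
            Client("alice", "wrong", "eap.example.test").connect(srv_a)]  # auth failed
```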

Security concerns

  • Authentication data transmitted between the NAS (the network access server, i.e. the access point) and the authentication server is not encrypted by the TLS tunnel. This channel must be protected against man-in-the-middle attacks.

  • Data transmitted after PEAP authentication is not encrypted. The TLS tunnel is only used for authentication.

  • A PEAP implementation must be set up correctly: poor configuration can open several severe vulnerabilities.
