PEAP (Protected Extensible Authentication Protocol)

What is PEAP? PEAP (Protected Extensible Authentication Protocol) is a version of EAP, the authentication protocol used in wireless networks and Point-to-Point connections. PEAP is designed to provide more secure authentication for 802.11 WLANs (wireless local area networks) that support 802.1X port access control.

PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves. Each station gets an individual encryption key. When used in conjunction with Temporal Key Integrity Protocol (TKIP), each key has a finite lifetime.

Cisco Systems, Microsoft and RSA Security are promoting PEAP as an Internet standard. Currently in draft status, the protocol is gaining support and is expected to displace Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP).

PEAP addresses the shortcomings of 802.11 security, shared key authentication being chief among these. Weaknesses in 802.11 Wired Equivalent Privacy (WEP) allow an attacker to capture encrypted frames and analyze them to determine the encryption key. (In this system, the same shared key is used for both authentication and encryption.) With the shared key, the attacker can decrypt frames or pose as a legitimate user.