This document answers questions about Protected Extensible Authentication Protocol.
Q. What is Protected Extensible Authentication Protocol?
A. Protected Extensible Authentication Protocol (PEAP) is an 802.1X authentication type for wireless LANs (WLANs). PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on an Internet Draft (I-D) submitted by Cisco Systems®, Microsoft, and RSA Security to the IETF. Glen Zorn was the Cisco Systems® lead engineer and coauthor of this I-D.
Q. Is PEAP supported by the Cisco Unified Wireless Network, Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)?
A. Yes. The Cisco Unified Wireless Network supports several EAP authentication types, including PEAP. Like all EAP types, PEAP can be used with WPA and WPA2 networks.
Q. What is the Cisco Unified Wireless Network?
A. The Cisco Unified Wireless Network is the industry's only unified wired and wireless solution to cost-effectively address the WLAN security, deployment, management, and control issues facing enterprises. This powerful solution combines the best elements of wireless and wired networking to deliver scalable, manageable, and secure WLANs with a low total cost of ownership. It includes innovative RF capabilities that enable real-time access to core business applications and provides proven enterprise-class secure connectivity. The Cisco Unified Wireless Network delivers the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations expect from their wired LANs.
The Cisco Unified Wireless Network supports an enterprise-ready, standards-based, wireless security solution that gives network administrators' confidence that their data will remain private and secure when they use Cisco wireless products, Cisco Aironet Series products, Cisco Compatible Extensions products or Wi-Fi Certified WLAN client devices. This enterprise-class wireless security solution supports robust wireless LAN security services that closely parallel the security available in a wired LAN. It fulfills the need for consistent, reliable, and secure mobile networking by delivering industry-leading WLAN security services. It mitigates sophisticated passive and active WLAN attacks, interoperates with a range of client devices and provides reliable, scalable, centralized security management. The Cisco Unified Wireless Network allows network administrators to deploy large-scale enterprise WLANs with scalable problem-free security administration that does not increase the burden on the IT staff.
Q. Is PEAP a standard?
A. Not yet. PEAP is based on an I-D submitted to the IETF. Cisco, Microsoft, and RSA Security are actively involved in the IETF standards body supporting a standardized PEAP implementation.
Q. Where can I find information about the PEAP draft proposed to the IETF?
A. Please visit the IETF I-D Search Engine and search for "PEAP."
FEATURES AND BENEFITS
Q. What are the security benefits of PEAP?
A. PEAP provides the following security benefits:
• Relies on Transport Layer Security (TLS) to allow nonencrypted authentication types such as EAP-Generic Token Card (GTC) and One Time Password (OTP) support
• Uses server-side Public-Key Infrastructure (PKI)-based digital certification authentication
• Allows authentication to an extended suite of directories, including Lightweight Directory Access Protocol (LDAP), Novell NDS, and OTP databases
• Uses TLS to encrypt all user-sensitive authentication information
• Supports password change at expiration
• Does not expose the logon user name in the EAP identity response
• Is not vulnerable to dictionary attacks
• Provides dynamic privacy protection when used in conjunction with Temporal Key Integrity Protocol (TKIP) or the Advanced Encryption Standard (AES)
Q. What are the enterprise benefits of PEAP?
A. PEAP is based on server-side EAP-TLS. With PEAP, organizations can avoid the issues associated with installing digital certificates on every client machine as required by EAP-TLS; instead, they can select the methods of client authentication, such as logon passwords or OTPs, that best suit their corporate needs.
Q. How does PEAP authentication work?
A. PEAP works in two phases:
• In Phase 1, server-side TLS authentication is performed to create an encrypted tunnel and achieve server-side authentication in a manner similar to Web server authentication using Secure Sockets Layer (SSL), a popular and trusted security method. Once Phase 1 of PEAP is established, all data is encrypted, including all user-sensitive information.
• The framework for PEAP Phase 2 authentication is extensible, and the client can be authenticated using methods such as EAP-GTC and Microsoft Challenge Authentication Protocol (MS-CHAP) Version 2 within the TLS tunnel.
Q. What Cisco wireless products support PEAP?
A. A variety of Cisco wireless products support PEAP including: Cisco Aironet autonomous and lightweight access points, Cisco wireless LAN controllers and Cisco Aironet client devices. Cisco Compatible client devices running Cisco Compatible Extensions version 4 or later also support PEAP.
Q. Is PEAP authentication available on wireless clients from vendors other than Cisco?
A. Yes. PEAP authentication is allowed from any PEAP-enabled supplicants that comply with the proposed PEAP IETF I-D. Cisco encourages customers to verify support and interoperability with vendors before starting installation.
Q. Can I install both PEAP client software from Cisco and PEAP client software from Microsoft on my machine?
A. PEAP client software from Cisco is complementary to PEAP client software from Microsoft. Users may choose to install either of these PEAP implementations on their client machines. When the Cisco PEAP supplicant is installed on a client machine, it completely replaces any existing MS-CHAP Version 2 PEAP supplicant on the machine.
Q. Can I use client certificate authentication with PEAP?
A. PEAP is based on server-side EAP-TLS. Client certificate authentication is not required-only the server is authenticated using certificates.
Q. Does PEAP provide single-login to Windows domains for passwords or OTP?
A. PEAP is compatible with single-login, which is a function of the client supplicant. Single-login function may be available with third-party utilities. The Windows PEAP supplicant (PEAP/MS-CHAPv2) supports single sign-on. Cisco's PEAP/GTC supplicant does not support single sign-on.
Q. How does silent session resume work during a PEAP session?
A. PEAP supports silent session resume (also known as Fast Reconnect) when only Phase 1 of PEAP is executed. In Phase 2, the previous authentication state is reused. Users are not required to reauthenticate until the PEAP session timeout expires. The PEAP session timer is independent of the RADIUS session timer, which is used to control the volatility of dynamic encryption keys with EAP.
Q. Can I use PEAP with LDAP or Novell NDS databases?
A. Yes. PEAP provides interoperability with both LDAP and Novell NDS.
Q. What is the difference between the Microsoft PEAP supplicant and the Cisco PEAP supplicant?
A. Both supplicants support PEAP, but each supports different methods of client authentication through the TLS tunnel. The Microsoft PEAP supplicant supports client authentication by only MS-CHAP Version 2, which limits user databases to those that support MS-CHAP Version 2, such as Windows NT Domains and Active Directory. The Cisco PEAP supplicant supports client authentication by OTPs and logon passwords, enabling support for OTP databases from vendors (such as RSA Security and Secure Computing Corporation) and logon password databases (such as LDAP and Novell NDS) as well as Microsoft databases. In addition, the Cisco PEAP client includes the ability to hide user name identities until the TLS encrypted tunnel is established. This provides additional confidentiality that user names are not being broadcast during the authentication phase.