Protected Extensible Authentication Protocol (PEAP)
4/8/2010
PEAP is an EAP extension for Windows Embedded CE that enhances the security of the authentication phase. PEAP provides the security framework for mutual authentication between an EAP client and an EAP server. PEAP is not as secure as EAP-TLS, in which both sides authenticate with certificates, but it has the advantage of being able to use username/password authentication instead of client certificate authentication; the strength of that inner credential then bounds the strength of the whole exchange.
PEAP authentication is a two-part conversation between the EAP client and the EAP server. In the first part, TLS is used to establish a secure channel for the second part. During this handshake the server sends the client a certificate, which the client uses to authenticate the server; the client does not send a certificate of its own, as it would in a standard EAP-TLS authentication. Once the client has authenticated the server and the secure channel is established, the second part begins: a complete EAP conversation, for example EAP-MSCHAPv2 username/password authentication, is carried inside the secure channel. PEAP authentication succeeds only if both parts succeed. Because the server certificate is the only thing that authenticates the far end before the password exchange starts, the client must actually validate it (trusted issuer, expected server name); a client that accepts any certificate will run its MS-CHAPv2 exchange inside a tunnel to whoever answered.
Because PEAP uses TLS, much of TLS is available to PEAP implementations. TLS session resumption can be used for PEAP conversations, which allows quick re-authentication while roaming on a wireless network. The TLS channel also strengthens the authentication process: it helps protect the client identity sent in the inner conversation and helps prevent attackers from injecting packets into it. However, security issues found in TLS will also be found in PEAP.
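The two parts described above travel inside ordinary EAP packets of Type 25, framed like EAP-TLS (a flags byte with L, M and S bits) plus a PEAP version number in the low three bits of the flags. The following is an added example, not code from this page or from the Windows Embedded CE EAPTLS module: it builds the server's PEAP Start request that opens part one, parses packets, and fragments and reassembles a TLS message that is too large for one EAP packet, rejecting fragments that exceed the declared length. The sample TLS message is a constructed byte string, not a real ClientHello.

```python
"""PEAP (EAP type 25) outer framing: build, parse, fragment and reassemble.

Hypothetical example code; not part of the Windows Embedded CE EAPTLS module.
Sample packets below are constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2          # EAP Codes (Success=3/Failure=4 carry no Type)
EAP_TYPE_PEAP = 25                         # EAP method type assigned to PEAP
FLAG_LENGTH, FLAG_MORE, FLAG_START = 0x80, 0x40, 0x20   # L, M, S bits of the flags byte
VERSION_MASK = 0x07                        # PEAP version in the low three bits (v0 on Windows)


@dataclass
class PeapPacket:
    code: int
    identifier: int
    version: int
    start: bool                      # S: server's "begin the TLS handshake" request (part one)
    more: bool                       # M: more fragments of this TLS message follow
    tls_total_length: Optional[int]  # present only when L is set (normally the first fragment)
    tls_data: bytes                  # raw TLS record bytes (handshake, or the encrypted inner EAP)


def build_peap(code: int, identifier: int, tls_data: bytes = b"", *, version: int = 0,
               start: bool = False, more: bool = False,
               total_length: Optional[int] = None) -> bytes:
    """Serialise one EAP packet of Type 25; total_length sets the L flag."""
    flags = version & VERSION_MASK
    flags |= FLAG_START if start else 0
    flags |= FLAG_MORE if more else 0
    length_field = b""
    if total_length is not None:
        flags |= FLAG_LENGTH
        length_field = struct.pack("!I", total_length)
    payload = bytes([EAP_TYPE_PEAP, flags]) + length_field + tls_data
    length = 4 + len(payload)
    if length > 0xFFFF:
        raise ValueError("EAP packet exceeds the 16-bit Length field; fragment it")
    return struct.pack("!BBH", code, identifier & 0xFF, length) + payload


def parse_peap(raw: bytes) -> PeapPacket:
    """Parse and validate one EAP/PEAP packet; reject anything malformed."""
    if len(raw) < 6:
        raise ValueError("too short for EAP header + Type + flags")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes received")
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError(f"EAP Code {code} carries no method payload")
    if raw[4] != EAP_TYPE_PEAP:
        raise ValueError(f"EAP Type {raw[4]} is not PEAP (25)")
    flags, pos, total = raw[5], 6, None
    if flags & FLAG_LENGTH:
        if len(raw) < pos + 4:
            raise ValueError("L flag set but 4-byte TLS length missing")
        (total,) = struct.unpack("!I", raw[pos:pos + 4])
        pos += 4
    return PeapPacket(code, identifier, flags & VERSION_MASK, bool(flags & FLAG_START),
                      bool(flags & FLAG_MORE), total, raw[pos:])


def fragment(code: int, first_identifier: int, tls_message: bytes,
             max_tls_bytes: int, version: int = 0) -> List[bytes]:
    """Split a TLS message across EAP packets: L on the first, M on all but the last."""
    pieces = [tls_message[i:i + max_tls_bytes]
              for i in range(0, len(tls_message), max_tls_bytes)] or [b""]
    out = []
    for i, piece in enumerate(pieces):
        declared = len(tls_message) if i == 0 and len(pieces) > 1 else None
        out.append(build_peap(code, first_identifier + i, piece, version=version,
                              more=i < len(pieces) - 1, total_length=declared))
    return out


class TlsReassembler:
    """Reassembles fragmented TLS messages, enforcing the declared total length."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self._expected: Optional[int] = None

    def feed(self, pkt: PeapPacket) -> Optional[bytes]:
        """Return the complete TLS message once the last fragment arrives, else None."""
        if pkt.tls_total_length is not None:
            if self._buf:
                raise ValueError("L flag on a non-initial fragment")
            self._expected = pkt.tls_total_length
        self._buf += pkt.tls_data
        if self._expected is not None and len(self._buf) > self._expected:
            raise ValueError("fragments exceed the declared TLS message length")
        if pkt.more:
            return None
        if self._expected is not None and len(self._buf) != self._expected:
            raise ValueError("last fragment received but declared length not reached")
        message = bytes(self._buf)
        self._buf, self._expected = bytearray(), None
        return message


if __name__ == "__main__":
    # Part one opens with the server's PEAP Start request (no TLS data yet).
    start = parse_peap(build_peap(EAP_REQUEST, 1, start=True))
    print("Start request: version", start.version, "S flag", start.start)
    # Constructed stand-in for a client TLS message larger than one EAP packet.
    client_msg = b"\x16\x03\x01" + bytes(range(256)) * 4
    reassembler = TlsReassembler()
    for pkt in fragment(EAP_RESPONSE, 1, client_msg, 400):
        done = reassembler.feed(parse_peap(pkt))
    print("Reassembled", len(done), "bytes, intact:", done == client_msg)
```

The reassembler's length checks are the part worth copying: a peer that lies in the L-flag length, or keeps sending M-flagged fragments, must be cut off rather than allowed to grow the buffer, since everything before the tunnel is up arrives unauthenticated.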
Implementation
PEAP is implemented in the EAPTLS module and relies on the MS-CHAP v2 support in the EAPCHAP module; therefore, both the EAPTLS and EAPCHAP modules must be included in a build that supports PEAP.
The option to use PEAP for authentication is set during RAS or 802.1x configuration. When creating a new connection on a Windows Embedded CE device, PEAP is enabled from the security settings screen: select the Use Extensible Authentication Protocol (EAP) check box, then select PEAP from the drop-down list.
Note
Support for all TLS ciphersuites is not required to use PEAP. The only ciphersuites that must be supported are TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA. RC4 ciphersuites have since been prohibited for TLS (RFC 7465), so a current authentication server is likely to refuse them, and a client limited to these two suites will then fail the first-part handshake. The negotiated ciphersuite protects the TLS tunnel and therefore only the second part of the PEAP conversation; the EAP packets exchanged before the tunnel is established are not encrypted by it.
Registry Settings
The following example shows the registry settings for PEAP, annotated with ; comments. The key name 25 is the EAP method type number assigned to PEAP, and the three DLL paths point at eaptls.dll because PEAP is implemented in the EAPTLS module.
[HKEY_LOCAL_MACHINE\Comm\EAP\Extension\25]
; 25 is the EAP method type number assigned to PEAP
"FriendlyName"="PEAP"
; prompt for the user name of the inner credential (as the value name indicates)
"InvokeUserNameDialog"=dword:1
; configuration UI, protocol implementation and interactive UI all live in eaptls.dll
"ConfigUIPath"="eaptls.dll"
"Path"="eaptls.dll"
"InteractiveUIPath"="eaptls.dll"
; restrict the inner method to EAP-MSCHAPv2 (as the value name indicates)
"EAPMSCHAPv2Only"=dword:1
See Also
Concepts
EAP Authentication Protocols
Transport Level Security (TLS)
EAP Application Development