
The Advantages of Protected Extensible Authentication Protocol (PEAP): A Standard Approach to User Authentication for IEEE 802.11 Wireless Network Access

Positioning Paper
Microsoft Corporation
Published: June 2003

Abstract

Wireless network access is becoming commonplace, and users, network providers, and enterprise
security managers have a corresponding requirement for a standards-based approach to user
authentication. The standards you adopt within your enterprise should address the specific security
requirements of wireless network access, and should allow for the continued use and natural extension
of much of the existing user authentication infrastructure. Microsoft has been instrumental in the
development of Protected Extensible Authentication Protocol (PEAP), a draft standard for a common
approach to wireless-network user authentication. The PEAP proposal is supported under the security
framework of the Institute of Electrical and Electronics Engineers (IEEE) 802.1X specification, and has
been submitted to the Internet Engineering Task Force (IETF) for consideration as a standard protocol.

This paper provides background on the efforts of IEEE and IETF to address secure wireless access and
compares PEAP with other standards-based and proprietary schemes. The paper also makes a case for using
standards-based protocols, and describes why PEAP is the best common authentication method for wireless
network access.
Microsoft® Windows Server™ 2003 White Paper

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This Positioning Paper is for informational purposes only. MICROSOFT
MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE
INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be
reproduced, stored in or introduced into a retrieval system, or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording,
or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or
other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to
these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.
© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Windows NT, Active Directory, and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
Contents

Introduction
  The Introduction of 802.1X to Improve Wireless Network Security
  Extensible Authentication Protocol for Wireless Authentication
Guidelines for Choosing an 802.1X Authentication Scheme
Authentication Schemes Available for 802.1X-Compliant Networks
  Authentication Schemes Based on EAP-TLS
    EAP-TLS
    Protected Extensible Authentication Protocol
  Authentication Schemes Not Based on EAP-TLS
    EAP-MD5
    Lightweight Extensible Authentication Protocol
  Summary Comparison of 802.1X Authentication Schemes
    Table 1: Comparison of Common 802.1X EAP-Encapsulated Authentication Protocols
PEAP Advantages
  PEAP Security and Ease of Deployment Advantages
  Vendor Support for PEAP is Increasing
  PEAP Provides More Options
Summary
  Table 2: PEAP and EAP-TLS Component Support from Microsoft
Related Links
The Advantages of Protected Extensible Authentication Protocol (PEAP): A Standard Approach to User Authentication for IEEE 802.11
Wireless Network Access 1
Introduction
Wireless access to corporate resources while in the office, at home, or traveling is now a reality and offers a
very flexible ‘no strings’ approach to networking. Wireless access points (APs) are now provided in such
places as hotel lobbies, airport lounges, and coffee bars. For the first time, there is the possibility of a single
standard access medium for global connection to the Internet and corporate resources.

Along with the introduction of wireless local area networks (WLANs) and mobile wireless came the unique
‘air-gap’ security issue that has received much coverage in security journals. The same security concerns
apply to mobile workers that may use wireless access to connect to a public TCP/IP network, and from there
connect to the home office: the wireless hop is exposed to attack in the same way as WLAN links in a
corporate office.

Microsoft recommends that you implement 802.1X authentication for wireless security. The 802.1X
specification requires an Extensible Authentication Protocol (EAP)-based method for authentication. EAP is
a framework that carries many methods; Windows supports two of them natively for wireless access:
EAP-Transport Layer Security (EAP-TLS) and Protected EAP (PEAP). If you are using, or plan to use, a public
key infrastructure (PKI) with client certificates, choose EAP-TLS. If your plans do not include a PKI, choose PEAP.

The Introduction of 802.1X to Improve Wireless Network Security


Because client authentication credentials are potentially exposed across the 802.11 wireless link, the IEEE
was tasked with recommending enhanced security for 802.11 networks. Microsoft has worked closely with
other companies to define how 802.1X can be applied to 802.11-based wireless networks. The IEEE
produced the 802.1X specification, which addresses many of the security issues of 802.11. The 802.1X
specification focuses on the protection of user authentication credentials, of particular concern to connections
across the exposed wireless link, and the protection of user data through scalable and secure management of
data encryption keys. The IEEE achieved these goals in an efficient way by recommending proven security
protocols that were standardized by the IETF. Today, 802.1X is the primary IEEE standard for secure,
authenticated wireless access.

Extensible Authentication Protocol for Wireless Authentication


The 802.1X specification recommends EAP, a widely used and flexible authentication transport. By using EAP
between the wireless client device and the back-office authentication servers, you can provide robust and
scalable authentication and reuse much of the infrastructure commonly present for dial-up remote access and
virtual private network (VPN) access.

As a consequence of IEEE interest in EAP, and the increasing popularity of EAP, the IETF is currently working
on clarifications to the EAP specification. This new draft standard, available at http://www.ietf.org/internet-
drafts/draft-ietf-eap-rfc2284bis-04.txt, includes interoperability and security guidelines for EAP implementers.

After studying the available EAP-based authentication schemes, Microsoft realized that further protocol
development was needed to address some security and deployment issues with EAP. As a result, Microsoft
has been instrumental in the development of PEAP, a draft standard for a common approach to wireless-
network user authentication. The PEAP proposal is supported under the security framework of the IEEE
802.1X specification, and has been submitted to the IETF. This paper studies the advantages of PEAP over
other EAP types, and describes why PEAP is a leading candidate for an industry standard for wireless-
network user authentication.

To introduce PEAP into your environment requires little infrastructure change. If your wireless APs support
802.1X and EAP, then you can use PEAP without any additional changes to your wireless APs. The wireless
client and the Remote Authentication Dial-In User Service (RADIUS) server must be updated to support
PEAP.

Guidelines for Choosing an 802.1X Authentication Scheme
When you implement 802.1X within your enterprise, you may use any authentication scheme that has been
standardized for use with EAP. The best authentication scheme for a particular installation depends on the
security requirements of the environment.

When choosing an authentication scheme, consider the following:

• Vendor support. The chosen scheme should enjoy widespread support among equipment vendors.
• Mutual authentication support. Mutual authentication prevents an intrusion onto the network by an
unauthorized user, and also ensures that the client is connecting to a trusted network. Without
support for server authentication, an attacker could install a rogue wireless AP to hijack client
connections and harvest client credentials.
• Rotating keys (frequency and ease of data encryption key changes). The generation of new
encryption keys at set intervals during a wireless LAN client’s session increases protection from
eavesdroppers.
• Security technology level (high, medium, or low). Use secure exchange of user credentials during
the authentication process, and dynamic, manageable encryption.
• Standards based. Using standards that are widely supported by vendors allows for a multi-vendor
deployment to be achieved more easily.
• User credential protection. A wireless network session is most vulnerable when the user is
presenting their credentials. Protection of an Internet-based connection is also important for wireless
users who use the Internet to connect to private networks.
• Ease of implementation. Consider how easily the authentication scheme can be incorporated into
your existing authentication infrastructure.
• Global applicability or single user identity for network logon and authentication. This enables
your wireless users to use the same logon method for network access and authentication, regardless
of location or network provider, and to allow the same scheme for dial-up, VPN, and wireless access.
• Credential flexibility. A typical authentication infrastructure will make use of a number of user
credential schemes to suit different connectivity circumstances.
• Reduced latency. Your solution should add minimal latency as a mobile user roams between
wireless APs, so that each hand-off does not interrupt the user's sessions or force a full
authentication exchange against the back-end servers.

The next section describes in detail the authentication schemes that are currently available and how they
address these user authentication aspects.

Authentication Schemes Available for 802.1X-Compliant Networks
The 802.1X standard uses the IETF EAP specification (originally defined for dial-up links) described in Request
for Comments (RFC) 2284, which offers an authentication transport that supports arbitrary authentication
schemes suitable for a variety of network access scenarios. This enables you to more easily incorporate
802.11 client devices into existing authentication deployments that already use EAP for dial-up and VPN
access.

EAP is a transport protocol for authentication schemes. The authentication schemes available as standards
can be divided into two main groups: those based on EAP-TLS, and those not based on EAP-TLS.

Authentication Schemes Based on EAP-TLS


These schemes offer authentication using digital certificates, with full end-to-end encryption for an
authentication channel.

EAP-TLS

EAP-TLS (RFC 2716) was designed by Microsoft and is based on an authentication protocol that is nearly
identical to the protocol used in the Secure Sockets Layer (SSL) protocol for securing Web transactions. EAP-
TLS provides mutual authentication between the client and the authentication server. Once authentication is
completed, 802.1X enables dynamic encryption keys to be generated. In EAP-TLS, digital certificates are
used for mutual authentication. Digital certificates can be stored on smart cards or on the client computer.

By using the strong authentication provided by digital certificates, EAP-TLS greatly reduces the risk of a
successful attack on your network.

The main customer concern about deploying EAP-TLS as a global solution is the requirement to deploy and
manage digital certificates for each access client. Historically, the implementation of a PKI has been overly
complex. The PKI products available today have greatly reduced this complexity. For example, Certificate
Services in Microsoft® Windows Server™ 2003 supports certificate auto-enrollment and auto-renewal. This
further improves the security of 802.1X connections by automatically installing, expiring, and renewing
certificates.

Protected Extensible Authentication Protocol

PEAP is a more flexible scheme than EAP-TLS. PEAP creates an encrypted SSL/TLS tunnel between the
client and the authentication server, and the tunnel then protects the subsequent user authentication
exchange.

To create the secure tunnel between client and authentication server, the PEAP client first authenticates the
PEAP authentication server by its digital certificate, exactly as a browser authenticates a Web server under
SSL; only the server needs to own a certificate. This protection holds only if the client actually validates
that certificate (a trusted issuing CA and, where the client supports it, the expected server name). A client
configured to accept any server certificate will build its tunnel to a rogue AP's authentication server and
hand it the user's inner credentials.

Once the secure TLS tunnel has been established, you can select any standard user authentication scheme
for use within the tunnel. If you intend to use digital certificates to authenticate the client, Microsoft
recommends that you use EAP-TLS rather than PEAP. If you are not currently planning to deploy a PKI,
Microsoft recommends you use PEAP-Microsoft Challenge Handshake Authentication Protocol version 2
(MS-CHAP v2) user authentication because it provides a combination of security, interoperability, flexibility,
and ease of deployment. This combination is not offered by most other password methods available today.

For Microsoft Windows products, existing EAP plug-ins written to the current EAP application programming
interface (API) should work transparently with PEAP.

To prevent a possible man-in-the-middle attack, Microsoft recommends that you do not use the same
authentication method and credentials for PEAP and non-PEAP connections, unless the non-PEAP
connections are otherwise protected by Internet Protocol security (IPSec). The reason is that the inner
method is not cryptographically bound to the TLS tunnel: an attacker who sits between a client using the
method untunneled and a PEAP server can relay the client's inner exchange into a tunnel that the attacker,
not the client, established, and so obtain network access as that user.

PEAP-MS-CHAP v2 is supported by wireless clients running Windows Server 2003, Microsoft Windows XP,
Windows® 2000, or Pocket PC 2002. It is also supported in Internet Authentication Service (IAS) for both
Windows 2000 Server and Windows Server 2003. You can add other authentication schemes by using the
EAP snap-in modules that access the EAP API. For more information, see Internet Authentication Service
Extensions on MSDN®, the Microsoft Developer Network.

PEAP transactions occur during the 802.1X authentication process. PEAP authentication occurs in two
phases:
● Phase 1 - A TLS handshake in which the client authenticates the authentication server by its
certificate, preventing connections to rogue networks, and both sides derive keys for an encrypted,
integrity-protected TLS tunnel.
● Phase 2 - A second EAP conversation (for example, EAP-MS-CHAP v2) runs inside that tunnel to
authenticate the user. The tunnel protects the client authentication exchange from anyone on the
wireless link or on the path to the authentication server.

After the user is successfully authenticated, keying material derived from the TLS session is supplied by the
authentication server to the wireless AP (carried in the RADIUS Access-Accept and protected by the RADIUS
shared secret); the client derives the same material locally. From this keying material, the AP and the client
generate fresh encryption keys for data protection. Figure 1 shows an example of PEAP authentication in a
wireless environment.
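The key delivery described above, as an added example (not code from this paper, from IAS, or from any AP vendor): after PEAP succeeds, the RADIUS server hands the session key to the AP in Microsoft MS-MPPE-Send-Key / MS-MPPE-Recv-Key vendor-specific attributes, wrapped as RFC 2548 specifies with an MD5 keystream keyed by the RADIUS shared secret, the Request Authenticator and a two-byte salt. The block builds and parses such an attribute and shows that an AP holding the shared secret recovers the key while an AP without it does not. The shared secret, Request Authenticator and session key are constructed sample values.

```python
import hashlib
import os
import struct
from typing import Optional, Tuple

# RADIUS Vendor-Specific attribute (type 26) carrying Microsoft's MPPE keys
# (RFC 2548). The server sends these in the Access-Accept after a successful
# PEAP authentication; the AP unwraps them with the RADIUS shared secret.
VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def _keystream_xor(secret: bytes, request_authenticator: bytes, salt: bytes,
                   data: bytes, decrypting: bool) -> bytes:
    """RFC 2548 2.4.2: b(1) = MD5(S+R+A), b(i) = MD5(S+c(i-1)), c(i) = p(i) XOR b(i)."""
    out = b""
    prev = request_authenticator + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, b))
        out += result
        # The chain always runs on the ciphertext block: the input when
        # decrypting, the output when encrypting.
        prev = block if decrypting else result
    return out


def wrap_key(secret: bytes, request_authenticator: bytes, key: bytes,
             salt: Optional[bytes] = None) -> bytes:
    """Return salt || wrapped(length || key || zero padding to 16 bytes)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if salt is None:
        # RFC 2548 requires the high bit of the salt to be set.
        salt = bytes([0x80 | (os.urandom(1)[0] & 0x7F)]) + os.urandom(1)
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    return salt + _keystream_xor(secret, request_authenticator, salt, plaintext, decrypting=False)


def unwrap_key(secret: bytes, request_authenticator: bytes, wrapped: bytes) -> bytes:
    """Reverse wrap_key; a wrong secret yields garbage or an out-of-range length."""
    salt, body = wrapped[:2], wrapped[2:]
    if not body or len(body) % 16:
        raise ValueError("malformed MPPE key attribute")
    plaintext = _keystream_xor(secret, request_authenticator, salt, body, decrypting=True)
    length = plaintext[0]
    if length > len(plaintext) - 1:
        raise ValueError("key length out of range (wrong shared secret?)")
    return plaintext[1:1 + length]


def build_mppe_vsa(vendor_type: int, secret: bytes, request_authenticator: bytes, key: bytes) -> bytes:
    """Encode a Vendor-Specific attribute: type, len, vendor id, then vendor type/len/value."""
    value = wrap_key(secret, request_authenticator, key)
    sub = bytes([vendor_type, 2 + len(value)]) + value
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", MICROSOFT_VENDOR_ID) + sub


def parse_mppe_vsa(attr: bytes, secret: bytes, request_authenticator: bytes) -> Tuple[int, bytes]:
    """Validate the attribute framing and return (vendor_type, session key)."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != MICROSOFT_VENDOR_ID:
        raise ValueError("not a Microsoft VSA")
    vendor_type, sub_len = attr[6], attr[7]
    if sub_len != len(attr) - 6:
        raise ValueError("bad sub-attribute length")
    return vendor_type, unwrap_key(secret, request_authenticator, attr[8:])


def ap_recover_key(attr: bytes, secret: bytes, request_authenticator: bytes) -> Optional[bytes]:
    """What an AP ends up with: the key if it holds the right secret, else None or garbage."""
    try:
        return parse_mppe_vsa(attr, secret, request_authenticator)[1]
    except ValueError:
        return None


# Constructed sample values (not from any real deployment).
SHARED_SECRET = b"example-radius-secret"      # never reuse a sample secret
REQUEST_AUTHENTICATOR = bytes(range(16))      # random per Access-Request in practice
SESSION_KEY = bytes(range(0x10, 0x30))        # 32-byte key derived from the PEAP TLS session


def demo() -> Tuple[bool, bool]:
    """(authorized AP recovered the key, rogue AP with a guessed secret recovered the key)."""
    attr = build_mppe_vsa(MS_MPPE_RECV_KEY, SHARED_SECRET, REQUEST_AUTHENTICATOR, SESSION_KEY)
    authorized = ap_recover_key(attr, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    rogue = ap_recover_key(attr, b"guessed-secret", REQUEST_AUTHENTICATOR)
    return authorized == SESSION_KEY, rogue == SESSION_KEY


if __name__ == "__main__":
    print(demo())
```

The wrapping is only as strong as the RADIUS shared secret and the confidentiality of the Request Authenticator, which is why the paper's "unauthorized wireless APs are not provided with the encryption keys" depends on provisioning each AP with its own strong secret.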

Figure 1: PEAP Authentication Scheme

[Figure 1 (diagram not reproduced). Participants, left to right: Laptop (Client; user Fred with password), AP (Authenticator), Internet Authentication Service (RADIUS), Active Directory (credentials and policy). First EAP session, EAP type EAP-PEAP: PEAP Phase 1, end-to-end EAP, creates the TLS channel. Encrypted and integrity-protected TLS channel between client and IAS. Second EAP session, EAP type EAP-MS-CHAP-v2: PEAP Phase 2, EAP type MS-CHAP-v2 or other scheme, inside the channel. Keys for the cipher suite are delivered to client and AP; WEP protection of the wireless link follows.]

Notes:
• Standards-based (EAP, TLS, RADIUS)
• EAP end-to-end, so suitable over the Internet
• User credential protected by TLS encryption and authentication
• Supports any user authentication EAP type within the TLS channel

For more details about PEAP, see PEAP with MS-CHAP Version 2 for Secure Password-based Wireless
Access.

Authentication Schemes Not Based on EAP-TLS


These schemes offer password-only authentication and are less secure than TLS-based schemes. The
security weaknesses are discussed in more detail in the "EAP-MD5" and "Lightweight Extensible
Authentication Protocol" sections.

EAP-MD5

EAP-Message Digest 5 (MD5) provides a one-way authentication mechanism using a password. For wireless,
this method is deprecated due to security concerns, and replaced by the more robust PEAP standard. EAP-
MD5 authenticates the user with a challenge/response exchange sent directly over the wireless medium: the
server's challenge and the client's MD5 response both cross the air in the clear, so an eavesdropper can test
candidate passwords against a captured pair at hash speed, with no lockout to slow the attack (an offline
dictionary attack). Moreover, EAP-MD5 does not provide mutual authentication, which means the client could
connect to an unauthorized AP. EAP-MD5 is also unable to generate keying material for use as encryption
keys, resulting in a dependency on manual key changes.

As a consequence of these limitations, EAP-MD5 is now widely regarded as unsuitable as a wireless
authentication method.
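The two weaknesses described above, the offline dictionary attack and the missing server authentication, as an added example (not code from this paper): EAP-MD5 carries the CHAP algorithm of RFC 1994, so the response is MD5(identifier || password || challenge) over values an eavesdropper sees. The block models the captured exchange, runs a dictionary attack against it, and shows the extra damage a rogue AP can do because the client never authenticates the server: it can send every client the same challenge and recover weak passwords by table lookup. The password, identifier and wordlist are constructed sample data. LEAP's challenge/response uses a different hash construction, so this code models EAP-MD5 only.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# EAP-MD5 is CHAP (RFC 1994) carried in EAP: the peer answers a server
# challenge with MD5(identifier || password || challenge). Identifier,
# challenge and response all cross the wireless link unencrypted.


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Compute the EAP-MD5 Response value for one challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_exchange(identifier: int, password: bytes,
                     challenge: Optional[bytes] = None) -> Dict[str, object]:
    """Model one EAP-MD5 round trip as a passive sniffer captures it.

    Everything in the returned dict is visible on the air; only the password is not.
    """
    if challenge is None:
        challenge = os.urandom(16)  # the server's random challenge
    return {
        "identifier": identifier,
        "challenge": challenge,
        "response": eap_md5_response(identifier, password, challenge),
    }


def offline_dictionary_attack(captured: Dict[str, object], wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Recover the password from a captured exchange without touching the network.

    The response is a plain hash of guessable input, so each candidate is tested
    locally at hash speed; no account lockout or rate limit applies.
    """
    ident, chal, resp = captured["identifier"], captured["challenge"], captured["response"]
    for candidate in wordlist:
        if eap_md5_response(ident, candidate, chal) == resp:
            return candidate
    return None


def rogue_server_table(identifier: int, fixed_challenge: bytes, wordlist: Iterable[bytes]) -> Dict[bytes, bytes]:
    """Precompute response -> password for a challenge the attacker chose.

    EAP-MD5 gives the client no way to authenticate the server, so a rogue AP can
    send the same challenge to every client and recover weak passwords by lookup
    instead of by per-victim brute force.
    """
    return {eap_md5_response(identifier, w, fixed_challenge): w for w in wordlist}


def harvest_with_rogue_server(table: Dict[bytes, bytes], identifier: int,
                              fixed_challenge: bytes, password: bytes) -> Optional[bytes]:
    """A victim answers the rogue AP's fixed challenge; look its response up."""
    captured = eap_md5_exchange(identifier, password, fixed_challenge)
    return table.get(captured["response"])


# Constructed sample data (not from any real capture).
SAMPLE_WORDLIST = [b"password", b"letmein", b"Summer2003!", b"wireless", b"fred123"]
SAMPLE_PASSWORD = b"Summer2003!"
SAMPLE_IDENTIFIER = 0x2A


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """(password recovered from a sniffed exchange, password recovered by a rogue AP)."""
    captured = eap_md5_exchange(SAMPLE_IDENTIFIER, SAMPLE_PASSWORD)
    recovered = offline_dictionary_attack(captured, SAMPLE_WORDLIST)
    fixed = bytes(range(16))  # the rogue AP's unchanging challenge
    table = rogue_server_table(SAMPLE_IDENTIFIER, fixed, SAMPLE_WORDLIST)
    harvested = harvest_with_rogue_server(table, SAMPLE_IDENTIFIER, fixed, SAMPLE_PASSWORD)
    return recovered, harvested


if __name__ == "__main__":
    print(demo())
```

Under PEAP the same challenge and response travel inside the TLS tunnel, so the sniffer in `eap_md5_exchange` sees only TLS records and `offline_dictionary_attack` has nothing to test against; the rogue-server table is also defeated because the client rejects a server whose certificate it does not trust.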

Lightweight Extensible Authentication Protocol

In the absence of a suitable standards-based approach to easing the security issues with the original 802.11
specification, Cisco introduced Lightweight Extensible Authentication Protocol (LEAP), also known as EAP-
Cisco, in version 11.21 of the Cisco Aironet AP firmware. The LEAP specification is not publicly available, and
LEAP support is only available from a few vendors that have partnered with Cisco. LEAP requires vendor-
specific link-layer handling, restricting its use to those AP devices that have licensed LEAP from Cisco.

LEAP is a non-TLS scheme that shares a number of the weaknesses inherent in EAP-MD5. LEAP offers
stronger authentication than EAP-MD5, but still lacks TLS protection of the exchange end to end, so the
authentication credentials remain susceptible to offline dictionary attacks. In addition, because the LEAP
client authenticates the server only through a weak password-based challenge rather than a certificate, it
cannot reliably distinguish a wireless AP authorized by the corporate IT administrator from a rogue wireless
AP on the same corporate network.

The LEAP authentication service uses a password-based hashing scheme to verify the client's identity. The
lack of end-to-end protection means that authentication credentials are exposed to replacement, dictionary,
and other types of attacks.

As with all password-based authentication schemes, standard security practices recommend you use strong
passwords and the application of corporate policies to enforce password-complexity verification and regular
password changes. However, LEAP does not support the ability to force periodic password changes, and this
can inhibit the deployment of strong password policies.

Figure 2 shows an example of LEAP authentication in a wireless environment. The LEAP password-based
authentication phase is followed by the exchange of keying material to enable the encryption keys to be
assigned dynamically.

[Figure 2 (diagram not reproduced). Participants, left to right: Laptop (Client; user Fred with password), AP (Authenticator), ACS (RADIUS Server with user database). A single EAP session, EAP type EAP-LEAP, runs between client and AP; a RADIUS password exchange runs between the AP and ACS. Keys for the cipher suite are delivered to client and AP; WEP protection of the wireless link follows.]

Notes:
• Proprietary EAP and RADIUS extensions
• EAP not end-to-end, so not suitable over the Internet
• User credential only protected by hashing scheme
• Credentials limited to password

Figure 2: LEAP Authentication Scheme

Because LEAP is not an open standard and currently works with only Cisco APs, it may limit your future
networking infrastructure choices from a hardware and software perspective, and thus could lead to
potentially higher long-term deployment costs. In contrast, the TLS-based EAP solutions described in the
section "Authentication Schemes Based on EAP-TLS" offer stronger authentication and the benefit of broader
vendor support.

Summary Comparison of 802.1X Authentication Schemes


Table 1 provides a comparison of commonly available wireless authentication technologies, based on security
features and deployment considerations.

Table 1: Comparison of Common 802.1X EAP-Encapsulated Authentication Protocols

Vendor support
  LEAP (EAP-Cisco): Cisco scheme; only supported by a limited range of wireless network adapters and wireless AP equipment from Cisco.
  EAP-TLS: Widely supported.
  EAP-MD5: Wide support, but not recommended for wireless.
  PEAP advantages: Widely supported by Microsoft, Cisco, Funk, Interlink Networks, Meetinghouse and other vendors.

Mutual authentication
  LEAP (EAP-Cisco): Yes, with passwords. Weak form of server authentication.
  EAP-TLS: Yes, user and server with certificates.
  EAP-MD5: No, client authentication only.
  PEAP advantages: Yes, using an end-to-end encrypted TLS tunnel for user credentials. The server is authenticated with a certificate and the user by any EAP-supported scheme. Strong form of server authentication prevents rogue wireless APs.

Rotating keys (re-keying)
  LEAP (EAP-Cisco): Generated during authentication. Low key strength.
  EAP-TLS: Generated during authentication. High key strength.
  EAP-MD5: No. Relies on static keys.
  PEAP advantages: Generated during authentication. High key strength.

Security technology level
  LEAP (EAP-Cisco): Stronger than MD5 but exposed to offline dictionary attacks.
  EAP-TLS: Strong.
  EAP-MD5: Weak. Not secure.
  PEAP advantages: Strongest password-based approach available.

Standards-based
  LEAP (EAP-Cisco): No.
  EAP-TLS: Yes.
  EAP-MD5: Yes.
  PEAP advantages: Yes.

User credential protection
  LEAP (EAP-Cisco): Open to offline dictionary attack.
  EAP-TLS: Certificate-based authentication.
  EAP-MD5: Open to offline dictionary attack.
  PEAP advantages: Protected by TLS tunnel.

Ease of implementation
  LEAP (EAP-Cisco): Limited choice of wireless network adapters, wireless APs, and RADIUS servers.
  EAP-TLS: Requires PKI. Widely supported and offered natively in Windows clients.
  EAP-MD5: Simple, but not recommended for wireless.
  PEAP advantages: Widely supported and offered natively in Windows clients.

Global applicability
  LEAP (EAP-Cisco): Limited vendor choice.
  EAP-TLS: Requires PKI.
  EAP-MD5: Not secure, so a poor choice.
  PEAP advantages: Widely available open standard with growing support.

Credential flexibility
  LEAP (EAP-Cisco): None. Password only.
  EAP-TLS: Only digital certificates.
  EAP-MD5: Password only.
  PEAP advantages: Any approved EAP method.

PEAP Advantages
Choosing which authentication scheme to deploy is often confusing to customers. From the previous sections
and the summary in Table 1, you can see that PEAP offers a number of advantages. This section describes
the advantages of PEAP in more detail.

PEAP Security and Ease of Deployment Advantages


• The client products in the software families of Windows Server 2003, Windows 2000, Windows
XP, and Pocket PC 2002 offer support for PEAP (either natively or with the application of a
system update), so there is no need for you to install third-party client software.

• Internet Authentication Service (IAS) is Microsoft's implementation of a RADIUS server. IAS in
Windows 2000 Server and Windows Server 2003 supports PEAP, so there is no need to install
third-party RADIUS software.
• PEAP addresses many of the EAP security issues highlighted in draft-ietf-eap-rfc2284bis-0x.txt, a
recently published IETF draft.
• PEAP uses a TLS-tunnel to protect the user credentials. Other password-based methods (such
as LEAP and EAP-MD5) do not create a TLS-tunnel and are exposed to offline dictionary
attacks on the user credentials.
• Using the TLS-tunnel from the client to the authentication server, PEAP offers end-to-end
protection, not just over the wireless data-link. This is particularly important when a mobile user
is using a public network to access a private network. For non-TLS schemes (LEAP and EAP-
MD5), the password is exposed to attack on the wireless link and across the public network.
• PEAP supports any EAP compatible type. PEAP is also defined as an extensible authentication
method that can embrace new EAP authentication schemes as they become ratified. Microsoft
Windows PEAP supports passwords and certificate authentication, and also allows any EAP-
based method provided by partners to be used within PEAP.
• Within the TLS tunnel, PEAP hides the EAP type that is negotiated for client authentication, so an
attacker on the wireless link cannot see, modify, or inject packets into the inner exchange. Because
every record in the TLS tunnel is both encrypted and integrity-protected, the PEAP client and server
can trust the authenticity of the authentication data.
• PEAP offers strong protection against the deployment of unauthorized wireless APs because
the client verifies the RADIUS server's identity before proceeding with further authentication or
connectivity. The wireless AP only relays the PEAP messages; it is unable to decrypt them.
• PEAP yields strong per-session keys that are used to encrypt the data communications between
clients and wireless APs. New encryption keys are derived for each connection and are delivered
only to the authorized wireless AP accepting the connection. Unauthorized wireless APs are not
provided with the encryption keys.
• PEAP does not require the deployment of certificates to wireless clients. Only the PEAP server
(authentication server) needs to be assigned a certificate. The PEAP server certificate can be
managed using an internal certification authority (CA) product, or acquired from a certificate
management company, such as VeriSign and Thawte.
• Password-based schemes rely on strong passwords to help defend against brute-force guessing.
With PEAP, although you should still follow best practices for strong password format and
management, your users' credentials are not exposed to offline attack because the inner exchange
is protected by TLS. PEAP does not stop online guessing against the authentication server itself,
so account lockout and logging policies still apply.
• Microsoft offers native support for PEAP so that the user can use the same logon credentials
for all network connections and applications. PEAP integrates seamlessly with Microsoft
Windows domain policy, group policy, and logon scripts. This means that PEAP by default
transparently uses the same logon credentials you type when you first log into your network.
Alternatively, you can specify that PEAP authentication should use a different user name and
password credential, if you are not concerned about preserving the "single logon" experience
for your users. Non-TLS schemes (LEAP or EAP-MD5) do not support single logon, logon
scripts, or group policy.
• Authentication schemes for which there are no standards or publicly available specifications will
not receive rigorous peer security review. PEAP is an open standard supported under the
security framework of the IEEE 802.1X specification, and has been submitted to the IETF.
• Windows Server 2003 group policy features can be used to centrally configure the properties of
PEAP on all Windows XP (Service Pack 1 or later) or Windows Server 2003 wireless clients.
• PEAP can be used securely and efficiently with roaming wireless devices. Authentication
latency is frequently a concern with wireless networks because users may need to reconnect to
the network through a number of AP devices as they roam. As a result, it is valuable to be able
to do quick re-authentication. PEAP supports this capability by leveraging the TLS session
resumption facility, and any EAP method running under PEAP can take advantage of it.
• The PEAP protocol specifies an option of hiding the user's name - identity privacy. The
Microsoft implementation of PEAP does not support identity privacy at this time, but there are
plans to support it in future.

Vendor Support for PEAP is Increasing


PEAP is an open protocol, submitted to the IETF as an Internet-Draft, that addresses the wireless security issues raised by the IEEE and the IETF. PEAP does not require changes to wireless APs that conform to the IEEE 802.1X standard, because an 802.1X AP only relays EAP between the client and the RADIUS server without interpreting the EAP method. Only the wireless client and the RADIUS server must support PEAP.
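The pass-through role described above, as an added example that is not part of the paper or of any vendor's product: a Python model of what an 802.1X access point does with EAP, stripping the EAPOL framing on the wireless side and carrying the identical EAP bytes in RADIUS EAP-Message attributes (type 79) toward the server, and the reverse on the way back. The constants come from RFC 3748 (EAP), IEEE 802.1X (EAPOL) and RFC 2869 (EAP-Message); the sample packets, including the 1000-byte stand-in for a PEAP TLS fragment, are constructed. It also shows why a single PEAP packet spans several EAP-Message attributes: a RADIUS attribute value holds at most 253 octets.

```python
"""
What an 802.1X access point does with EAP: it strips the EAPOL framing on the
wireless side and forwards the EAP packet, byte for byte, inside RADIUS
EAP-Message attributes (type 79) on the wired side. Added example, not
Microsoft code. Constants: RFC 3748 (EAP), IEEE 802.1X (EAPOL), RFC 2869
(EAP-Message). Sample packets are constructed.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 1, 0
RADIUS_ATTR_EAP_MESSAGE = 79
RADIUS_ATTR_VALUE_MAX = 253        # 255-octet attribute minus Type and Length


def eap_packet(code, identifier, eap_type, type_data):
    """Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def eapol_frame(eap):
    """EAPOL: Version(1) Type(1) Body-Length(2), then the EAP packet as the body."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def eap_from_eapol(frame):
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET or len(frame) < 4 + body_len:
        raise ValueError("not a complete EAPOL EAP-Packet frame")
    return frame[4:4 + body_len]


def radius_eap_message_attrs(eap):
    """One EAP packet -> one or more EAP-Message attributes, in order (RFC 2869).
    Each attribute is Type(1) Length(1, includes these two octets) Value(<=253)."""
    attrs = b""
    for off in range(0, len(eap), RADIUS_ATTR_VALUE_MAX):
        chunk = eap[off:off + RADIUS_ATTR_VALUE_MAX]
        attrs += struct.pack("!BB", RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return attrs


def eap_from_radius_attrs(attrs):
    """Concatenate the EAP-Message values in order; skip any other attribute."""
    eap, pos = b"", 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_ATTR_EAP_MESSAGE:
            eap += attrs[pos + 2:pos + alen]
        pos += alen
    return eap


def count_eap_message_attrs(attrs):
    """How many EAP-Message attributes the packet was split into."""
    pos, n = 0, 0
    while pos + 2 <= len(attrs) and attrs[pos + 1] >= 2:
        n += attrs[pos] == RADIUS_ATTR_EAP_MESSAGE
        pos += attrs[pos + 1]
    return n


def ap_forward_to_server(eapol):
    """AP, supplicant -> server: drop EAPOL, never look at the EAP Type."""
    return radius_eap_message_attrs(eap_from_eapol(eapol))


def ap_forward_to_supplicant(attrs):
    """AP, server -> supplicant: reassemble the EAP packet, add EAPOL framing."""
    return eapol_frame(eap_from_radius_attrs(attrs))


def round_trip(eap):
    """Supplicant -> AP -> RADIUS -> AP -> supplicant. Returns (attrs, eap_back)."""
    attrs = ap_forward_to_server(eapol_frame(eap))
    return attrs, eap_from_eapol(ap_forward_to_supplicant(attrs))


if __name__ == "__main__":
    ident = eap_packet(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, b"anonymous")
    # Constructed stand-in for a PEAP response carrying a 1000-byte TLS fragment.
    peap = eap_packet(EAP_RESPONSE, 8, EAP_TYPE_PEAP, b"\x00" + b"\x16" * 999)
    for name, pkt in (("identity", ident), ("peap", peap)):
        attrs, back = round_trip(pkt)
        print(name, len(pkt), "bytes ->", count_eap_message_attrs(attrs),
              "EAP-Message attrs, intact:", back == pkt)
```

The AP in this model touches only framing: the EAP Type (1 for Identity, 25 for PEAP, or any method added later) is opaque to it, which is exactly why a PEAP rollout is a client and RADIUS server change. A real Access-Request that carries EAP-Message must also carry a Message-Authenticator attribute (HMAC-MD5 over the packet with the shared secret) so the server can reject forged relays; that is left out here.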

The wide support for PEAP from vendors is encouraging. For example, apart from Microsoft, PEAP is now
supported by Funk Software, Meetinghouse Data Communications, Interlink Networks, Cisco, and other
vendors.

Choosing an open standards-based approach will give you greater choice of price and functionality in the
wireless products you purchase.

A popular standard is also easier to deploy in your network and easier to maintain. If you choose an accepted
standard for authentication over 802.11 networks, you will more quickly realize the goal of a connect-
anywhere wireless service that allows connection to wireless LANs and public wireless APs globally, using a
single authentication method.

Microsoft Windows XP, Windows 2000, Windows Server 2003, and Pocket PC 2002 offer support for PEAP
(either natively or with the installation of a system update), so there is no need for you to install third-party
client or server software. Using native 802.1X support will ease your installation and maintenance workload.
Using the 802.1X-enabled wireless client from Microsoft, a user can be authenticated by any industry-
standard RADIUS servers that support PEAP (such as IAS from Microsoft), and through any industry-
standard wireless APs that support 802.1X.

PEAP Provides More Options
PEAP allows any EAP method to be used to authenticate the user inside the TLS tunnel. This means you can safely use a variety of authentication methods, including passwords, smart cards, and device certificates, to fit the requirements of a particular deployment, and migrate to stronger methods as the need arises. PEAP does not require certificates on the clients, so there is no client-side PKI to deploy; the RADIUS server does need a certificate that the clients are configured to validate, because that validation is what authenticates the tunnel endpoint. Being both secure and light to deploy, PEAP offers you an ideal solution for a common authentication method across your network.
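An added example, not from the paper or from Microsoft, of the structure this section and the identity-privacy bullet above describe: the outer EAP-Identity carries only "anonymous"; EAP type 25 (PEAP) packets fragment the tunnel bytes using the L (length included) and M (more fragments) flags; and the real identity plus the inner EAP method (here an MS-CHAP v2 response, EAP type 26, with constructed type-data) can be recovered only by the party holding the tunnel key. The tunnel is a stand-in (per-record SHA-256 keystream plus HMAC-SHA256) for the TLS record layer so the script runs offline; it is not TLS and is not a cipher to reuse. The key, identities and inner payload are constructed; the flag bit values are those of PEAP version 0.

```python
"""
PEAP framing: an outer EAP-Identity that reveals only "anonymous", then EAP
type 25 (PEAP) packets carrying tunnel records that hold the inner EAP
conversation. Added example, not Microsoft's or any vendor's code. The tunnel
is a stand-in (per-record SHA-256 keystream + HMAC-SHA256) for the TLS record
layer so this runs offline; it is NOT TLS and not a reusable cipher.
PEAPv0 flags: L=0x80 length included, M=0x40 more fragments, S=0x20 start,
low three bits = version.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2 = 1, 25, 26
FLAG_L, FLAG_M, FLAG_S, PEAP_VERSION = 0x80, 0x40, 0x20, 0
TAG_LEN = 32


def eap_packet(code, identifier, eap_type, type_data):
    """Code(1) Identifier(1) Length(2) Type(1) Type-Data (RFC 3748)."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


# ---- stand-in for the TLS record layer (demonstration only) ----------------
def _keystream(key, seq, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!QQ", seq, i)).digest()
        i += 1
    return out[:n]


def tunnel_seal(key, seq, plaintext):
    """Encrypt-then-MAC; seq plays the role of the TLS record sequence number."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, seq, len(plaintext))))
    return ct + hmac.new(key, struct.pack("!Q", seq) + ct, "sha256").digest()


def tunnel_open(key, seq, record):
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    want = hmac.new(key, struct.pack("!Q", seq) + ct, "sha256").digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("tunnel integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, seq, len(ct))))


# ---- PEAP outer packets ------------------------------------------------------
def peap_fragments(code, first_id, tls_data, max_frag):
    """Split tunnel bytes across EAP-PEAP packets: the first fragment of a
    multi-fragment message carries L and the 4-octet total length; every
    fragment but the last carries M. The Identifier increments per packet."""
    frags = [tls_data[i:i + max_frag] for i in range(0, len(tls_data), max_frag)]
    packets = []
    for n, frag in enumerate(frags):
        flags, prefix = PEAP_VERSION, b""
        if n == 0 and len(frags) > 1:
            flags, prefix = flags | FLAG_L, struct.pack("!I", len(tls_data))
        if n < len(frags) - 1:
            flags |= FLAG_M
        packets.append(eap_packet(code, first_id + n, EAP_TYPE_PEAP,
                                  bytes([flags]) + prefix + frag))
    return packets


def peap_reassemble(packets):
    """Receiver: check each PEAP header, honour L/M, return the tunnel bytes."""
    data, total = b"", None
    for pkt in packets:
        _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
        if eap_type != EAP_TYPE_PEAP or length != len(pkt):
            raise ValueError("not a well-formed PEAP packet")
        body = pkt[6:]
        if flags & FLAG_L:
            total, body = struct.unpack("!I", body[:4])[0], body[4:]
        data += body
        if not flags & FLAG_M:
            break
    if total is not None and total != len(data):
        raise ValueError("fragment length mismatch")
    return data


def peap_response(key, seq, first_id, inner_eap, max_frag=48):
    """Supplicant: seal one inner EAP packet and fragment it into PEAP packets.
    (Real PEAPv0 sends inner EAP without Code/Identifier/Length; kept for clarity.)"""
    return peap_fragments(EAP_RESPONSE, first_id, tunnel_seal(key, seq, inner_eap), max_frag)


def peap_unwrap(key, seq, packets):
    """Server: reassemble fragments, open the record, recover the inner EAP packet."""
    return tunnel_open(key, seq, peap_reassemble(packets))


def run_exchange(real_identity, key=b"constructed-tunnel-key"):
    """Phase 1 sends only the anonymous outer identity; phase 2 sends the real
    identity and an MS-CHAP v2 response (constructed payload) inside the tunnel.
    Returns (packets seen on the air, inner packets recovered by the server)."""
    wire = [eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"anonymous")]
    inner = [eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, real_identity),
             eap_packet(EAP_RESPONSE, 2, EAP_TYPE_MSCHAPV2, b"constructed MS-CHAPv2 response")]
    recovered, next_id = [], 2
    for seq, pkt in enumerate(inner):
        frags = peap_response(key, seq, next_id, pkt)
        wire += frags
        next_id += len(frags)
        recovered.append(peap_unwrap(key, seq, frags))
    return wire, recovered
```

What is on the air is the anonymous outer identity and sealed records; the user name and the password-based method never appear in clear, and a modified record is rejected before the inner method runs. The protection only holds if the client has verified who it built the tunnel with: a client that accepts any server certificate would build this same tunnel to a rogue RADIUS server behind a rogue AP, which is why the server-certificate validation setting on the client matters as much as the tunnel itself.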

PEAP can also be used with standards for other network access modes that use EAP, such as traditional dial-
up, VPN access, and Point-to-Point Protocol over Ethernet (PPPoE). In the future, Microsoft plans to support
PEAP over dial-up and VPN connections.

Summary
Microsoft recommends security products that are standards-based and robust, and EAP-TLS (for certificate-
based environments) and PEAP offer the most secure and flexible standards available today. Microsoft is also
committed to working with the IETF to help obtain standard status for PEAP. By choosing a standard
technology solution like PEAP that has wide industry acceptance, you benefit by making “connect anywhere”
wireless access a reality.

The Microsoft Windows client and server products have native support for IEEE 802.1X, and will be updated
with service packs as new innovations in wireless security become available through standards. Table 2
shows Microsoft's support for wireless security and related features in its base operating system platforms.

Table 2: PEAP and EAP-TLS Component Support from Microsoft

Feature: 802.1X-capable wireless client
Microsoft support: Available for Microsoft Windows XP, Windows 2000, Windows Server 2003, and Pocket PC 2002. Microsoft plans to provide support in all future product releases. Includes PEAP-MS-CHAP v2 and EAP-TLS.

Feature: 802.1X-capable RADIUS server
Microsoft support: Available in Internet Authentication Service (IAS) in the Windows Server 2003 and Windows 2000 Server families. Includes PEAP-MS-CHAP v2 and EAP-TLS.

Feature: 802.1X-ready Active Directory®
Microsoft support: Available in the Windows Server 2003 and Windows 2000 Server families. Manages user credentials and policies.

Feature: Certification authority (CA)
Microsoft support: Available in Certificate Services in the Windows Server 2003 and Windows 2000 Server families. PKI CA for wireless client and RADIUS server certificates.

Related Links
See the following resources for further information:
• Microsoft Wi-Fi Web site at http://www.microsoft.com/wifi

• Microsoft Internet Authentication Service Web site at http://www.microsoft.com/ias

• PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0702.asp

For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at
http://www.microsoft.com/windowsserver2003.
