PEAP (Protected Extensible Authentication Protocol)

PEAP (protected extensible authentication protocol) is a security protocol used to better secure WiFi networks.

How many people within your organisation are tapping away on computers plugged into the walls of your headquarters? 

Chances are, some (or even) all of your company's employees work outside of the building from time to time. In fact, Stanford University suggests that working from home is the new normal, as more than 42 percent of people logged on remotely during the pandemic. And even when we're back in the office, we'll probably use laptops and phones to work. 

If you use WiFi to help these employees connect, whether they're inside the building or away from it, you could encounter significant security risks.

PEAP (protected extensible authentication protocol) was created to help. 

What Is PEAP?

For years, programmers have used something called EAP (extensible authentication protocol) to manage wireless connections. PEAP is a version of this technology, and it comes with enhanced security protections. 

In a traditional EAP, systems use a public key system to connect. If a user can prove credentials (such as entering a user name/password), the server then passes a public key to complete the transaction, and the users have an encryption key to decode it. 

Unfortunately, the entering of passwords and trading of keys can happen in unprotected spaces in an EAP. That leaves your system wide open for hacking. 

PEAP combines the speed of EAP with a transport layer security (TLS) tunnel. The entire communication between a client and the server is protected within that TLS tunnel. PEAP doesn't describe a specific method. Instead, it calls for chaining multiple EAP mechanisms together.

How PEAP Works 

The coding and technology behind PEAP are complex. Even Microsoft says that the average user working in a small office doesn't need to understand the ins and outs of complex security features like this. 

But digging into a high-level overview of the technology could help you understand how PEAP protects data as it moves between two parties. 

Connecting with a server and gaining access is called authentication, and it typically involves several steps. The PEAP protocol involves two phases.

  1. Phase 1: The Authenticator attached to the user's device sends an EAP-Request/Identity message. The client can reply with a true identity or a version that is anonymised, so it's harder to steal.

    The handshake between the two devices begins. In essence, the two systems jump through a basic challenge at this stage, but there's more work to be done.
     

  2. Phase 2: The EAP server sends another message, asking for the true identity of the user. The two strengthen their connection, and a channel opens.

    Here, a deeper connection is formed, and the systems trade keys. Since this step happens so late in the process, under protections of the TLS tunnel, it's very hard to crack or manipulate. 

Look over the illustration for a detailed description of all of the steps involved in authentication. As a user, you may never see all the work happening behind the scenes.

And the time lapse is minimal. With proper programming, you'll wait just seconds for the two systems to chat, connect, and let you through. 

Programming for Phase 2 

Use PEAP protocols, and you'll take authentication through two phases. You'll need a secondary tool to make the jump from phase one to phase two. 

Your options include:

  • EAP-MSCHAPv2. When bundled with PEAPv0, this is one of the most common forms of PEAP in use today. It comes standard with Microsoft products, and it handles the details of the second handshake in Phase 2 of authentication.
     
  • EAP-GTC. This product is meant to bundle with PEAPv1, and it works with products outside of the Microsoft environment. Since it takes some coding know-how to implement and its counterpart does not, this is rarely used. 

The jumble of letters and numbers can be confusing. But the benefits are clear. 

When you're using a PEAP method, with either of these helpers, you're proving that you deserve to have access to the server. You'll only need to prove that once, as your credentials are stored within the system. During your career with the organisation, you may never have to update your password (or remember it) ever again. Your time savings could be immense.

PEAP vs. EAP-TTLS

As we've mentioned, PEAP uses TLS to make messages secure and protected. But other systems also use TLS. As a network administrator, you have options. 

For example, some companies avoid PEAP, and they use something called EAP-TTLS instead. This product offers certificate-based authentication through a tunnel, very much like PEAP. But it's a proprietary protocol, and it doesn't come bundled into Microsoft products like PEAP does. 

As researchers point out, Microsoft has become synonymous with computers. Almost every individual and every business uses this kind of product to stay in business. If you choose EAP-TTLS instead of PEAP, you could spend an extensive amount of time installing it on every computer that needs to connect with you. 

Let Okta Help Protect Your Data 

WiFi makes connections simple. People within range just need to know the right credentials, and they're ready to connect.

But WiFi does come with some security risks, and finding them isn't always easy. Let us help.

At Okta, we can help you examine your setups and patch lapses that put your security at risk. 

References

Stanford Research Provides a Snapshot of a New Working-From-Home Economy. (June 2020). Stanford University. 

802.1X Overview and EAP Types. (October 2020). Intel. 

1.3 Overview. (October 2020). Microsoft. 

Microsoft's Windows Still Synonymous With Computer. (March 2020). Statista.