17.10. EAP PEAP

Like EAP TLS (see Section 17.4. EAP TLS), EAP PEAP (often called just PEAP) uses Public Key Infrastructure (PKI) digital certificates. Unlike EAP TLS, it uses only a Server Certificate, so that the client can validate the server and then establish a secure, encrypted channel with the RADIUS server. Once this channel is established, it is used to tunnel further EAP messages to the RADIUS server. Radiator converts each of these so-called ‘inner requests’ into a new RADIUS request, which can then be authenticated by any supported AuthBy method. EAP PEAP authentication therefore happens in two phases, following these basic steps:
  1. The EAP PEAP client and the RADIUS server establish a communications channel. The EAP messages travel between the client and the NAS (for example a wireless access point) over the link layer, and between the NAS and the RADIUS server inside RADIUS requests and replies.
  2. The RADIUS server sends its Server PKI Certificate to the client.
  3. The client verifies that the server certificate is valid and is the correct certificate for the RADIUS server it is communicating with. It uses the Root Certificate of the Certificate Authority that issued the Server Certificate to validate the Server Certificate. (Root Certificates for most Public Certificate Authorities are built in to most clients. If the Server Certificate was issued by a Private Certificate Authority, the client requires a copy of the Root Certificate to be installed in order to validate the Server Certificate.) Checking the chain alone is not enough: the client should also be configured to accept only the expected issuing CA and the expected server certificate name, otherwise a rogue access point presenting any certificate that chains to a trusted root can terminate the tunnel itself and capture the inner credentials.
  4. If the client accepts the server certificate, the inner EAP authentication is then carried through the encrypted TLS tunnel. The inner EAP type depends on the PEAP client configuration; the most common inner types are EAP MSCHAPV2 and EAP TLS.
  5. Radiator converts each ‘inner’ request into a new RADIUS request and dispatches it to the first matching Realm or Handler clause, where it is handled by one or more AuthBy clauses. To help distinguish PEAP inner requests from outer ones, each inner request is tagged with the pseudo-attribute TunnelledByPEAP set to 1, which can be used in a Handler's match expression.
  6. The result of the inner authentication is sent back to the client through the TLS tunnel.
In order to use EAP PEAP, you must install a unique Server Certificate on your RADIUS server host, and configure Radiator to use it. For more information about Public and Private certificates and how to obtain them, see Section 17.4. EAP TLS. EAP PEAP does support dynamic WEP keys.
You can configure Radiator to handle the inner and outer requests in separate Handler or Realm clauses. You can also configure Radiator to convert an inner EAP-MSCHAPV2 request into a conventional RADIUS MSCHAPV2 request, which means that Radiator can serve as a gateway between EAP PEAP clients and a RADIUS server that does not support EAP.
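The following configuration fragment is an added example written for this page; it is not taken from the Radiator manual or distribution. It puts the six steps above and the separate inner/outer Handler arrangement into one radius.cfg: the outer Handler terminates the TLS tunnel with a server certificate only, the inner Handlers match on the TunnelledByPEAP pseudo-attribute, and one inner Handler forwards a legacy realm to a non-EAP RADIUS server as conventional MSCHAPV2. The file paths, shared secrets, IP address and realm name are placeholders, and the EAP_PEAP_MSCHAP_Convert parameter is used here on the assumption that it behaves as described; check all parameter names against the reference manual for your Radiator version.

```text
# Added example, not Radiator's own configuration. Paths, secrets and
# addresses are placeholders chosen for illustration.
Foreground
LogStdout
LogDir .
DbDir .
Trace 4

<Client DEFAULT>
    Secret mysecret
</Client>

# Inner requests for one legacy realm: forward to a RADIUS server that does not
# understand EAP. EAP_PEAP_MSCHAP_Convert (assumed parameter) turns the inner
# EAP-MSCHAPV2 exchange into ordinary RADIUS MS-CHAP-V2 attributes.
# Handlers are tried in order, so this more specific match comes first.
<Handler TunnelledByPEAP=1, Realm=legacy.example.com>
    <AuthBy RADIUS>
        Host 192.0.2.10
        Secret othersecret
        EAP_PEAP_MSCHAP_Convert 1
    </AuthBy>
</Handler>

# All other inner requests: Radiator has already decrypted the tunnel and
# tagged the request with TunnelledByPEAP=1, so this Handler only ever sees
# the inner EAP-MSCHAPV2 authentication, never the outer request.
<Handler TunnelledByPEAP=1>
    <AuthBy FILE>
        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>

# Outer requests: terminate the PEAP TLS tunnel here. Only a server
# certificate and private key are configured; no client certificate is asked
# for. The CA file is what clients must trust (step 3) and is the CA to pin
# in the client's supplicant profile.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType PEAP
        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
        EAPTLS_PrivateKeyPassword whatever
        EAPTLS_MaxFragmentSize 1024
        # Return the MPPE keys so the NAS can derive dynamic WEP or WPA keys
        AutoMPPEKeys
    </AuthBy>
</Handler>
```

With Trace 4 the log shows the outer request arriving without TunnelledByPEAP, the TLS handshake, and then a second, separate request carrying TunnelledByPEAP=1 and the inner User-Name, which is the point at which the Realm match decides between the local file and the forwarding Handler.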