Protected Extensible Authentication Protocol
The Protected Extensible Authentication Protocol (PEAP) is a common authentication protocol for communication between a VPN server and mobile devices. It works by encapsulating the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.
EAP-PEAP uses TLS to authenticate the server to the client only, not the client to the server. This means that only the server needs a public key certificate. Once the client is satisfied that the server's identity is genuine, the client and server exchange a sequence of EAP messages encapsulated within the TLS tunnel.
FreeRADIUS has a built-in feature to terminate the outer TLS tunnel locally, decrypt the PEAP tunnel, extract the inner identity, and then proxy the MS-CHAPv2 inner authentication to another RADIUS server.
PEAP creates two concentric tunnels:
- An encrypted and authenticated TLS outer tunnel.
- An inner tunnel that uses an EAP method (such as EAP-MS-CHAPv2) for authentication and is protected by the TLS outer tunnel.
An example of configuring certificates required for PEAP support is provided below.
Solution Configuration
PEAP adds a TLS layer on top of EAP and uses TLS to authenticate the server to the client. To achieve this, the FreeRADIUS server must have a server certificate. In this example a Microsoft CA is used, but any other CA can be used to issue the server certificate. The server's private key file and a client certificate are also required, along with the CA server's certificate.
The FreeRADIUS agent ships with default certificates, which may or may not work with PEAP. If the default certificates do not work, create your own.
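The following is an added example (not the vendor's or the FreeRADIUS project's own file) of the `mods-available/eap` settings in FreeRADIUS 3.x that point PEAP at the CA-issued server certificate, its private key and the CA certificate described above; the file names under `${certdir}` and the key password are placeholders for the files you obtained from your CA.

```conf
# mods-available/eap (FreeRADIUS 3.x): PEAP using certificates issued by your CA.
# ${certdir} and ${cadir} are defined in radiusd.conf (default: ${confdir}/certs).
# File names and the key password below are PLACEHOLDERS for your CA-issued files.
eap {
    # Offer PEAP to clients by default.
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no

    tls-config tls-common {
        # Private key belonging to the server certificate; set the password if the key is encrypted.
        private_key_password = "REPLACE-WITH-KEY-PASSWORD"
        private_key_file     = ${certdir}/server.key
        # Server certificate issued by the CA (a Microsoft CA in this example).
        certificate_file     = ${certdir}/server.pem
        # Certificate of the CA that signed server.pem; clients must trust this CA.
        ca_file              = ${cadir}/ca.pem
        dh_file              = ${certdir}/dh
        # Restrict the outer tunnel to TLS 1.2 or newer.
        tls_min_version = "1.2"
        cipher_list     = "HIGH"
        cache {
            enable = no
        }
    }

    # The outer PEAP tunnel uses the certificates configured above.
    peap {
        tls = tls-common
        # Inner EAP method carried inside the TLS tunnel.
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # The inner identity and MS-CHAPv2 exchange are handled (or proxied) by this virtual server.
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}
```

`radiusd -C` checks the configuration for syntax errors, and `radiusd -X` runs the server in debug mode so the TLS handshake and the certificate presented to the client can be inspected.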