Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SafeNet Agent for FreeRADIUS

About Protected Extensible Authentication Protocol

search
printsuggest an editpdf paneldownload

About Protected Extensible Authentication Protocol

The Protected Extensible Authentication Protocol (PEAP) is a common authentication protocol for communication between a VPN server and mobile devices. The protocol works by covering the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.

EAP-PEAP uses TLS to authenticate only the Server-to-Client communication (and not the Client-to-Server communication). This ensures that only the server is required to have a public key certificate. Once the client is satisfied about the credibility of the server’s identity, the client and server exchange a sequence of EAP messages encapsulated within TLS.

FreeRADIUS has a built-in feature to locally terminate the TLS outer tunnel, decrypt the PEAP tunnel, and then extract the inner identity to proxy the MS-CHAPv2 authentication mechanism to another RADIUS server.

PEAP creates two concentric tunnels:

  • An encrypted and authenticated TLS outer tunnel.

  • An inner tunnel that uses an EAP method (such as EAP-MS-CHAPv2) for authentication, and is protected by the TLS outer tunnel.

An example of configuring certificates required for PEAP support is provided below.

copy link to clipboardSolution Configuration

PEAP adds a TLS layer on top of EAP and uses TLS to authenticate the server to the client. To achieve this, the FreeRADIUS server is required to have a server certificate. As an example, a Microsoft CA is used, but any other CA can be designated to provide a server certificate. Key certificate file and Client certificate is also required along with CA Server certificate.

note

Note

FreeRADIUS agent comes with the default certificates, which may or may not work with PEAP. You may create your own certificates if default certificates do not work.

On this page