The Elektron PEAP service provides Protected Extensible Authentication Protocol authentication services to Wi-Fi clients. PEAP was developed by Microsoft and Cisco as a means to allow clients to log in to Wi-Fi networks using a username and password while keeping these login credentials protected with the use of encryption. PEAP is very similar to TTLS, with the only major difference being the method of encoding the inner authentication.

PEAP is the protocol used by the Windows XP, Windows Vista, and Windows 7 WPA client software. In order for Elektron to authenticate Windows XP, Windows Vista, and Windows 7 clients, the PEAP service must be running.

PEAP builds upon EAP-TLS. A client wishing to connect to the Wi-Fi network first establishes a connection to the selected access point. The access point forwards the connection request to the Elektron server, which establishes a TLS connection between itself and the client. This TLS channel keeps all communications between the Elektron server and the client encrypted, preventing eavesdroppers from examining data passed between the two hosts, which includes sensitive information such as passwords.

The TLS connection proves the identity of the server. During the establishment of the TLS connection, the Elektron server sends its digital certificate, which the client may use to validate the server’s identity.

After the TLS connection is established, the client proves its identity to the Elektron server by sending a username and password, or by sending its own digital certificate. This portion of the PEAP protocol happens inside the TLS channel, and is known as the inner identity phase. The inner identity phase can occur using one of several different protocols: EAP-MS-CHAP-V2, EAP-MD5-Challenge, EAP-TLS, or EAP-GTC.

Windows clients support only EAP-MS-CHAP-V2 as their inner authentication method. In order to authenticate clients running Windows, EAP-MS-CHAP-V2 must be enabled. Cisco clients use EAP-GTC.

Using the PEAP service panel, you may decide which EAP types are allowed as inner authentication methods. If the PEAP service is running, at least one inner authentication method must be enabled.
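The following added example (not Elektron code; all function names are hypothetical) shows how an allow-list of inner methods can be enforced against a client's inner EAP response, including the Nak a client sends when it is offered a method it does not support. It assumes the inner packet has already been decrypted from the TLS channel and carries a full RFC 3748 EAP header.

```python
import struct

# EAP type numbers per RFC 3748 and the IANA EAP registry; 26 is the value
# EAP-MS-CHAP-V2 implementations use on the wire.
EAP_NAK = 3
INNER_METHODS = {4: "EAP-MD5-Challenge", 6: "EAP-GTC", 13: "EAP-TLS", 26: "EAP-MS-CHAP-V2"}
REQUEST, RESPONSE = 1, 2


def parse_eap(packet: bytes):
    """Return (code, identifier, type, type_data) for an EAP Request/Response."""
    if len(packet) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (REQUEST, RESPONSE):
        raise ValueError("not an EAP Request/Response")
    if length < 5 or length > len(packet):
        raise ValueError("bad EAP length field")
    return code, ident, packet[4], packet[5:length]


def validate_policy(enabled: set):
    """Mirror the panel rule: only known inner methods, at least one enabled."""
    unknown = enabled - set(INNER_METHODS)
    if unknown:
        raise ValueError(f"not a PEAP inner method: {sorted(unknown)}")
    if not enabled:
        raise ValueError("at least one inner authentication method must be enabled")


def next_inner_method(response: bytes, enabled: set):
    """Return the inner method type to continue with, or None to reject."""
    validate_policy(enabled)
    code, _, eap_type, data = parse_eap(response)
    if code != RESPONSE:
        return None
    if eap_type == EAP_NAK:
        # Legacy Nak: type-data lists the methods the client is willing to use.
        return next((t for t in data if t in enabled), None)
    return eap_type if eap_type in enabled else None


def build_response(ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Build a constructed sample EAP Response for exercising the checks."""
    return struct.pack("!BBHB", RESPONSE, ident, 5 + len(data), eap_type) + data
```

A client that only supports EAP-MS-CHAP-V2 answers an EAP-GTC offer with a Nak naming type 26; the check continues only if that type is in the enabled set.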

Elektron supports both PEAP version 0 and PEAP version 1.