Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
PEAP (Protected EAP) wraps weaker EAP methods like MSCHAPv2 inside a server-authenticated TLS tunnel; widely used for 802.1X Wi-Fi login.
PEAP Definition: PEAP (Protected EAP) wraps weaker EAP methods like MSCHAPv2 inside a server-authenticated TLS tunnel; widely used for 802.1X Wi-Fi login.
PEAP (Protected Extensible Authentication Protocol) is an 802.1X authentication framework that protects client credential exchange by first establishing an encrypted TLS tunnel between the supplicant and the authentication server, then running a weaker inner EAP method inside that tunnel. It is most common in enterprise Wi-Fi (WPA2/WPA3-Enterprise) and wired 802.1X deployments.
PEAP authenticates in two phases. In phase one, the supplicant validates the authentication server's certificate and negotiates a TLS tunnel, shielding the subsequent exchange. In phase two, an inner EAP method runs through that tunnel to verify the user or device, most often EAP-MSCHAPv2 (PEAPv0) or EAP-GTC (PEAPv1). Because only the server presents a certificate, PEAP avoids the per-client certificate overhead of EAP-TLS while still encrypting credentials that would otherwise traverse the air in a vulnerable form.
PEAP matters because inner methods like MSCHAPv2 are cryptographically weak and trivially crackable if exposed; the TLS tunnel is what makes them safe enough for production. The protocol's security hinges entirely on validating the server certificate. If clients are misconfigured to skip certificate validation or trust any certificate, an attacker can stand up a rogue access point and RADIUS server, terminate the tunnel themselves, and capture MSCHAPv2 challenge-response pairs to recover passwords offline. Proper deployment requires pinning the expected CA and server name on every supplicant.
For example, a company deploys WPA2-Enterprise so employees sign in to Wi-Fi with their domain username and password. The RADIUS server (such as Microsoft NPS) presents a certificate from the corporate CA; each laptop's wireless profile is configured to trust only that CA and the specific server name. When an employee connects, the device builds a TLS tunnel to NPS, verifies the certificate, then sends the credentials via EAP-MSCHAPv2 inside the tunnel. A nearby evil-twin AP cannot present a trusted certificate, so compliant clients refuse it and the credentials are never exposed.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →