Talk:Protected Extensible Authentication Protocol

This article needs to be examined because it 'borrows' text from George Ou's article. There are some anti-Cisco statements in that article, which have been noted below.

I'm not a Cisco apologist, but in the name of objectivity, shouldn't this line be modified:

"As a result, most Cisco customers run the less secure and proprietary LEAP or EAP-FAST authentication protocols because they’ve swallowed the Cisco Kool-Aid."

Perhaps

"As a result, most Cisco customers run Cisco's proprietary LEAP or EAP-FAST authentication protocols due to their promotion by Cisco."

would be more appropriate?

No it should not be edited because it is 100% correct. LEAP and EAP-FAST are both less secure. In fact LEAP is so badly broken, even Cisco recommends not using it.

I think this sentence is misleading: PEAP-EAP-TLS is very similar in operation to the original EAP-TLS but provides slightly more protection due to the fact that portions of the client certificate that are unencrypted in EAP-TLS are encrypted in PEAP-EAP-TLS.

Realistically the effective strength of PEAP-EAP-TLS is no more than EAP-TLS. In both cases it is equal to the strength offered by TLS (which offers known key exchange protocols which are designed for "secure exchange" of keys on an "insecure" channel)

Removed link: As it no longer works. Jimlaflin 16:16, 23 September 2006 (UTC)
 * http://www.tinypeap.com/ - PEAP on WRT54G access points (Has not been updated for some time).

PEAPv0/EAP-MSCHAPv2
I find this part of the article is misleading: "PEAPv0/EAP-MSCHAPv2 is the most common form of PEAP in use, and what is usually referred to as PEAP. The inner authentication protocol is Microsoft's Challenge Handshake Authentication Protocol."

It's not really correct to say PEAPv0/EAP-MSCHAPv2 is a "form of PEAP". PEAP allows you to tunnel any EAP method inside the TLS channel that PEAP sets up in phase 1. While it's true that EAP-MSCHAPv2 is the common (default) setting used by Windows machines, PEAPv0 can be used just as well with EAP-TLS, EAP-MD5 or any other EAP method.

It would be clearer to just talk about PEAP in this article and make mention of the common inner EAP types used with it (such as EAP-MSCHAPv2, which should get its own entry). Mrsnooty 23:40, 27 June 2007 (UTC)

I forgot to add that this: "The inner authentication protocol is Microsoft's Challenge Handshake Authentication Protocol." is incorrect. EAP-MSCHAPv2 is not the same as MS-CHAPv2 - the former is an EAP "wrapper" around the standard MS-CHAPv2 protocol. The EAP-MSCHAPv2 draft standard is here: http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02

Merger Notice
I agree with the suggestion that this article should be merged into Extensible Authentication Protocol. I am considering taking up the work of carrying out the merger. I request the other contributors to voice objections if any (approvals are obviously welcome :) )

Kcrao - Engineer, Security and Wireless Technologies (talk) 09:16, 6 March 2009 (UTC)


 * I disagree. The material belongs in both, not one or the other. The tech is too complicated to fit neatly into a broader article with other highly complicated tech. By all means add whatever relevant material to the EAP article, but that section of the article should refer here for a complete understanding of the subject of PEAP. In other words, that article should redirect (on the subject of PEAP) here and not vice versa. Int21h (talk) 09:34, 20 March 2010 (UTC)

Find my device that was stolen 38.158.155.139 (talk) 19:21, 17 July 2023 (UTC)