Protected EAP (PEAP) Support Added to Windows XP SP1 and Windows Server 2003

RFC 2284 defines the Extensible Authentication Protocol (EAP), which provides support for multiple authentication methods. Although EAP was originally created for use with Point-to-Point Protocol (PPP), it has been adopted for use with IEEE 802.1x Network Port Authentication.

Since EAP's deployment, a number of weaknesses in EAP have become noticeable. These include the following:

• Lack of protection of the user identity or the EAP negotiation.
• No standardized mechanism for key exchange.
• No built-in support for fragmentation and reassembly.
• Lack of support for fast reconnect.

Protected EAP (PEAP) addresses these deficiencies by wrapping the EAP protocol in Transport Layer Security (TLS). Any EAP method running in PEAP is provided with built-in support for key exchange, session resumption, and fragmentation and reassembly.

PEAP with MS-CHAP v2 is provided with Windows XP Service Pack 1 (SP1) as part of enhanced EAP and IEEE 802.1x support. This permits Windows XP wireless clients to use PEAP with MS-CHAP v2 for secure wireless access with passwords instead of certificates.

The Internet Authentication Service (IAS) networking component provided with Windows Server 2003 also supports PEAP with MS-CHAP v2, permitting an IAS server to authenticate wireless clients that are running Windows XP SP1. IEEE 802.1x authentication with PEAP support is also available for Windows 2000 clients and the IAS component. For additional information about adding IEEE 802.1x with PEAP support to Windows 2000 clients and IAS servers, click the following article number to view the article in the Microsoft Knowledge Base: See Q313664 for details. PEAP with MS-CHAP v2 requires certificates on the IAS servers but not on the wireless clients. IAS servers must have a certificate installed in their Local Computer certificate store. Instead of deploying a Public Key Infrastructure (PKI), you can purchase individual certificates from a third-party certification authority (CA) to install on your IAS servers. To make sure that wireless clients can validate the IAS server certificate chain, the root CA certificate of the CA that issues the IAS server certificates must be installed on each wireless client.

Windows XP includes the root CA certificates of many third-party CAs. If IAS server certificates are purchased from a third-party CA that corresponds to an included root CA certificate, no additional wireless client configuration is required. For information about how to obtain a PEAP-compatible certificate from Verisign, visit the following Verisign Web site: If you purchase your IAS server certificates from a third-party CA for which Windows XP does not include a corresponding root CA certificate, you must install the root CA certificate on each wireless client.