An enterprise needs a safe, secure, and proper network infrastructure implementation to ensure a functional business environment. The Protected Extensible Authentication Protocol (PEAP) is a form of EAP protocol used by organizations to protect their data over-the-air. The PEAP authentication is an 802.1X authentication method where a server-side certificate establishes a secure tunnel between the client and server for secure authentication.
The PEAP authentication also forms an encrypted TLS tunnel between the user and server where the information is encrypted before storing it in the tunnel for better security. However, the PEAP authentication method still uses passwords widely instead of digital certificates. Passwords can be cracked, leaving the whole network vulnerable to attacks, thus rendering it insecure.
This article will focus on the Protected Extensible Authentication Protocol (PEAP) and its shortcomings, as organizations still use it widely. Then, we would compare PEAP authentication with more secure protocols like the EAP-TLS and weigh its benefits against PEAP.
Click here to see how a Fortune 100 Powerhouse moved to EAP-TLS with SecureW2.
What is the Protected Extensible Authentication Protocol (PEAP)?
Many authentication protocols based on the Extensible Authentication Protocol (EAP) are used today. EAP provides an authentication framework for users accessing a network or VPN.
Protected Extensible Authentication Protocol (PEAP) is one example of a protocol based on the EAP framework. The “P” in Protected Extensible Authentication Protocol (PEAP) means that the whole exchange occurs via transport layer security (TLS). TLS is also known as the outer tunnel. In the tunnel, an MSCHAPv2 challenge response occurs when the client and the RADIUS server prove that the user and RADIUS know each other and identify the password.
The PEAP protocol involves two main phases to authenticate a user to a server:
Phase 1: Every user has an authenticator attached to it. The authenticator sends across an EAP-Request/Identity message. The handshake begins when the client replies with a true or anonymous identity, which is harder to steal.
Phase 2: The user’s identity is asked for by the EAP server to strengthen the channel connection. This makes it more difficult to crack or manipulate the network.
Is PEAP Secure?
PEAP with MSCHAPv2 is an authentication protocol for clients/users accessing a network. The schema of this authentication is WPA2_Enterprise and is similar to the WPA/WPA2 standard of wireless communication. The authentication method is a single PSK, whereas the WPA2-Enterprise allows for a complete authentication cycle via the EAP mechanism.
PEAP-MSCHAPv2 is an authentication framework for widespread legacy schemes, i.e., you can use a Windows Server user database by configuring a network access server with PEAP with MSCHAPv2 that uses a RADIUS protocol to connect to a server and authenticate a user within a protected TLS tunnel via the MSCHAPv2 scheme. The client authenticates network-attached storage (NAS) by verifying his network certificate during the TLS handshake.
The parties initiate a TLS tunnel by generating a common TLS key after successful authentication and authorization to the server. The TLS allows both parties to derive a common secret and is generally secure against Man–in–the–Middle (MITM) attacks if the client or the server does not skip the server certificate validation process. One should note that many platforms don’t utilize server certificate validation, leaving the whole network vulnerable to attacks.
Server certificate validation is skipped mainly due to the practice of using self-signed certificates for TLS authentication. Network admin has the onus of providing the apt certificates and ensuring they are verified; otherwise, it could lead to bypass verification and the usage of an insecure network.
Example of a MITM attack on a PEAP-MSCHAPv2 network
A straightforward MITM attack on a network happens as follows:
1.MitM waits for a legitimate device to enter an un-tunneled legacy remote authentication protocol and captures the initial messages sent by the legitimate client.
2. MitM initiates a tunneled authentication protocol with an authentication agent.
3. After the tunnel is set up between MitM and the authentication agent, the MitM starts forwarding legitimate clients’ authentication messages.
4. MitM unwraps the legacy authentication protocol messages received through the tunnel from the authentication agent and forwards them to the legitimate client.
5. After the remote authentication ends successfully, MITM derives the session keys from the same keys it uses for the tunnel.
A MITM can intercept a network by producing a hotspot with the same SSID and a stronger signal than the original server if there is a lack of encryption. Then an MITM can be orchestrated through mobile internet on the phone, and a hotspot is created with the same SSID to the access point under duress.
Subsequently, the MITM moves closer to the victim and sends a direct de-authentication package to reinitiate the internet session. At this stage, your phone would be chosen as a NAS. In an encrypted network, if the attacker knows the password to impersonate the server and attack the network wreaking havoc on the organizational data and network.
Recent PEAP Vulnerabilities Explained
In February 2023, Microsoft published a security update on the various actively exploited critical vulnerabilities that impact Microsoft networks and servers. More PEAP vulnerabilities are found as time passes, so keeping up-to-date on any related security changes is prudent.
Remote Code Execution Vulnerability Impacting PEAP
Microsoft finds a Remote Code Vulnerability (RCE) affecting the PEAP server. An attacker can orchestrate an attack on the PEAP server by sending a specially designed malicious PEAP packet over the network.
Another RCE has also been explored wherein the attacker can target the server account of the victim by sending a remote code and setting the cycle of a malicious code to the network via a network call. The attacker can execute this code without privileged access or user deliberation.
It is noted that Microsoft PEAP is only negotiated with the client if NPS runs on the Windows Server and has a network policy configured that allows PEAP.
A few other vulnerabilities from 2023 are also mentioned here:
- A denial of service vulnerability in Microsoft Protected Extensible Authentication Protocol (PEAP) can be exploited remotely to cause a denial of service.
- A remote code execution vulnerability in Microsoft Protected Extensible Authentication Protocol (PEAP) can be exploited remotely to execute arbitrary code.
- An information disclosure vulnerability in Microsoft Protected Extensible Authentication Protocol (PEAP) can be exploited remotely to obtain sensitive information.
The list of PEAP exploits keeps growing yearly, indicating that it is increasingly becoming vulnerable to threats. It is prudent that organizations start looking at alternatives to secure their network.
Alternatives to PEAP
PEAP is not the only authentication protocol in use today. As we mentioned previously, there are many iterations of EAP, some of which are more secure than others.
Most organizations use one of the following protocols to secure their network over-the-air:
- PEAP-MSCHAPv2
- EAP-TTLS/PAP
- EAP-TLS
- EAP-SIM
Of the options, we feel that EAP-TLS is the most secure due to its use of public-private key cryptography (digital certificates). Not only is it more secure, but it’s also a faster authentication method than many of its alternatives.
What is EAP-TLS?
EAP-TLS, also known as Extensible Authentication Protocol-Transport Layer Security, provides enhanced network security by allowing only authenticated users to access company data, resources, and applications. This is possible using X.509 digital certificates exclusively enabled by the EAP-TLS protocol. EAP-TLS is based on public-private key cryptography that eliminates the need for passwords and, in short, is a secure alternative to PEAP.
With the EAP-TLS protocol, exchanging private keys is mandatory to initiate communication between two parties; asymmetric encryption uses two pairs of public and private keys separately. The strength of the encryption makes it impossible to crack without knowing the hidden private key, so even intercepted communication is safe from prying eyes.
Benefits Of EAP-TLS
EAP-TLS has a lot of benefits from both the user experience and security point of view. Its use of digital certificates makes it significantly more secure than password-based authentication. Some other benefits of the EAP-TLS are listed here:
- EAP-TLS ties user and device identities with digital certificates that provide holistic visibility of anyone who uses the network.
- Since digital certificates cannot be duplicated, misplaced, or stolen, the admins can trace the user’s or device’s identity. This helps in case of any vulnerabilities or apparent signs of compromise on the network.
- EAP-TLS boosts user experience as they no longer have to remember lengthy, numerous passwords for various devices and applications.
- EAP-TLS uses advanced cryptographic features like elliptic curve cryptography (ECC), a key-based protocol for data encryption.
- ECC uses the elliptic curve theory that focuses on public-private key cryptography for data encryption and is compared to the RSA.
How is EAP-TLS Better Than PEAP Authentication?
The EAP-TLS and the PEAP authentication methods use the EAP protocol for authentication, where information is sent in packets through an encrypted tunnel.
So what makes EAP-TLS a better option than PEAP authentication?
First, EAP-TLS uses digital certificates for authentication. These certificates are usually authenticated by an authentication server such as Cloud RADIUS, ensuring only authorized users can access your network. This is already inherently more secure than PEAP-MSCHAPv2 since no credentials are being sent over-the-air that hackers can intercept.
The information exchange process between a device, AP, and RADIUS differ in EAP-TLS and the PEAP methods, but the TLS handshake is a factor that binds them together. EAP-TLS authenticates users and devices to the network in fewer steps than the PEAP authentication protocol. This may be insignificant for a few devices, but it makes a huge difference in an organization.
Organizations are riddled with a lot of users and devices that are looking to connect to a network. A shorter connect time would reduce the burden on the RADIUS, reducing the chances of redundancy.
Leverage Certificate-Based Authentication Powered By EAP-TLS with Securew2
EAP-TLS and PEAP use EAP to secure their data sent over the air. However, there is an array of superior features with EAP-TLS authentication. EAP-TLS is more secure than PEAP authentication as it leverages X.509 digital certificates compared to passwords.
With digital certificates, you can add more device context to your network. You can see the exact number of devices, their login time, location, operating system, and other significant attributes like the usage pattern and updates. Certificates add a layer of zero-trust security to your network.
SecureW2 offers superior EAP-TLS solutions with their managed PKI, custom-made device onboarding, and a CloudRADIUS server that can be deployed with your existing infrastructure.
Click here to avail custom made network solutions for your organization now.