EAP, LEAP, and PEAP – CompTIA Security+ SY0-401: 1.5


Wireless authentication is handled using one of the EAP family of protocols. In this video, you’ll learn the differences between the EAP, LEAP, and PEAP authentication protocols.

<< Previous Video: Wireless EncryptionNext: MAC Address Filtering >>


Now that you’ve decided how to encrypt the data going over your network, we now need to think about how we authenticate people to be able to use the wireless network. And there are some standard protocols you can use to do that. There’s EAP, there’s PEAP, and there’s LEAP to look at.

EAP, or eap, or extensible authentication protocol is a very common set of frameworks that can be used to authenticate people onto things like wireless networks. For instance, WPA2 and WPA use five different EAP types as authentication mechanisms. A very common way of setting up the authentication methods, especially early on in wireless networks, was created as a proprietary method by Cisco. And it’s called LEAP, that stands for light weight extensible authentication protocol.

One of the nice things about LEAP, and the reason that it’s called light weight, is that you don’t have to set up any digital certificates whatsoever. There’s no PKI involved. You simply use passwords and you’re able to communicate between your authentication methods and your wireless access points. This is based on Microsoft CHAP, which means that the information that’s being sent between these devices has a few security shortcomings.

A large amount of this traffic is in the clear. Even if it’s being hashed, you’re still able to see it without any special type of encryption going by. So most people think, eh, they would like a little more encryption on their wireless network, especially for their authentication. Most of the time then, you’d be implementing something like PEAP, which stands for protected extensible authentication protocol.

This was created by Cisco and Microsoft and RSA Security to come up with a way to encrypt all of this communication. That’s very much a standard and it networks across many different wireless devices. What this essentially does is create a TLS tunnel. Most people think of this as an SSL tunnel, which means you only need a certificate on the authentication server. And that way the authentication communication is all encrypted within that tunnel.