![Meddane_0-1721065167968.png Meddane_0-1721065167968.png](https://community.cisco.com/t5/image/serverpage/image-id/223464i64BB53B52EC78282/image-size/large?v=v2&px=999)
Between the endpoint and the switch, EAP runs over Layer 2 of the OSI model, the data link layer, and doesn't require Layer 3 IP connectivity on the endpoint.
The EAP packet sent by the endpoint has no L3 or L4 headers: the EAP payload is carried directly in an EAPOL (EAP over LAN, EtherType 0x888E) frame with L2 information only. The source MAC address is the endpoint's. For the destination MAC address, 802.1X uses the reserved multicast PAE group address 01:80:c2:00:00:03 (Nearest non-TPMR Bridge), which bridges do not forward, so the frame is always consumed by the directly attached switch.
![Meddane_1-1721065167972.png Meddane_1-1721065167972.png](https://community.cisco.com/t5/image/serverpage/image-id/223465i4D84F68086D6FCDD/image-size/large?v=v2&px=999)
PEAP is an outer (tunneled) method that protects an inner method such as MSCHAPv2. To do this, PEAP has two phases. Phase 1 is negotiated to establish a secure TLS tunnel between the supplicant and the authentication server, like the TLS handshake for HTTPS traffic. Phase 2 runs the client authentication inside that tunnel, for example the user identity (username) and the MSCHAPv2 challenge/response that proves knowledge of the password, so the switch and anyone on the path only ever see TLS records.
At the start of the exchange, before the PEAP tunnel exists, the endpoint sends an EAP Response-Identity message to answer the EAP Request-Identity sent by the NAD (a switch, for example). This outer identity travels in the clear, so the supplicant can send either the real username or an anonymous identity here; with an anonymous outer identity the real username is only sent later, inside the Phase 2 tunnel.
![Meddane_2-1721065167973.png Meddane_2-1721065167973.png](https://community.cisco.com/t5/image/serverpage/image-id/223463iB42904AB7D364FDF/image-size/large?v=v2&px=999)
The switch encapsulates the EAP packet with Layer 3 and Layer 4 headers (IP and UDP, destination port 1812) and carries it in the EAP-Message attribute of a RADIUS Access-Request so that it can be routed to Cisco ISE.
![Meddane_3-1721065167976.png Meddane_3-1721065167976.png](https://community.cisco.com/t5/image/serverpage/image-id/223466i517577F1F28CD14E/image-size/large?v=v2&px=999)
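To make the two encapsulations concrete, here is an added Python example (not code from the original post or from Cisco) that builds the EAP Response-Identity shown above, wraps it first in an EAPOL frame the way the supplicant does, and then in a RADIUS Access-Request the way the switch does. The endpoint MAC, the shared secret and the anonymous identity are constructed sample values. It also implements the two RFC 3579 rules a NAD and server must follow: EAP-Message is split into 253-byte chunks, and Message-Authenticator (HMAC-MD5 over the packet with its own value zeroed) is mandatory whenever EAP-Message is present.

```python
import hashlib
import hmac
import os
import struct

# 802.1X PAE group address: Nearest non-TPMR Bridge (never forwarded by bridges)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2            # 802.1X-2004 framing
EAPOL_TYPE_EAP_PACKET = 0    # EAPOL-Packet carrying an EAP frame
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_eap_response_identity(identity: bytes, eap_id: int) -> bytes:
    """EAP header (Code, Identifier, Length) + Type 1 (Identity) + identity string."""
    type_data = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(type_data)) + type_data


def build_eapol_frame(src_mac: bytes, eap: bytes) -> bytes:
    """Ethernet II + EAPOL header + EAP packet. There is no IP or UDP header at all."""
    ethernet = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    eapol = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap))
    return ethernet + eapol + eap


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type(1) Length(1, includes header) Value(<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(eap: bytes, shared_secret: bytes, request_authenticator: bytes,
                         user_name: bytes, calling_station_id: bytes, req_id: int = 1) -> bytes:
    """What the NAD does: wrap the EAP packet in RADIUS attributes (RFC 3579)."""
    attrs = radius_attr(ATTR_USER_NAME, user_name)            # outer identity only
    attrs += radius_attr(ATTR_CALLING_STATION_ID, calling_station_id)
    for i in range(0, len(eap), 253):                         # EAP-Message fragments, in order
        attrs += radius_attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # 16-byte zero placeholder
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, req_id, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # the placeholder is the last attribute: overwrite its value


def parse_radius(packet: bytes):
    """Return (code, id, authenticator, [(type, value), ...]); raises on bad lengths."""
    code, req_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, req_id, packet[4:20], attrs


def verify_message_authenticator(packet: bytes, shared_secret: bytes) -> bool:
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed; constant-time compare."""
    _, _, _, attrs = parse_radius(packet)
    zeroed, received, pos = bytearray(packet), None, 20
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            received = bytes(value)
            zeroed[pos + 2:pos + 2 + len(value)] = bytes(len(value))
        pos += 2 + len(value)
    if received is None or len(received) != 16:
        return False
    expected = hmac.new(shared_secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def extract_eap(packet: bytes) -> bytes:
    """Reassemble the EAP packet from the EAP-Message attributes (server side)."""
    _, _, _, attrs = parse_radius(packet)
    return b"".join(value for atype, value in attrs if atype == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    # Constructed sample values: endpoint MAC, anonymous outer identity, shared secret
    endpoint_mac = bytes.fromhex("001122334455")
    eap = build_eap_response_identity(b"anonymous", eap_id=1)
    frame = build_eapol_frame(endpoint_mac, eap)
    req = build_access_request(eap, b"radius-secret", os.urandom(16),
                               b"anonymous", b"00-11-22-33-44-55")
    print(f"EAPOL frame: {len(frame)} bytes, EtherType 0x{frame[12:14].hex()}, no IP/UDP header")
    print(f"RADIUS Access-Request: {len(req)} bytes, Message-Authenticator valid: "
          f"{verify_message_authenticator(req, b'radius-secret')}")
```

The User-Name attribute the switch copies from the EAP Response-Identity is the outer identity only; with an anonymous outer identity this is all that RADIUS accounting and an on-path observer get to see.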
Subsequent messages are exchanged to negotiate the outer method, PEAP in this case. As shown below, both the endpoint and Cisco ISE agree to use PEAP (EAP type 25) as the outer method; the inner method is negotiated later, inside the tunnel.
![Meddane_4-1721065167977.png Meddane_4-1721065167977.png](https://community.cisco.com/t5/image/serverpage/image-id/223467iFB605E1548AF2D9E/image-size/large?v=v2&px=999)
![Meddane_5-1721065167980.png Meddane_5-1721065167980.png](https://community.cisco.com/t5/image/serverpage/image-id/223468i2522EC629BC25C9F/image-size/large?v=v2&px=999)
At this stage, the TLS negotiation starts between the endpoint and Cisco ISE.
The endpoint sends a Client Hello inside the EAP-PEAP packet, listing the cipher suites it supports.
![Meddane_6-1721065167982.png Meddane_6-1721065167982.png](https://community.cisco.com/t5/image/serverpage/image-id/223469i6748108E28D738EA/image-size/large?v=v2&px=999)
The switch relays the Client Hello inside a RADIUS Access-Request packet.
![Meddane_7-1721065167985.png Meddane_7-1721065167985.png](https://community.cisco.com/t5/image/serverpage/image-id/223470i0B984FFACE83C2AA/image-size/large?v=v2&px=999)
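The TLS messages in the screenshots are carried in EAP-PEAP packets (EAP type 25) whose header adds a flags byte and, on the first fragment, a 4-byte TLS length, because a Client Hello or a certificate chain is often larger than one EAP packet. The following added Python example (not code from the original post or from Cisco) builds a constructed TLS 1.2 Client Hello, splits it into EAP-PEAP fragments the way a supplicant does, reassembles them the way Cisco ISE does, and then walks the record to list the offered cipher suites; the cipher suite list, zero random and fragment size are sample values.

```python
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start
PEAP_VERSION = 0                             # low 3 bits of the flags byte
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01


def build_peap_fragments(tls_data: bytes, eap_id: int, code: int, max_payload: int) -> list:
    """Split TLS bytes across EAP-PEAP packets.

    The first fragment carries the L flag plus the total TLS length; every fragment
    except the last carries M. In the real exchange the peer acknowledges each
    fragment with an empty PEAP packet before the next is sent; those ACKs are
    omitted here, the EAP identifier simply advances per round trip.
    """
    fragments, offset = [], 0
    while True:
        chunk = tls_data[offset:offset + max_payload]
        flags = PEAP_VERSION
        if offset == 0:
            flags |= FLAG_L
        if offset + len(chunk) < len(tls_data):
            flags |= FLAG_M
        extra = struct.pack("!I", len(tls_data)) if flags & FLAG_L else b""
        body = bytes([EAP_TYPE_PEAP, flags]) + extra + chunk
        fragments.append(struct.pack("!BBH", code, eap_id, 4 + len(body)) + body)
        offset += len(chunk)
        eap_id = (eap_id + 1) & 0xFF
        if not flags & FLAG_M:
            return fragments


class PeapReassembler:
    """Collect EAP-PEAP fragments until one without M arrives, then hand back the TLS bytes."""

    def __init__(self):
        self.buffer = bytearray()
        self.expected_len = None

    def feed(self, eap_packet: bytes):
        code, eap_id, length = struct.unpack("!BBH", eap_packet[:4])
        if length != len(eap_packet) or length < 6 or eap_packet[4] != EAP_TYPE_PEAP:
            raise ValueError("not a well-formed EAP-PEAP packet")
        flags, pos = eap_packet[5], 6
        if flags & FLAG_L:
            if length < 10:
                raise ValueError("L flag set but no TLS length field")
            self.expected_len = struct.unpack("!I", eap_packet[6:10])[0]
            pos = 10
        self.buffer += eap_packet[pos:]
        if self.expected_len is not None and len(self.buffer) > self.expected_len:
            raise ValueError("fragments exceed the announced TLS length")
        if flags & FLAG_M:
            return None                       # wait for more fragments
        data = bytes(self.buffer)
        if self.expected_len is not None and len(data) != self.expected_len:
            raise ValueError("reassembled length does not match the announced TLS length")
        self.buffer, self.expected_len = bytearray(), None
        return data


def build_client_hello(cipher_suites: list) -> bytes:
    """Constructed TLS 1.2 ClientHello record: zero random, no session id, no extensions."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    body += struct.pack("!H", 0)               # extensions length 0
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def client_hello_cipher_suites(tls_record: bytes) -> list:
    """Walk record -> handshake -> ClientHello and return the offered cipher suite IDs."""
    ctype, _, rlen = struct.unpack("!BHH", tls_record[:5])
    if ctype != TLS_HANDSHAKE or rlen != len(tls_record) - 5:
        raise ValueError("not a single TLS handshake record")
    hs = tls_record[5:]
    if hs[0] != TLS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                               # client_version + random
    pos += 1 + body[pos]                       # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0xC030, 0x009C, 0x002F])   # sample offer
    frags = build_peap_fragments(hello, eap_id=5, code=EAP_CODE_RESPONSE, max_payload=40)
    reassembler = PeapReassembler()
    for frag in frags:
        tls = reassembler.feed(frag)
    print(f"{len(frags)} EAP-PEAP fragments, reassembled {len(tls)} TLS bytes")
    print("offered cipher suites:", [hex(cs) for cs in client_hello_cipher_suites(tls)])
```

Wireshark does the same reassembly for you when it shows "Client Hello" in a single Access-Request; the length checks in feed() are the ones a server must enforce, since a peer that announces one TLS length and sends another is the classic way to drive a reassembly buffer out of bounds.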
The server replies with a Server Hello in a RADIUS Access-Challenge packet, carrying the chosen cipher suite and the server certificate of Cisco ISE (the TLS Certificate message). Because the certificate chain is larger than a single EAP packet, this part of the handshake usually spans several Access-Challenge/Access-Request round trips.
![Meddane_8-1721065167989.png Meddane_8-1721065167989.png](https://community.cisco.com/t5/image/serverpage/image-id/223471iE5C24A0A1FE53EE5/image-size/large?v=v2&px=999)
The switch relays the Server Hello to the endpoint in an EAP packet.
![Meddane_9-1721065167992.png Meddane_9-1721065167992.png](https://community.cisco.com/t5/image/serverpage/image-id/223472i6B1F4FD1CDD38F35/image-size/large?v=v2&px=999)
The endpoint validates the server certificate and sends a Client Key Exchange. With the RSA key exchange used here, this carries the pre-master secret encrypted with the server's public key taken from the certificate (with an ECDHE cipher suite it would carry the client's ephemeral key share instead). The validation is the security-critical step of PEAP: if the supplicant is configured not to validate the server certificate, anyone who can attach a rogue switch or access point backed by their own RADIUS server can present their own certificate, terminate the tunnel themselves and collect the inner MSCHAPv2 challenge/response for offline password cracking.
![Meddane_10-1721065167994.png Meddane_10-1721065167994.png](https://community.cisco.com/t5/image/serverpage/image-id/223473i0F64BBE92DC67643/image-size/large?v=v2&px=999)
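Because that validation is where PEAP deployments most often go wrong, here is the corresponding supplicant-side configuration as an added example, not part of the original post. It uses wpa_supplicant syntax for a wired 802.1X port (the Windows supplicant exposes the same checks as "Validate server certificate" and "Connect to these servers"); the username, CA file path and ISE hostname are assumed values.

```conf
# wpa_supplicant.conf, wired 802.1X (start with: wpa_supplicant -D wired -i eth0 -c wpa_supplicant.conf)
ap_scan=0

# WEAK: no ca_cert and no domain_match, so any server certificate is accepted.
# A rogue switch/AP with its own RADIUS server can terminate the TLS tunnel and
# harvest the MSCHAPv2 challenge/response. The real username is also sent in the clear.
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    eapol_flags=0
}

# HARDENED: pin the issuing CA, require the server name from the certificate,
# and send only an anonymous outer identity in the EAP Response-Identity.
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    anonymous_identity="anonymous"
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="ise.corp.example"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
    eapol_flags=0
}
```

With ca_cert set the supplicant rejects certificates that do not chain to that CA, and domain_match additionally requires the certificate's dNSName/CN to equal the ISE node name, so a valid certificate from the same CA issued for a different host is still refused.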
The switch encapsulates the EAP packet containing the Client Key Exchange in RADIUS and sends a RADIUS Access-Request message.
![Meddane_11-1721065167997.png Meddane_11-1721065167997.png](https://community.cisco.com/t5/image/serverpage/image-id/223474iA8E70B0AF33CB70E/image-size/large?v=v2&px=999)
Cisco ISE decrypts the pre-master secret with its own private key and sends a Change Cipher Spec (followed by its encrypted Finished message) in a RADIUS Access-Challenge.
![Meddane_12-1721065168000.png Meddane_12-1721065168000.png](https://community.cisco.com/t5/image/serverpage/image-id/223476i169D7A3B052839F6/image-size/large?v=v2&px=999)
The switch relays an EAP packet containing the Change Cipher Spec to the endpoint.
![Meddane_13-1721065168002.png Meddane_13-1721065168002.png](https://community.cisco.com/t5/image/serverpage/image-id/223475i289BE0A8E627805B/image-size/large?v=v2&px=999)
Now both the endpoint and Cisco ISE derive the same session keys from the pre-master secret and the two Hello randoms. These keys encrypt Phase 2, the inner MSCHAPv2 negotiation, so the endpoint is authenticated inside the tunnel, as shown below.
![Meddane_14-1721065168004.png Meddane_14-1721065168004.png](https://community.cisco.com/t5/image/serverpage/image-id/223477i174E9FE69082BB3F/image-size/large?v=v2&px=999)
![Meddane_15-1721065168007.png Meddane_15-1721065168007.png](https://community.cisco.com/t5/image/serverpage/image-id/223478iD4CAFAA7FDAEF125/image-size/large?v=v2&px=999)
If the user enters a valid username and password, Cisco ISE sends a RADIUS Access-Accept message carrying EAP-Success in its EAP-Message attribute.
![Meddane_16-1721065168010.png Meddane_16-1721065168010.png](https://community.cisco.com/t5/image/serverpage/image-id/223479iF49F8C2006316983/image-size/large?v=v2&px=999)
Finally, the switch sends the EAP-Success message to the endpoint in an EAPOL frame and authorizes the port.
![Meddane_17-1721065168011.png Meddane_17-1721065168011.png](https://community.cisco.com/t5/image/serverpage/image-id/223480i81A0ECA349DE0D85/image-size/large?v=v2&px=999)