Cisco PEAP vs. MS PEAP

Can anyone tell me advantages/disadvantages of using one type of PEAP over another? If anyone has a nice, non-biased link that can sum it up that would be appreciated as well. Thanks.

18 Replies

rayflor
Cisco Employee

You can check out wifi planet: http://www.wi-fiplanet.com/tutorials/article.php/3075481

This will give you an idea of each EAP method, how it is deployed, and what is needed.

That is a good article. However, it does not really address the specific differences, advantages/disadvantages of MS PEAP vs. Cisco PEAP.

I doubt that you will find such an article. Most articles will be written for marketing purposes - so only the good parts will be seen. The advantages/disadvantages will be more subjective than objective. Cisco LEAP must use Aironet clients or CCX clients. MS PEAP requires certificates be loaded onto the clients and a CA available on the network. So it is a trade off. LEAP doesn't use certificates, but only certain clients/Radius Servers support LEAP. MS-PEAP requires clients capable of handling certificates and if you don't have a local CA, you will need to pay for them. MS-PEAP may only be handled by certain Radius servers. It usually comes down to these details (how much money can we spend on this) that determines which protocol to go with.

Have you gone through the PEAP FAQ:

http://www.cisco.com/en/US/partner/netsol/ns339/ns395/ns176/ns178/netqa0900aecd801764fa.html

Just in case that you do not have access to the above URL. I attach the document in pdf format.

I think that PEAP-GTC does not provide the proprietary Windows management functions, like single sign-on, logon scripts, etc.

rsumpter
Level 1

One thing we ran into. MS PEAP sends the username in the clear, not in the encrypted tunnel. We saw this on both win2k & XP.

Cisco TAC stated (we didn't test Cisco PEAP) that Cisco PEAP sends both the username and password in the encrypted tunnel.

All 802.1x types behave the same regarding the clear text user name. When a wireless client initiates the association process, it sends out a frame called EAPOL Start (EAPOL stands for EAP over LAN). The AP responds with an identity request. Then, the wireless client responds with a user name in clear text. I do not know of any 802.1x type that sends the password in clear text.

You can configure machine authentication on PEAP MS-CHAP v2, so that it sends the machine name in clear text.

I am surprised to hear this about PEAP. I know LEAP had this issue of sending the username in plaintext, thus leading to its recent vulnerabilities of offline dictionary attacks. The application asleap is said to be able to break the LEAP protocol pretty quickly. However, one of the big advantages EAP-FAST has over LEAP is it does not send the username in plain text. However, if PEAP also sends the username in plain text I don't see why it's any more secure than LEAP.

The username is transmitted in clear text before the TLS tunnel is built. The machine ID is normally sent in PEAP-MS CHAP v2. I think that the MAC address is used in EAP-FAST.

After a secured tunnel is built, the username is encrypted. Thus, a wireless sniffer is unable to decode the username.

I'm having a little bit of trouble understanding what you meant. If the username is transmitted in clear text before the TLS tunnel is built, then how come a wireless sniffer could not detect the username?

You are absolutely correct that a wireless sniffer can capture the username before the TLS tunnel is built. However, there is a user authentication in the TLS tunnel. I meant that the user name in the TLS tunnel cannot be captured.

Glad that cleared it up. My next question for clarification is: does PEAP (either version) send the username in clear text initially? If it does, why is it any more secure than LEAP?

During my testing with MS-PEAP I had machine authentication on. When the computer boots, the computer performs a machine authentication (before the ctrl-alt-del screen appears) into the AD domain. I can see the machine ID (computer name) in the clear before the tunnel is created. Once the user logs into the computer, another EAP authentication occurs. During this authentication the username is sent in the clear before the tunnel is created.

All of Microsoft's documentation on PEAP gives the perception that all authentication credentials are transmitted within the tunnel, which is not the case.

I have not tested the Cisco PEAP client but when I opened a Cisco case (600215327) the TAC stated:

“Whether the username is sent in the clear in phase one of PEAP authentication, depends upon the client you are using. The Cisco Aironet PEAP client sends the username through the SSL tunnel only. The initial identity, used in phase one and which is sent in the clear, is MAC address of the end-user client with "PEAP_" as a prefix. The Microsoft PEAP client does not provide identity protection; the Microsoft PEAP client sends the username in the clear in phase one of PEAP authentication”.

Rob

As per my previous postings, all 802.1x types (including PEAP and LEAP) send out the user name in clear text.

LEAP only uses one username. Thus, the LEAP user name is sent in clear text.

You can use two user names (i.e. machine ID and user ID) in PEAP MS-CHAP v2. Machine ID is sent in clear text. User ID is encrypted.

Then I must be doing something wrong. If I perform a user only authentication with mschap-v2, the user ID is sent in the clear before the tunnel is created. If I do both machine and user, the machine ID AND user ID are both sent in the clear. The machine and user authentications are handled as 2 separate EAP authentications. How can I stop this?

Rob
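The point argued back and forth in this thread is that the EAP-Response/Identity frame (the "outer identity") goes over the air before any TLS tunnel exists, so whatever the supplicant puts there is readable by anyone capturing 802.1X traffic. The following is an added example, not code from any poster or from Cisco or Microsoft: it builds constructed EAPOL frames, decodes the Identity response without any key material, and flags whether the outer identity exposes a real account name or is a privacy-preserving one (an anonymous NAI, or the "PEAP_" + MAC form the TAC described; the exact MAC formatting after the prefix is an assumption here).

```python
import re
import struct

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START = 0, 1   # EAPOL packet types (IEEE 802.1X)
EAP_RESPONSE = 2                       # EAP code of a supplicant's reply
EAP_TYPE_IDENTITY = 1                  # EAP type used by the Identity exchange

def build_identity_response(eap_id, identity):
    """Frame a supplicant sends as EAP-Response/Identity: the outer identity, before any TLS."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode("utf-8")
    eap = struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap

def parse_eapol(frame):
    """Decode one EAPOL frame; no key material is needed to read the Identity response."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        return {"kind": "EAPOL-Start" if ptype == EAPOL_START else "EAPOL-other"}
    eap = frame[4:4 + length]
    code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if code == EAP_RESPONSE and eap_len > 4 and eap[4] == EAP_TYPE_IDENTITY:
        return {"kind": "EAP-Response/Identity", "id": eap_id,
                "identity": eap[5:eap_len].decode("utf-8", errors="replace")}
    return {"kind": "EAP", "code": code, "type": eap[4] if eap_len > 4 else None}

def classify_outer_identity(identity):
    """'protected' if the cleartext outer identity names no account, else 'exposed'."""
    # "PEAP_" + MAC as quoted from TAC in the thread; 12 hex digits is an assumed formatting
    if re.fullmatch(r"PEAP_[0-9A-Fa-f]{12}", identity):
        return "protected"
    local_part = identity.split("@", 1)[0]
    if local_part == "" or local_part.lower() == "anonymous":  # anonymous NAI (RFC 7542 style)
        return "protected"
    return "exposed"

def audit(frames):
    """(identity, verdict) for every cleartext Identity response in a list of frames."""
    parsed = (parse_eapol(f) for f in frames)
    return [(p["identity"], classify_outer_identity(p["identity"]))
            for p in parsed if p["kind"] == "EAP-Response/Identity"]

# Constructed sample frames for illustration, not captured from any real network
SAMPLE_FRAMES = [
    bytes([EAPOL_VERSION, EAPOL_START, 0, 0]),             # EAPOL-Start carries no EAP body
    build_identity_response(1, "jdoe@corp.example"),       # outer identity is the real username
    build_identity_response(1, "anonymous@corp.example"),  # anonymous outer identity
    build_identity_response(1, "PEAP_00A0C9ABCDEF"),       # MAC-style identity described in the thread
]
```

Running audit over a real EAPOL capture from your own WLAN shows which supplicant configurations leak account names in phase one and which do not.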
