I've read an article by George Ou and he mentions that a main difference between PEAP-TLS and EAP-TLS is that the client certificate in PEAP-TLS is partially encrypted and EAP-TLS does not. Does this simply mean that the certificate in PEAP-TLS cannot be exported where EAP-TLS can? Can anyone shed more information on the differences between these two EAP methods? I know PEAP-TLS is only supported by Microsoft.



I just found the doc I think you've read on the web. It's pretty good.

What he's talking about is that when you initially authenticate, PEAP-EAP-TLS establishes a TLS tunnel before sending any authentication credentials. Straight EAP-TLS does its first phase in the clear, so certain information is visible. It's not really anything to do with whether a certificate is exportable or not on the client device (which is what I think you mean). I think I've got that right, but I'm going from memory.

Differences? Basically the most secure method is PEAP-EAP-TLS (PEAP-GTC is good too). EAP-TLS is almost as good, and PEAP-MSCHAPv2 is weaker. PEAP is Microsoft's implementation that encapsulates other EAP types. Other vendors do sometimes write PEAP functions into their software, so it's not only supported by Microsoft, but you need to check on a device by device basis as they don't always support all functions. E.g. Cisco adapters support PEAP-MSCHAPv2 and PEAP-GTC, and EAP-TLS directly in the ADU utility. But they only support raw EAP-TLS as far as I know (unless anybody knows different?). I.e. they don't support PEAP-EAP-TLS. You need to use XP Zero instead.
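
The point made in the reply above (plain EAP-TLS sends the client certificate during an in-the-clear TLS 1.2 handshake, while PEAP-EAP-TLS runs the whole inner EAP-TLS exchange inside an outer TLS tunnel) can be illustrated with a small model of the two exchanges. This is an added example, not code from the thread or from any vendor's supplicant: the certificates, identities and "tunnel" key are constructed sample values, and the tunnel is a toy SHA-256 keystream that only serves to make tunnelled bytes opaque to an observer. The `observer_sees` helper answers the question actually being asked in the thread: which messages let someone sniffing the link read a given string in plaintext.

```python
"""Toy model of what an on-path observer sees in EAP-TLS vs PEAP-EAP-TLS.

Constructed example. The outer tunnel is modelled with a SHA-256 counter-mode
keystream so that tunnelled bytes are opaque; it is not real TLS.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample values (not real certificates, identities or keys).
CLIENT_CERT = b"CERT:CN=alice.corp.example,O=Example"
SERVER_CERT = b"CERT:CN=radius.corp.example,O=Example"
TUNNEL_KEY = b"toy-tunnel-key"  # stands in for the negotiated TLS session keys


def _keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream; only makes tunnelled bytes opaque."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def tunnel(key: bytes, data: bytes) -> bytes:
    """XOR inner data with the keystream (models 'carried inside the TLS tunnel')."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


@dataclass
class Frame:
    sender: str    # "peer" (supplicant) or "server" (authentication server)
    step: str      # human-readable description of the message
    payload: bytes  # exactly what an on-path observer captures for this step


def eap_tls_exchange(identity: bytes) -> list:
    """Plain EAP-TLS over a TLS 1.2-style handshake: there is no outer tunnel."""
    return [
        Frame("peer", "EAP-Response/Identity", identity),
        Frame("server", "TLS ServerHello+Certificate", SERVER_CERT),
        # In TLS 1.2 the client Certificate message precedes ChangeCipherSpec,
        # so the client certificate itself travels unencrypted on the link.
        Frame("peer", "TLS Certificate (client)", CLIENT_CERT),
        Frame("peer", "TLS CertificateVerify", b"SIG:" + identity),
    ]


def peap_eap_tls_exchange(outer_identity: bytes, inner_identity: bytes) -> list:
    """PEAP with inner EAP-TLS: outer TLS tunnel first, then EAP-TLS inside it."""
    inner = [  # the inner EAP-TLS conversation, before it is tunnelled
        b"EAP-Response/Identity:" + inner_identity,
        b"TLS Certificate (client):" + CLIENT_CERT,
        b"TLS CertificateVerify:SIG:" + inner_identity,
    ]
    outer = [
        # The outer identity is still sent in the clear; deployments usually
        # put an anonymous value here so the real user ID stays in the tunnel.
        Frame("peer", "EAP-Response/Identity (outer)", outer_identity),
        Frame("server", "Outer TLS ServerHello+Certificate", SERVER_CERT),
        Frame("peer", "Outer TLS ClientKeyExchange/Finished", b"FINISHED"),
    ]
    return outer + [
        Frame("peer", "Tunnelled inner EAP-TLS", tunnel(TUNNEL_KEY, m)) for m in inner
    ]


def observer_sees(frames: list, needle: bytes) -> list:
    """Return the steps in which an on-path observer can read `needle` in plaintext."""
    return [f.step for f in frames if needle in f.payload]


if __name__ == "__main__":
    print("EAP-TLS, client cert CN visible in:",
          observer_sees(eap_tls_exchange(b"alice"), b"CN=alice"))
    print("PEAP-EAP-TLS (anonymous outer), client cert CN visible in:",
          observer_sees(peap_eap_tls_exchange(b"anonymous", b"alice"), b"CN=alice"))
    print("PEAP-EAP-TLS (real outer ID), user ID visible in:",
          observer_sees(peap_eap_tls_exchange(b"alice", b"alice"), b"alice"))
```

Running it shows the server certificate is readable in both exchanges (the outer handshake needs it), the client certificate is readable only in plain EAP-TLS, and in PEAP the user ID leaks only through the outer EAP-Identity when a non-anonymous outer identity is configured. Nothing here touches how the certificate is stored on the client, which is why the tunnel has no bearing on whether a private key is exportable.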

Thanks for answering the post! There isn't a lot of documentation regarding PEAP-TLS.

Here is his quote from the document:

"PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes further to encrypt client digital certificate information."

It really sounds like he's talking about the certificate that exists locally. I was hoping to find out how encrypting them locally would affect exportation of these certificates. If I'm wrong, wouldn't the TLS tunnel built using the server's certificate just be hiding the user ID (or machine ID)? Is that the only benefit?

You're right about Cisco not supporting PEAP-TLS.

