LEAP Vs. PEAP
The Extensible Authentication Protocol, also known as EAP passes the authentication information between the supplicant (the Wi-Fi workstation) and the authentication server (Microsoft IAS or other). LEAP and PEAP are two types of EAP. But what are the differences between the two?
LEAP stands for Lightweight Extensible Authentication Protocol and PEAP stands for Protected Extensible Authentication Protocol. LEAP is more lightweight and less secure compared to PEAP but there are other small differences as well.
Now even though LEAP and PEAP are two different types of EAPs, there are a few fundamental differences between them. But to understand them, we must first understand what an EAP is.
Extensible Authentication Protocol (EAP)
The Extensible Authentication Protocol is capable of providing an authentication framework for both wireless and point-to-point networks. This protocol was primarily developed to enable secure transportation of various keying materials and all other related items that were created by the various methods included in the framework. The existing definition of this protocol was first included in the IETF’s RFC 3748 but was later updated by RFC 5247.
A lot of people believe that EAP is a wired protocol but that is in fact untrue. Firstly EAP is capable of working on both wired and wireless networks. Then secondly, EAP simply defines a format of messages that also allows other protocols to include or capture the EAP messages within any other messaging format. Since the release of the original EAP format, it has also found use in other newer security protocols as well.
EAP was developed for providing an authentication framework but not an authentication mechanism and, therefore, provides defined methods for implementing applications for leverage. Ever since the release of the original version of EAP the vendors have come up with various renditions of their own “add ons” and methods as well. Although some of these add-ons have been included in the proposed updates for the EAP standard, they have not yet been adopted widely.
Lightweight Extensible Authentication Protocol (LEAP)
The Lightweight Extensible Authentication Protocol is a method that was first developed by Cisco Systems. Then they decided to distribute this protocol through the CCX (Cisco Certified Extensions) as part of getting 802.1X and dynamic WEP. This was designed for mass adoption into the industry since there were no standards set for this industry at that point.
A problem with LEAP is that it is not supported by the Windows operating system. However, there are ways of circumventing this problem. Leap is often supported by other third parties and their client software. They are usually included in the WLAN devices.
LEAP support for Microsoft Windows 7 and beyond can be downloaded by installing a client add-in from Cisco themselves. Again, due to the popularity and mass adoption of LEAP, a lot of WLAN vendors claim to support this protocol.
LEAP is not a very secure option as it uses a slightly altered version of MS-CHAP which leaves the user’s data open to compromises.
Cisco currently does not recommend the use of LEAP and suggests the use of their other more protected protocols instead. However, if you must use LEAP, then it is recommended that you put up an overly complicated password. EAP protocols such as EAP-FAST, PEAP, or EAP-TLS are what Cisco recommends instead of LEAP as they are stronger and more advanced.
Protected Extensible Authentication Protocol (PEAP)
The Protected Extensible Authentication Protocol is a newer rendition of the EAP that is predominantly focused on security. It fully encapsulates the spirit of its predecessor EAPs and is designed to work along with the Transport Layer Security (TLS) tunnel that is authenticated despite being under encryption.
The primary reason for developing the PEAP system was to eliminate all the problems that plagued the other older versions of EAP. One of these deficiencies was that the protocol assumed the safety of the channels.
Therefore, the older versions of EAP had no systems in place to provide security to these channels. And thus, when EAP messages were discovered in the “clear” they did not provide the protection that was assumed when the protocol was originally developed. PEAP was designed to change that.
The Protected Extensible Authentication Protocol was thus created as a joint effort between RSA Security, Microsoft, and Cisco Systems.
Since this was co-developed by Microsoft, the very first version of PEAP was included as a bundle alongside Microsoft Windows XP, and not only that, the next two versions, namely PEAPv1 and PEAPv2 were also included in the subsequent releases of the Windows operating systems.
LEAP Vs. PEAP
While they are both different versions of the EAP protocol, one of them is clearly better than the other. PEAP is newer and more secure than LEAP and thus better in most ways in comparison. LEAP uses a slightly altered version of the MS-Chap and is therefore prone to security flaws. There is no encryption to be found in LEAP and is thus only protected by a password.
LEAP uses TKIP and dynamic WEP keys whereas PEAP uses server-side PKI to build an encrypted EAP-TLS tunnel between the client and server instead of using TKIP and dynamic WEP keys.
PEAP is the new industry standard and is far more capable than LEAP. PEAP is used to combat the scalability issues of TLS and offers encryption over the password security that LEAP has to offer. And since PEAP was co-developed by Microsoft, it is also offered as a bundle with Windows software. And then again, being newer, it is also more likely to receive support for longer from its manufacturer.
Which Should You Choose?
Unless your workflow heavily depends on LEAP or most of your infrastructure is deeply integrated with LEAP, PEAP is easily the superior option here. Even Cisco itself recommends PEAP over LEAP because of the security concerns.
To combat the security issue, Cisco advises LEAP users to use strong and convoluted passwords but that can be difficult if in corporate environments. So, it is best to use PEAP if you are considering between LEAP and PEAP. However, Cisco also offers a lot more EAP options and if you do not like PEAP, you may look into them as well.
