Skip to content
EAP-PEAP

EAP-PEAP overview

EAP-PEAP authenticates users with a username and password carried inside a TLS tunnel. It is the variant for audiences that do not have certificates: employees, contractors, vendor teams, and event staff. Only the RADIUS server needs a certificate, which keeps it the simplest 802.1X variant to deploy.

At a glance

Credential
Username and password
Identity source
Local accounts, optionally Microsoft Entra group membership
Certificates
RADIUS server certificate only — no client certificates
Best for
Employees, contractors, and event staff without certificates
Self-service
Personal accounts and delegated group administration
Status
Available

PEAP builds a TLS tunnel using the context’s RADIUS server certificate, and the user’s username and password are exchanged inside that tunnel so the credentials are never sent in the clear. Because only the server holds a certificate, there is no client-side certificate to issue or manage — the trade-off that makes PEAP easy to roll out.

PEAP suits any audience that authenticates with a password rather than a certificate. A common pattern is one group per audience — one for employees, one for a contractor firm, one for an event cohort — each carrying its own network policy and run day to day by that audience’s own lead rather than by central IT.

PEAP is not certificate-based authentication. For managed or unattended device fleets where the device itself must be trusted, use EAP-TLS — Device certificate; for employees whose access follows Microsoft Entra group membership, use EAP-TLS with Entra. PEAP can run on the same context as either, so a mixed fleet is served from one RADIUS service.

Next