5.1.2 Identity Verification

Because the TLS session has not yet been negotiated, the initial EAP identity request/response is sent in the clear, with neither integrity protection nor authentication. It is therefore vulnerable to eavesdropping and to modification by an on-path attacker.

If the initial cleartext EAP identity request/response has been tampered with, the PEAP server may discover, after the TLS session is established, that it cannot verify the peer's claim of identity. For example, the peer's user ID might not be valid, or might belong to a realm that this PEAP server does not handle. Where the PEAP server is unable to validate the peer's identity claims, it aborts the authentication.

Moreover, it cannot be assumed that the peer identities presented in multiple EAP-Response/Identity packets will be the same. For example, the initial EAP-Response/Identity might carry a machine identity, while identities presented later (inside the TLS tunnel) might be those of the user. PEAP implementations therefore need not abort the authentication merely because the identities differ. However, because the initial EAP-Response/Identity determines which EAP server handles the authentication, if this or any other identity is inappropriate for use with the destination EAP server, there is no alternative but to terminate the PEAP conversation.
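The server-side check described in this section, written out as an added example in Python. It is not code from the PEAP draft or from any PEAP implementation. It parses the cleartext EAP-Response/Identity (RFC 3748 framing, with the Length field validated before any data is read), extracts the NAI realm, and applies the decision rule above: abort when an identity cannot be served by this EAP server, but do not abort merely because the outer (cleartext) identity and the inner (TLS-protected) identity differ. The handled-realm and known-user sets, the function names, and the identities in the sample exchange are all constructed for this example.

```python
import struct
from typing import Optional, Tuple

EAP_RESPONSE = 2          # EAP Code for a Response (RFC 3748)
EAP_TYPE_IDENTITY = 1     # EAP Type for Identity

# Assumption (constructed for this example): what this PEAP server can serve.
HANDLED_REALMS = {"example.com"}
KNOWN_USERS = {"alice@example.com", "machine-pc42@example.com"}


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP-Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Identity(...)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY) + data


def parse_eap_identity_response(packet: bytes) -> str:
    """Parse an EAP-Response/Identity (RFC 3748, section 5.1) and return the identity string.

    The Length field is compared with the actual buffer size before the identity is
    read, so a forged header cannot cause an over-read or hide trailing bytes.
    """
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than the minimal Identity response")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if code != EAP_RESPONSE:
        raise ValueError("not an EAP Response")
    if packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity type")
    return packet[5:length].decode("utf-8")


def realm_of(identity: str) -> Optional[str]:
    """Return the realm of an NAI of the form user@realm (RFC 4282), or None if there is none."""
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def peap_server_decision(outer_identity: str, inner_identity: str) -> Tuple[bool, str]:
    """Decide whether the PEAP server continues once it has seen both identities.

    outer_identity: from the cleartext EAP-Response/Identity (selects the EAP server).
    inner_identity: presented inside the TLS tunnel (the identity actually authenticated).
    Returns (continue, reason).
    """
    outer_realm = realm_of(outer_identity)
    if outer_realm not in HANDLED_REALMS:
        # The conversation was routed here on the strength of a realm we do not serve
        # (e.g. the cleartext identity was tampered with): nothing to do but terminate.
        return False, f"outer identity realm {outer_realm!r} is not handled by this server"
    inner_realm = realm_of(inner_identity)
    if inner_realm not in HANDLED_REALMS:
        return False, f"inner identity realm {inner_realm!r} is not handled by this server"
    if inner_identity not in KNOWN_USERS:
        return False, f"inner identity {inner_identity!r} is not a valid user here"
    if outer_identity != inner_identity:
        # Machine identity outside, user identity inside: a mismatch alone is not a failure.
        return True, "identities differ (e.g. machine vs. user identity); accepted"
    return True, "identities match; accepted"


if __name__ == "__main__":
    # Constructed exchange: the cleartext outer identity is the machine, the inner one the user.
    outer = parse_eap_identity_response(build_eap_identity_response(1, "machine-pc42@example.com"))
    inner = "alice@example.com"  # would arrive inside the TLS tunnel
    print(peap_server_decision(outer, inner))
    # The same conversation after an on-path attacker rewrote the cleartext outer identity.
    tampered = parse_eap_identity_response(build_eap_identity_response(1, "alice@attacker.example"))
    print(peap_server_decision(tampered, inner))
```

The realm check on the outer identity is deliberately strict: since that identity is what routed the conversation to this server, a realm it does not serve is evidence of either misrouting or tampering, and the text leaves no option other than terminating the conversation.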