4.1.1 Successful PEAP Phase 1 and 2 Negotiation

The following diagram depicts a complete PEAP authentication in which both phase 1 and phase 2 negotiations take place successfully.

Authentication begins when a PEAP packet with the S bit set is sent to the peer; TLS negotiation then proceeds until a TLS session has been established. Once the TLS session has been established (the end of PEAP phase 1), all subsequent traffic between the PEAP peer and the server is encrypted, and phase 2 begins. Phase 2 starts with PEAP capabilities negotiation. During phase 2, the inner EAP method is negotiated, and authentication occurs in a series of exchanges that depend on the specific inner EAP method that is used.

Phase 2 concludes with an exchange of the EAP Extensions Method with the Result TLV (with success in the following case) within the TLS session. Subsequently, and outside the TLS session, an EAP success packet is sent to the peer by the EAP server.


Figure 6: Successful PEAP phase 1 and 2 negotiation
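
The ordering described above can be enforced on the peer side. The following is an added example, not part of the specification text: it accepts the cleartext EAP success packet only if a Result TLV with success was exchanged inside the TLS session first. The numeric values (EAP type 25 for PEAP, type 33 for the EAP Extensions Method, Result TLV type 3, S bit 0x20), the event names and the constructed trace are assumptions that this section does not state.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS = 1, 2, 3   # EAP codes (RFC 3748)
EAP_TYPE_PEAP, EAP_TYPE_EXTENSIONS = 25, 33        # assumed type values
PEAP_FLAG_S, RESULT_TLV, RESULT_SUCCESS, RESULT_FAILURE = 0x20, 3, 1, 2

def eap(code, ident, body=b""):  # constructed EAP packet: code, id, length, body
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def result_packet(code, ident, status):  # constructed EAP Extensions + Result TLV
    tlv = struct.pack("!HHH", 0x8000 | RESULT_TLV, 2, status)
    return eap(code, ident, bytes([EAP_TYPE_EXTENSIONS]) + tlv)

def result_tlv_status(inner):
    """Return the Result TLV status in a decrypted inner packet, or None."""
    if len(inner) < 5 or inner[4] != EAP_TYPE_EXTENSIONS:
        return None
    body = inner[5:struct.unpack("!H", inner[2:4])[0]]
    while len(body) >= 4:
        tlv_type, tlv_len = struct.unpack("!HH", body[:4])
        value = body[4:4 + tlv_len]
        if tlv_type & 0x3FFF == RESULT_TLV and len(value) == 2:
            return struct.unpack("!H", value)[0]
        body = body[4 + tlv_len:]
    return None

def peap_succeeded(trace):
    """True only if the outer EAP success follows the full protected sequence."""
    started = tunnel = req_ok = resp_ok = False
    for kind, pkt in trace:
        if kind == "tls_established":
            tunnel = started                      # phase 1 needs the S-bit start
        elif kind == "inner" and tunnel and result_tlv_status(pkt) == RESULT_SUCCESS:
            req_ok = req_ok or pkt[0] == EAP_REQUEST
            resp_ok = resp_ok or (req_ok and pkt[0] == EAP_RESPONSE)
        elif kind == "outer" and len(pkt) >= 4:
            if pkt[0] == EAP_SUCCESS:             # sent outside the TLS session
                return req_ok and resp_ok
            if pkt[0] == EAP_REQUEST and pkt[4:5] == bytes([EAP_TYPE_PEAP]):
                started = started or bool(pkt[5:6] and pkt[5] & PEAP_FLAG_S)
    return False

def trace(status):
    """Constructed peer-side trace; inner packets shown after TLS decryption."""
    start = eap(EAP_REQUEST, 1, bytes([EAP_TYPE_PEAP, PEAP_FLAG_S]))
    return [("outer", start), ("tls_established", b""),
            ("inner", result_packet(EAP_REQUEST, 7, status)),
            ("inner", result_packet(EAP_RESPONSE, 7, status)),
            ("outer", eap(EAP_SUCCESS, 8))]
```

`peap_succeeded(trace(RESULT_SUCCESS))` accepts the session, while the same trace with a failure Result TLV, or with the phase 2 packets missing, is rejected even though the outer EAP success packet is present.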