Which EAP variant employs MS-CHAPv2 for mutual authentication?

The correct choice is EAP-PEAP. EAP-PEAP (Protected Extensible Authentication Protocol) is designed to provide an additional layer of security by encapsulating a second EAP exchange within a secure TLS tunnel. This tunnel protects the authentication information, such as the MS-CHAPv2 used for authenticating clients.

In EAP-PEAP, the server presents a certificate to the client, establishing a secure connection, followed by mutual authentication where the client utilizes MS-CHAPv2 to authenticate to the server. This method effectively safeguards against eavesdropping and man-in-the-middle attacks, making EAP-PEAP a preferred method in environments where security is paramount.

In contrast, LEAP (Lightweight EAP) is an older protocol developed by Cisco that does not utilize MS-CHAPv2 but rather relies on a different mechanism for authentication. EAP-TLS employs certificate-based authentication for both the client and the server and does not use MS-CHAPv2 as part of its process. RADIUS, although it is often associated with supporting EAP, is not an EAP variant itself and does not specifically use MS-CHAPv2 for mutual authentication.