Which protocol encapsulates EAP in an encrypted TLS tunnel?

Protected Extensible Authentication Protocol (PEAP) encapsulates EAP within a secure, encrypted Transport Layer Security (TLS) tunnel. This design enhances security by preventing interception and tampering of authentication messages during the authentication process. PEAP typically requires a server-side certificate, allowing clients to authenticate the server before establishing a secure connection, thus adding an additional layer of trust and security.

By using PEAP, organizations can implement a more secure method for authenticating users within networks, particularly in scenarios requiring secure wireless connections. The encapsulation in the TLS tunnel ensures that sensitive information, such as user credentials, is not sent in plaintext, protecting it from eavesdroppers. This makes PEAP a favored choice in environments requiring enhanced security for network access authentication.