31 May 2011

Using PEAP for wireless authentication

PEAP creates an encrypted TLS tunnel between the client and the authentication server. The keys for this encryption are transported using the server's public key. The exchange that authenticates the client then takes place inside the tunnel, so it is encrypted and the user credentials are safe from eavesdropping.

Use a trusted certificate for authentication: The RADIUS server must be configured with a digital certificate signed by a trusted certificate authority (CA), which can be either a private or a public CA.
Validate the server certificate on all clients: All PEAP clients must validate the server certificate during authentication. The trusted root CA that issued the server certificate must be installed on the client.





