Re: Can anyone tell me how PEAP works and how to set up on my 12
PEAP, just like LEAP, EAP-FAST, and EAP-TLS, is one of the 802.1x/EAP authentication methods used in WPA Enterprise. You can also use 802.1x/EAP without WPA. This is different from WPA-PSK. WPA-PSK doesn't use 802.1x authentication methods. In WPA-PSK you simply enter the same passphrase on the client and the AP. This passphrase is used to calculate the actual encryption keys used by the TKIP or AES-CCMP encryption methods.
With WPA Enterprise, you must have an authentication server (RADIUS). The AP doesn't actually care which 802.1x authentication method you are using. The AP ("authenticator") simply converts the client's 802.1x messages to RADIUS messages and forwards them to the authentication server (Cisco ACS, Microsoft IAS, etc.), and then converts RADIUS messages from the authentication server back to 802.1x messages and forwards them to the client ("supplicant").
You can either use your RADIUS server or configure Local RADIUS (local usernames) on the AP. You can't use both at the same time, but you can fail over from your RADIUS server to the Local RADIUS, if you wish. When using a RADIUS server, the AP doesn't care which 802.1x/EAP method you use; there's no EAP configuration on the AP (only EAP timeout settings and such). It's up to the supplicant to tell the authentication server which EAP method it wants to use, and it's up to the authentication server to support that EAP method. When using Local RADIUS on the AP, the AP must understand the 802.1X/EAP method that the supplicant wants to use. The Cisco Local RADIUS service supports only LEAP, EAP-FAST and EAP-TLS, but not PEAP, therefore you won't be able to use PEAP with the local RADIUS server in your case; you must use an external server (Cisco ACS or Microsoft IAS).
If you had a Wireless LAN controller with lightweight APs, then you could set up the WLC with Local RADIUS authentication and PEAP. The WLC supports local RADIUS with LEAP, EAP-FAST, EAP-TLS *and* PEAP.
Here's the basic configuration for an autonomous IOS AP if you are planning to use an external Authentication server that supports PEAP (as well as LEAP, EAP-FAST, and EAP-TLS):
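aaa group server radius rad_eap
 ! <RADIUS-server-IP> is a placeholder: substitute the address of your RADIUS server
 server <RADIUS-server-IP> auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap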
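The pass-through role described in the post above, as an added example (not part of the original post and not Cisco code): the authenticator wraps the supplicant's EAP packet in a RADIUS Access-Request without parsing it, following RFC 3579, and only the server reads the EAP method. The function names, the identity `alice`, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib, hmac, os, struct

EAP_METHODS = {13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}  # IANA EAP types
USER_NAME, EAP_MESSAGE, MSG_AUTH = 1, 79, 80                            # RADIUS attributes

def make_attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def iter_attrs(packet):
    """Yield (type, value_offset, value) for each attribute of a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length != len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        size = packet[pos + 1] if pos + 2 <= length else 0
        if size < 2 or pos + size > length:
            raise ValueError("malformed RADIUS attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + size]
        pos += size

def eap_to_radius(eap, identity, secret, ident=1):
    """AP side: wrap the supplicant's EAP packet, unparsed, in an Access-Request."""
    body = make_attr(USER_NAME, identity)
    for i in range(0, len(eap), 253):        # one attribute carries at most 253 bytes
        body += make_attr(EAP_MESSAGE, eap[i:i + 253])
    body += make_attr(MSG_AUTH, bytes(16))   # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + os.urandom(16) + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def radius_to_eap(packet):
    """Reverse direction: join the EAP-Message attributes back into one EAP packet."""
    return b"".join(v for t, _, v in iter_attrs(packet) if t == EAP_MESSAGE)

def message_authenticator_ok(packet, secret):
    """Server side: HMAC-MD5 over the whole packet with attribute 80 zeroed."""
    for t, off, value in iter_attrs(packet):
        if t == MSG_AUTH and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False                             # EAP without Message-Authenticator is dropped

def eap_method(eap):
    """Only the RADIUS server reads this: byte 4 of a Request/Response is the EAP type."""
    return EAP_METHODS.get(eap[4], "type %d" % eap[4]) if len(eap) > 4 else "no method"

# Constructed sample: EAP-Response (code 2, id 7), type 25 (PEAP), 600 bytes of zero padding
SAMPLE_EAP = struct.pack("!BBHBB", 2, 7, 606, 25, 0) + bytes(600)
if __name__ == "__main__":
    print(eap_method(radius_to_eap(eap_to_radius(SAMPLE_EAP, b"alice", b"constructed-secret"))))
```

The 606-byte sample is split across three EAP-Message attributes, which is why PEAP's TLS handshake passes through an AP that has no PEAP support of its own.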