3.1.5.4 Phase 1 (TLS Tunnel Establishment)
Phase 1 of PEAP is a slightly modified implementation of EAP-TLS, as specified in [RFC5216], the only differences being:
A PEAP peer MAY send a certificate when requested by a PEAP server.
Implementations MUST set the Type field of the EAP packets to 25 (PEAP).
The TLS version supported MUST correspond to TLS v1.0.
To ensure interoperability, PEAP peers and PEAP servers MUST be able to negotiate the following TLS cipher suites (as specified in [RFC2246] section A.5):
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
For more information on the semantics associated with phase 1 of PEAP, see sections 3.2.5.2 and 3.3.5.2.