PEAP (Protected EAP) wraps EAP in a TLS tunnel, protecting credentials in transit. Common in enterprise Wi-Fi — EAP-MSCHAPv2 for user authentication inside PEAP tunnel.
PEAP requires a server certificate but NOT client certificates (easier to deploy than EAP-TLS). EAP-TLS requires both server and client certificates (most secure). PEAP is the most common enterprise Wi-Fi authentication method.