PEAP Inner Tunnel Question

Stefan Paetow Stefan.Paetow at ja.net
Thu Apr 24 09:57:27 CEST 2014


PEAP comes in two flavours for WPA (since you're using a wireless access point based on the debug): PEAPv0 (from Windows XP onwards) and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds EAP-GTC as an inner mechanism, so chances are that yes, the supplicant will always select EAP-MSCHAPv2 if it only supports PEAPv0.

:-)

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org] On Behalf Of Casey Daniels
Sent: 23 April 2014 23:57
To: freeradius-users at lists.freeradius.org
Subject: PEAP Inner Tunnel Question

Sorry if this is a stupid question, but is there a way to control the 
Phase 2 Authentication method when doing PEAP?

My aim is to only allow MSCHAPV2, however, I also get a good reply from 
the Server if I select

None, PAP, MD5, MSCHAP, or MSCHAPv2 on the supplicant.

Or is phase 2 Authentication the prerogative of the supplicant?

I've attached the debug output for when I tried to log on via no Phase 
2 Authentication, though there was an interesting line that appears in 
my debug output for many different modes (None, PAP, MD5, MSCHAP, 
MSCHAPv2) that worked.  Is freeradius forcing the supplicant into a 
MSCHAPv2 for the 2nd Phase ignoring what was selected?

(8) eap_peap : EAP type MSCHAPv2 (26)


However when I tried using GTC as the Phase 2 Authentication method it 
fails out (as expected) and I get

(7) eap_peap : EAP type NAK (3)

I've tried this on two different types of Supplicants (Android Phone, and 
Linux PC)

I've commented out any reference to pap, etc in config files and removed 
the link from mods-enabled.

Thank You,
Casey
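
Added example, not part of the original thread or of FreeRADIUS: a small audit that reads `eap_peap : EAP type NAME (NUM)` debug lines of the shape quoted above and reports which inner EAP methods were actually carried in the tunnel, independent of what was selected in the supplicant UI. The sample lines, the `ALLOWED_INNER` policy and the function name are constructed for illustration.

```python
import re

# Line shape copied from the two debug lines quoted in the thread:
#   (8) eap_peap : EAP type MSCHAPv2 (26)
LINE_RE = re.compile(r"^\((\d+)\)\s+eap_peap\s*:\s*EAP type (\S+) \((\d+)\)$")

# EAP type numbers 1-3 are not authentication methods (IANA EAP registry).
NON_AUTH = {1: "Identity", 2: "Notification", 3: "NAK"}
ALLOWED_INNER = {26}  # assumption: site policy is "MSCHAPv2 only", as in the question


def audit_inner_methods(lines, allowed=ALLOWED_INNER):
    """Return (methods_seen, nak_requests, violations) from eap_peap debug lines.

    methods_seen : {(name, number): count} for real inner methods
    nak_requests : request numbers where the peer refused the offered method
    violations   : (request, name, number) for methods outside the allow-list
    """
    methods, naks, violations = {}, [], []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated debug output
        req, name, num = int(m.group(1)), m.group(2), int(m.group(3))
        if num == 3:
            naks.append(req)  # peer rejected what the server proposed
        elif num not in NON_AUTH:
            methods[(name, num)] = methods.get((name, num), 0) + 1
            if num not in allowed:
                violations.append((req, name, num))
    return methods, naks, violations


# Constructed sample input; only the line format comes from the thread.
SAMPLE = """\
(5) eap_peap : EAP type Identity (1)
(6) eap_peap : unrelated debug line
(7) eap_peap : EAP type NAK (3)
(8) eap_peap : EAP type MSCHAPv2 (26)
(9) eap_peap : EAP type MSCHAPv2 (26)
(12) eap_peap : EAP type GTC (6)
""".splitlines()

if __name__ == "__main__":
    seen, naks, bad = audit_inner_methods(SAMPLE)
    print("inner methods seen:", seen)
    print("NAK on requests:", naks)
    print("outside policy:", bad)
```
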



