On Tue, Aug 25, 2015 at 2:30 AM, Isaac Konikoff <isaac.konikoff@gmail.com> wrote:
I'm trying to authenticate a wifi client (wpa_supplicant) using eap-peap with phase2 autheap=md5. In debug output, eap-peap appears to finalize with mschapv2 but eap-ttls uses eap-md5. Can I force eap-peap to use eap-md5?
What's the exact configuration parameter you used in the wpa_supplicant network profile to set this? If that "phase2 autheap=md5" is to be interpreted as the exact form, it would be incorrect. To configure PEAP with EAP-MD5 in Phase 2, you would need to use phase2="eap=MD5" (i.e., "eap" instead of "autheap" which is only used with EAP-TTLS and "MD5" instead of "md5"). Without the eap parameter in phase2, wpa_supplicant would accept whatever the server proposes first (which, most commonly, with PEAP is EAP-MSCHAPv2). With the phase2 eap=MD5 parameter included, wpa_supplicant will accept only the specified EAP method in Phase 2, i.e., the initial EAP-MSCHAPv2 attempt would be NAK'ed and if the server supports EAP-MD5, it would be used instead. - Jouni