On Thu, Sep 29, 2016 at 06:34:10PM +0100, Graham Clinch wrote:
I've swapped all occurances of 'eap' in the inner-tunnel site to 'inner-eap' and now see PEAP/EAP-MSCHAPv2 authentications complete with one fewer roundtrip, which feels like an improvement. Is there a reason inner-eap is not used in the default inner-tunnel site?
The default "eap" config has default_eap_type = md5 which will be NAK'd on the first round trip. You should set it to the EAP method you're most commonly going to use. The "inner-eap" config has default_eap_type = mschapv2 which you're using, so saves one RT because the server and client agree the first time around. You'd use the inner-eap config when you're doing e.g. PEAP/EAP-TLS, i.e. EAP (EAP-TLS) inside of EAP (PEAP). In which case your inner-tunnel config would call inner-eap instead of eap (which would be the same module twice, which wouldn't end nicely). Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>