But, I don't completely understand PEAP, and how it relates to MS-CHAP v2.
PEAP first establish a TLS tunnel (and thus uses the freeradius eap 'tls' module). Then a new Request is sent protected by this TLS tunnel. This inner request can be based on ms-chapv2 or another EAP method).
I want to try to use PEAP to secure my network.
Here is my current eap.conf
eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { private_key_password = whatever private_key_file = ${raddbdir}/certs/cert-srv.pem certificate_file = ${raddbdir}/certs/cert-srv.pem CA_file = ${raddbdir}/certs/demoCA/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom }
Take care to setup the freeradius certificate/private key cause it will be used to establish the first TLS tunnel. Also take care to install the cacert in the client certificate store.
peap { default_eap_type = mschapv2 } mschapv2 { } }
I have eap in authenticate and authorize. What else do I need to do, and are there more dictionaries.
Should be enough for the Freeradius part (I suppose you have define your APs in the clients.conf file). Configure the radius parameters in your AP and setup the PEAP client to check the freeradius server's name and certificate to be protected from Man in the middle attacks. Thibault