On 24/04/14 08:57, Stefan Paetow wrote:
PEAP comes in two flavours for WPA (since you're using a wireless access point based on the debug): PEAPv0 (from Windows XP onwards) and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds EAP-GTC as an inner mechanism, so chances are that yes, the supplicant will always select EAP-MSCHAPv2 if it only supports PEAPv0.
The wording of MS-PEAP - the only "formal" spec for PEAPv0 - is a bit vague on this. "MSCHAP" is only mentioned once in the document as an example of one valid inner, and 3.1.5.6 just says: """ PEAP implementations MUST only support a single EAP authentication method per session with a type greater than or equal to 4, in addition to supporting EAP TLV Extensions Method (and optionally SoH EAP Extensions Method) in the same session. """ ...so it's a bit vague, but implies that, per protocol spec, any EAP inner is acceptable. As others have noted, PEAPv0/EAP-TLS is used and usable. Whilst Microsoft clients might not support it, I see no reason PEAPv0/EAP-anything would fail, from a protocol level.