Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
On 22/08/13 10:54, Alan Buxey wrote:
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP
PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no "bare" MSCHAP variant, because there's no spec for how to derive the MSCHAP challenge from the TLS master secret. The EAP methods are all a pile of crap; it's truly disappointing how many hoops you have to jump through just because Microsoft gifted us a crappy EAP method, and everyone else slavishly implemented it. Microsoft could solve a lot of problems right now by providing an API to execute EAP-PWD with the NT-hash variant of the secret against an AD controller. Instead, we're all flailing around with the very best of early 90s crypto protecting our wireless :o(
Phil Mayers wrote:
PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no "bare" MSCHAP variant, because there's no spec for how to derive the MSCHAP challenge from the TLS master secret.
FWIW: PEAP is TLS + inner EAP. That's why there's no PAP / CHAP / MS-CHAP inside the tunnel. It *has* to be EAP.
Microsoft could solve a lot of problems right now by providing an API to execute EAP-PWD with the NT-hash variant of the secret against an AD controller. Instead, we're all flailing around with the very best of early 90s crypto protecting our wireless :o(
Pretty much. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Phil Mayers