debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

Phil Mayers p.mayers at
Thu Aug 22 13:17:43 CEST 2013

On 22/08/13 10:54, Alan Buxey wrote:
> TLS in PEAP.  Yes I've seen it. And EAP-MSCHAPV2 in PEAP

PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no 
"bare" MSCHAP variant, because there's no spec for how to derive the 
MSCHAP challenge from the TLS master secret.

The EAP methods are all a pile of crap; it's truly disappointing how 
many hoops you have to jump through just because Microsoft gifted us a 
crappy EAP method, and everyone else slavishly implemented it.

Microsoft could solve a lot of problems right now by providing an API to 
execute EAP-PWD with the NT-hash variant of the secret against an AD 
controller. Instead, we're all flailing around with the very best of 
early 90s crypto protecting our wireless :o(

More information about the Freeradius-Users mailing list
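
Added example, not part of the original post or of any project's own documentation: a wpa_supplicant.conf sketch of the distinction described above, where TTLS lets you choose between bare MSCHAPv2 and tunnelled EAP-MSCHAPv2 while PEAP only ever carries the EAP form. SSIDs, identities, passwords and the CA path are constructed placeholders.

```conf
# Constructed placeholder values throughout; only the eap= and phase2= lines
# carry the point being illustrated.

# EAP-TTLS with "bare" MSCHAPv2: auth= selects a non-EAP inner method.
network={
    ssid="example-ttls-bare"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    # Validate the RADIUS server certificate; the TLS tunnel is all that
    # protects the MSCHAPv2 exchange.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}

# EAP-TTLS with EAP-MSCHAPv2 inside the tunnel: autheap= selects an EAP
# inner method.
network={
    ssid="example-ttls-eap"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="autheap=MSCHAPV2"
}

# PEAP: the inner method is always an EAP method, so auth=MSCHAPV2 here
# means EAP-MSCHAPv2. There is no bare-MSCHAPv2 counterpart to choose.
network={
    ssid="example-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}
```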