debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

Alan DeKok aland at
Thu Aug 22 15:06:31 CEST 2013

Phil Mayers wrote:
> PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
> "bare" MSCHAP variant, because there's no spec for how to derive the
> MSCHAP challenge from the TLS master secret.

  FWIW: PEAP is TLS + inner EAP.  That's why there's no PAP / CHAP /
MS-CHAP inside the tunnel.  It *has* to be EAP.

> Microsoft could solve a lot of problems right now by providing an API to
> execute EAP-PWD with the NT-hash variant of the secret against an AD
> controller. Instead, we're all flailing around with the very best of
> early 90s crypto protecting our wireless :o(

  Pretty much.

  Alan DeKok.

More information about the Freeradius-Users mailing list