PEAP Inner Tunnel Question
Stefan Paetow
Stefan.Paetow at ja.net
Thu Apr 24 09:57:27 CEST 2014
PEAP comes in two flavours for WPA (since you're using a wireless access point based on the debug): PEAPv0 (from Windows XP onwards) and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds EAP-GTC as an inner mechanism, so chances are that yes, the supplicant will always select EAP-MSCHAPv2 if it only supports PEAPv0.
:-)
Stefan
-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org] On Behalf Of Casey Daniels
Sent: 23 April 2014 23:57
To: freeradius-users at lists.freeradius.org
Subject: PEAP Inner Tunnel Question
Sorry if this is a stupid question, but is there a way to control the
Phase 2 Authentication method when doing PEAP?
My aim is to only allow MSCHAPV2, however, I also get a good reply from
the Server if I select
None, PAP, MD5, MSCHAP, or MSCHAPv2 on the supplicant.
Or is phase 2 Authentication the prerogative of the supplicant?
I've attached the Debug output for When I tried to long on via no Phase
2 Authentication, though there was an interesting line that Appears in
my debug output for many different modes (None, PAP, MD5, MSCHAP,
MSCHAPv2) that worked. Is freeradius forcing the supplicant into a
MSCHAPv2 for the 2nd Phase ignoring what was selected?
(8) eap_peap : EAP type MSCHAPv2 (26)
However when I tried using GTC as the Phase 2 Authentication method it
fails out (as expected) and I get
(7) eap_peap : EAP type NAK (3)
I've tried this or two different two of Supplicants (Android Phone, and
Linux PC)
I've commented out any reference to pap, etc in config files and removed
the link from mods-enabled.
Thank You,
Casey
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a
not-for-profit company which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
More information about the Freeradius-Users
mailing list