PEAP Inner Tunnel Question
Phil Mayers
p.mayers at imperial.ac.uk
Thu Apr 24 13:25:55 CEST 2014
On 24/04/14 08:57, Stefan Paetow wrote:
> PEAP comes in two flavours for WPA (since you're using a wireless
> access point based on the debug): PEAPv0 (from Windows XP onwards)
> and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only
> works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds
> EAP-GTC as an inner mechanism, so chances are that yes, the
> supplicant will always select EAP-MSCHAPv2 if it only supports
> PEAPv0.
The wording of MS-PEAP - the only "formal" spec for PEAPv0 - is a bit
vague on this. "MSCHAP" is only mentioned once in the document as an
example of one valid inner, and 3.1.5.6 just says:
"""
PEAP implementations MUST only support a single EAP authentication
method per session with a type greater than or equal to 4, in addition
to supporting EAP TLV Extensions Method (and optionally SoH EAP
Extensions Method) in the same session.
"""
...so it's a bit vague, but implies that, per protocol spec, any EAP
inner is acceptable.
As others have noted, PEAPv0/EAP-TLS is used and usable. Whilst
Microsoft clients might not support it, I see no reason
PEAPv0/EAP-anything would fail, from a protocol level.
More information about the Freeradius-Users
mailing list