PEAP Inner Tunnel Question

Phil Mayers p.mayers at imperial.ac.uk
Thu Apr 24 13:25:55 CEST 2014


On 24/04/14 08:57, Stefan Paetow wrote:
> PEAP comes in two flavours for WPA (since you're using a wireless
> access point based on the debug): PEAPv0 (from Windows XP onwards)
> and PEAPv1. PEAPv0 (which Microsoft only refers to as PEAP) only
> works with EAP-SIM or EAP-MSCHAPv2. PEAPv1 (supported by Cisco) adds
> EAP-GTC as an inner mechanism, so chances are that yes, the
> supplicant will always select EAP-MSCHAPv2 if it only supports
> PEAPv0.

The wording of MS-PEAP - the only "formal" spec for PEAPv0 - is a bit 
vague on this. "MSCHAP" is only mentioned once in the document as an 
example of one valid inner, and 3.1.5.6 just says:

"""
PEAP implementations MUST only support a single EAP authentication 
method per session with a type greater than or equal to 4, in addition 
to supporting EAP TLV Extensions Method (and optionally SoH EAP 
Extensions Method) in the same session.
"""

...so it's a bit vague, but implies that, per protocol spec, any EAP 
inner is acceptable.

As others have noted, PEAPv0/EAP-TLS is used and usable. Whilst 
Microsoft clients might not support it, I see no reason 
PEAPv0/EAP-anything would fail, from a protocol level.
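
An added example, not part of the original post or of the FreeRADIUS project's shipped configuration: a FreeRADIUS 3.x mods-available/eap fragment that proposes EAP-TLS (type 13) rather than EAP-MSCHAPv2 (type 26) as the inner method of PEAPv0, which is what the reading of MS-PEAP 3.1.5.6 above allows. The certificate paths and the tls-common name are assumptions; the inner-tunnel virtual server is assumed to call the eap module in its authenticate section, as the stock sites-available/inner-tunnel does.

```conf
# mods-available/eap (FreeRADIUS 3.x): PEAPv0 with EAP-TLS as the inner method.
# Added example; certificate paths and the "tls-common" name are assumptions.
eap {
    # Outer method offered to the supplicant.
    default_eap_type = peap

    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
    }

    # Plain EAP-TLS. This same sub-module handles the EAP-TLS exchange
    # when it runs inside the PEAP tunnel.
    tls {
        tls = tls-common
    }

    # Keep MSCHAPv2 enabled so a supplicant that NAKs EAP-TLS can still
    # negotiate the inner method Microsoft's PEAP expects.
    mschapv2 {
    }

    peap {
        tls = tls-common
        # Inner method proposed first inside the TLS tunnel. The shipped
        # default is mschapv2. MS-PEAP 3.1.5.6 only requires a single inner
        # method with type >= 4 (plus the type 33 TLV method), so type 13
        # (EAP-TLS) satisfies the spec as written.
        default_eap_type = tls
        # The tunneled EAP exchange is handed to this virtual server.
        virtual_server = "inner-tunnel"
    }
}
```

The practical caveat from the thread still applies: the spec permits any inner method, but a supplicant that only implements Microsoft's PEAPv0 profile may reject the inner EAP-TLS request. Because mschapv2 stays enabled, such a client can NAK and fall back to EAP-MSCHAPv2 inside the same tunnel, and the inner-tunnel debug output (radiusd -X) will show which inner type was actually negotiated.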


More information about the Freeradius-Users mailing list