Mac OSX + PEAP/MSCHAPv2 + Special characters in password

Olivier Beytrison olivier at
Wed May 14 14:44:27 CEST 2014


One of our institution reported that some of their users, using Mac OSX,
couldn't connect to eduroam. It appears that those users have special
characters in their password (éৣ ect).

I can log with such an account using Windows, iOS, Android or
eapol_test, but with the default settings on Mac OSX (PEAP/MSCHAPv2) it
fails : mschap : MS-CHAP2-Response is incorrect.

The current workaround at the moment is to deploy a .mobileconfig
profile to configure their 802.1x settings to use TTLS/PAP, which works

We spent some time debugging this issue with Arran and think that's an
implementation error by MacOSX regarding the encoding of the password
used to generated the hash for MSCHAPv2. But so far I wasn't able to
confirm it by looking at the Apple discussion forums.

Has anyone of you also encountered this issue ?

Olivier B.

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at

More information about the Freeradius-Users mailing list