help with configs for eap-md5

Jouni Malinen jkmalinen at gmail.com
Tue Aug 25 14:28:08 CEST 2015


On Tue, Aug 25, 2015 at 2:30 AM, Isaac Konikoff
<isaac.konikoff at gmail.com> wrote:
> I'm trying to authenticate a wifi client (wpa_supplicant) using eap-peap
> with phase2 autheap=md5. In debug output, eap-peap appears to finalize with
> mschapv2 but eap-ttls uses eap-md5. Can I force eap-peap to use eap-md5?

What's the exact configuration parameter you used in the
wpa_supplicant network profile to set this? If that "phase2
autheap=md5" is to be interpreted as the exact form, it would be
incorrect. To configure PEAP with EAP-MD5 in Phase 2, you would need
to use phase2="eap=MD5" (i.e., "eap" instead of "autheap" which is
only used with EAP-TTLS and "MD5" instead of "md5"). Without the eap
parameter in phase2, wpa_supplicant would accept whatever the server
proposes first (which, most commonly, with PEAP is EAP-MSCHAPv2). With
the phase2 eap=MD5 parameter included, wpa_supplicant will accept only
the specified EAP method in Phase 2, i.e., the initial EAP-MSCHAPv2
attempt would be NAK'ed and if the server supports EAP-MD5, it would
be used instead.

- Jouni


More information about the Freeradius-Users mailing list