Wi-Fi WPA EAP type negotiation question

Alan DeKok aland at deployingradius.com
Thu Dec 29 13:28:45 UTC 2022


On Dec 28, 2022, at 10:41 PM, d tbsky <tbskyd at gmail.com> wrote:
>   I had used freeradius EAP-PEAP-MSCHAPv2 + EAP-PEAP-GTC with Wi-Fi
> for several years. I had a concept in mind (which seems wrong) that a
> client would send EAP requests blindly. so client and server should
> set up correct EAP type parameters before connection.

  There's a lot of confusion in that description.

  But there's no magic here.  EAP is relatively simple, and is well documented.  It goes roughly like this:

supplicant:	Hi, I'm Bob
server:		Let's do EAP-TLS
supplicant:	No, I want to do TTLS
server:		OK, here's EAP-TTLS

>  When I found that Win10 supports EAP-TTLS natively, I tried to use
> it. and I found that when I switch EAP-PEAP/EAP-TTLS settings at
> freeradius, Win10 and IOS/MacOS would detect it automatically and use
> the correct EAP type. I use "radiusd -X" to monitor the traffic, it
> seems freeradius would send something to the client at first response,
> although I don't know what's inside the EAP Message.

  There is no "detect" for EAP types.  You shouldn't use that word.  It's wrong, and it will confuse you.

  The supplicant and server both have a list of EAP types that they can do.  They communicate with each other, and negotiate one particular EAP type that they both are willing to use.

  That's it.

>  I found Win10 will auto detect/support
> EAP-PEAP-MSCHAPv2/PEAP-TTLS-GTC/PEAP-TTLS-PAP. IOS/MacOS will auto
> detect/support EAP-PEAP-MSCHAPv2/EAP-PEAP-GTC/EAP-TTLS-GTC. but
> IOS/MacOS didn't detect EAP-TTLS-PAP. so I don't know if
> "default_eap_type = pap" is a correct parameter under the ttls
> section.

  You do know.  You can try it, and see that it doesn't work.  The server won't start with that configuration, and will print out an error.

> Win10/Win11 will auto detect and accept PEAP-TTLS-GTC as
> PEAP-TTLS-PAP which seems strange but a good thing to me. Android seems
> lazy and doesn't auto-detect anything and just wants the user to input
> EAP parameters manually.

  You keep using the word "detect".  It's wrong.

>  Is there documents about what's behind the scene?  Can I decode the
> EAP Message to know what information is exchanged between client and
> server?

  There is a large amount of information on the net about how EAP works.  It's all publicly accessible.  Wikipedia is a good start.  And as Matthew said, the debug output tells you everything about what the server is doing.  Read it.

  But to be honest, if you're unfamiliar with basic EAP functionality, there is *no* point in decoding EAP packets.  That will just confuse you more.

  i.e. If you're having problems with EAP, don't try to understand something *new*.  Instead, make sure you understand the basic concepts of how EAP works.

  The actual "bytes on the wire" are much less useful than the basic concepts.  If you understand the basic concepts, then it becomes possible to understand the "bytes on the wire".  If you don't understand the concept, then you have no way to even begin understanding the bytes being sent back and forth.

   Alan DeKok.
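The four-line exchange in Alan's reply, as an added example that is not part of the original post and is not FreeRADIUS code: a toy Python model of RFC 3748 EAP framing in which the supplicant answers an unwanted proposal with a Nak listing the types it will do, and the server picks one it shares. The server proposing the first type in its list stands in for default_eap_type; the method run after agreement is skipped.

```python
# Added example (not FreeRADIUS code): toy EAP type negotiation via RFC 3748 Nak.
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4          # EAP Code field
IDENTITY, NAK, TLS, TTLS, PEAP = 1, 3, 13, 21, 25         # EAP Type field (IANA)

def encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def decode(pkt):
    """Parse an EAP packet; Success/Failure carry no Type octet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if length == 4:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]

def supplicant_reply(request, supported, identity=b"Bob"):
    """Answer a Request: send identity, accept the proposed type, or Nak with a list."""
    code, ident, eap_type, _ = decode(request)
    if code != REQUEST:
        raise ValueError("supplicant only answers Requests")
    if eap_type == IDENTITY:
        return encode(RESPONSE, ident, IDENTITY, identity)   # "Hi, I'm Bob"
    if eap_type in supported:
        return encode(RESPONSE, ident, eap_type)             # method data would follow
    # Nak: "No, I want to do ..." - Type-Data lists acceptable types (RFC 3748 5.3.1)
    return encode(RESPONSE, ident, NAK, bytes(supported))

def negotiate(server_types, supplicant_types):
    """Server side: propose its default, honour a Nak, or give up. Returns (type, log)."""
    log = [encode(REQUEST, 0, IDENTITY)]
    log.append(supplicant_reply(log[-1], supplicant_types))
    proposal, ident = server_types[0], 0                 # first entry = default_eap_type
    while True:
        ident += 1
        log.append(encode(REQUEST, ident, proposal))     # "Let's do EAP-TLS"
        log.append(supplicant_reply(log[-1], supplicant_types))
        _, _, rtype, data = decode(log[-1])
        if rtype == proposal:                            # agreed; the method would run here
            log.append(encode(SUCCESS, ident))
            return proposal, log
        common = [t for t in data if t in server_types]  # Nak: pick a type both can do
        if not common:
            log.append(encode(FAILURE, ident))           # nothing in common
            return None, log
        proposal = common[0]                             # "OK, here's EAP-TTLS"
```

Run `negotiate([TLS, TTLS, PEAP], [PEAP, TTLS])` to watch the server's EAP-TLS proposal get Nak'd and replaced by a type both sides listed; `negotiate([TLS], [PEAP])` ends in EAP-Failure because no type is shared.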