Username on EAP-MSCHAPv2

Jouni Malinen jkmaline at cc.hut.fi
Wed Feb 14 22:38:39 EST 2007


On Mon, Dec 04, 2006 at 11:31:29AM +0530, ramprasad.rajendran at wipro.com wrote:

> I am using wpa_supplicant version 0.5.5 and hostapd 0.4.9 as the
> authenticator cum RADIUS.
> I am testing with EAP-MSCHAPv2

Only with EAP-MSCHAPv2 or with protected tunnel, e.g.,
EAP-PEAP/MSCHAPv2? If you are using only EAP-MSCHAPv2, please note that
it does not generate long enough key by default and may not be useful if
you need dynamic keying (and I would not really recommend using MSCHAPv2
without the encrypted tunnel anyway).

> The username in the hostapd's user and password file has the format
> DOMAIN\user.
> 
> I tried setting the username at the configuration file at the supplicant
> to user at DOMAIN, DOMAIN\user, but gets rejected.
> Is there any particular format in which the user name must be used for
> MSCHAPV2.

Yes, DOMAIN\user is the only format currently supported for the case
where domain part needs to be removed for challenge/response validation.
I did a quick test with EAP-PEAP with EAP-MSCHAPv2 as the inner
authentication method and it seemed to work fine between wpa_supplicant
0.5.x and hostapd 0.4.x when using DOMAIN\user format for the user name.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list