PEAPv1(EAP-GTC) config with Cisco ACS

Jouni Malinen j at
Tue Mar 17 04:55:40 EDT 2009

On Tue, Mar 17, 2009 at 11:36:17AM +1100, Ben Carbery wrote:

> So by 'PAP not MSCHAP', I think I am implying PEAPv1? This is because the
> ACS is using LDAP as a backend database for the authentication, and LDAP
> does not support MSCHAP. This might be incidental to the configuration
> though if EAP negotiates the correct settings..

PEAPv0 vs v1 is not really that important, but the use of EAP-GTC as the
inner method is key if you need plaintext password which seems to be the
case here.

> Here are my debug logs after a bit of a clean-up. There were actually two
> connection attempts in the original file, but they appeared to have such
> different content that I split it into two files for clarity. It's possible
> the second attempt is being denied due to 'too many attempts' so possibly
> the first file is the relevant one.

The first file seems to indicate that your driver is trying to use PMKSA
caching and it does not even get into EAP authentication at all.. Which
driver are you using?

The second one does the same in the beginning, but then eventually gets
to actually trying to use EAP. However, the authentication is rejected
immediately after providing the user identity and as such, it does not
really tell much about what could have been failing in the first attempt
(which likely happened before the wpa_supplicant.log.1).

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list