PEAPv1(EAP-GTC) config with Cisco ACS
j at w1.fi
Tue Mar 17 04:55:40 EDT 2009
On Tue, Mar 17, 2009 at 11:36:17AM +1100, Ben Carbery wrote:
> So by 'PAP not MSCHAP', I think I am implying PEAPv1? This is because the
> ACS is using LDAP as a backend database for the authentication, and LDAP
> does not support MSCHAP. This might be incidental to the configuration
> though if EAP negotiates the correct settings..

PEAPv0 vs v1 is not really that important, but the use of EAP-GTC as the
inner method is key if you need a plaintext password which seems to be the

> Here are my debug logs after a bit of a clean-up. There were actually two
> connection attempts in the original file, but they appeared to have such
> different content that I split it into two files for clarity. It's possible
> the second attempt is being denied due to 'too many attempts' so possibly
> the first file is the relevant one.

The first file seems to indicate that your driver is trying to use PMKSA
caching and it does not even get into EAP authentication at all.. Which
driver are you using?

The second one does the same in the beginning, but then eventually gets
to actually trying to use EAP. However, the authentication is rejected
immediately after providing the user identity and as such, it does not
really tell much about what could have been failing in the first attempt
(which likely happened before the wpa_supplicant.log.1).

Jouni Malinen PGP id EFC895FA
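
Added example, not part of the original message or the poster's configuration: a wpa_supplicant.conf network block that selects EAP-GTC as the PEAP inner method, as discussed above. The SSID, identity, password and CA certificate path are placeholders.

```conf
# Illustrative network block; ssid, identity, password and ca_cert
# are placeholder values, not taken from the thread.
network={
	ssid="example-ssid"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="user"
	password="placeholder-password"

	# With EAP-GTC the password itself is sent inside the TLS tunnel,
	# so the server certificate must be validated before it is sent.
	ca_cert="/etc/cert/ca.pem"

	# Force PEAPv1; leave peapver out to accept the version the
	# server negotiates.
	phase1="peapver=1"

	# Inner (phase 2) method. "auth=MSCHAPV2" here would require the
	# backend to handle MSCHAP, which the thread says the LDAP-backed
	# ACS cannot do; GTC hands the server the plaintext password.
	phase2="auth=GTC"
}
```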