Phase 2 on PEAP and EAP-TTLS

Jouni Malinen j at w1.fi
Wed Nov 17 15:11:33 EST 2010


On Wed, Nov 17, 2010 at 06:45:11PM -0000, Panagiotis Georgopoulos wrote:
> For EAP-MSCHAPv2 in Phase 2 of EAP-TTLS, I have to declare
> to wpa_supplicant Phase2="autheap=MSCHAPV2".


> For PEAP though, if I do:
>     phase1="peaplabel=1"

Are you sure the authentication server is using the new PEAP label? Most
servers don't.

>     phase2="auth=MSCHAPV2" (notice that it is just auth, and not
> autheap)

> will I be doing mschapv2 or eap-mschapv2 on Phase 2?

Well.. Depends on what you want to call the stuff that PEAP does (it may
end up removing the EAP headers from Phase 2).. But anyway, it is
EAP-MSCHAPv2 -based.

> If I am right, PEAP supports only EAP methods for Phase 2, so
> the two above configurations should have exactly the same phase 2, right?

EAP-TTLS is the odd one with an option for both EAP and non-EAP Phase 2
methods and, as such, needs to have a different specification for MSCHAPv2
(without EAP) and EAP-MSCHAPv2. PEAP and EAP-FAST use the auth=<EAP
method name> selection.

-- 
Jouni Malinen                                            PGP id EFC895FA
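
The selection rule described in the reply above, as an added example that is not part of the original message or of wpa_supplicant: a small checker that reads a network block and reports which inner method its phase2 string asks for. The function names and the sample blocks are constructed for illustration, and the non-EAP methods other than MSCHAPV2 are taken from wpa_supplicant's documentation rather than from this thread.

```python
# Added example: classify the Phase 2 method of a wpa_supplicant network block.
# The config blocks at the bottom are constructed samples, not from the thread.

# Non-EAP inner methods that EAP-TTLS selects with auth= (the thread only
# discusses MSCHAPV2; the other three are from wpa_supplicant's documentation).
TTLS_NON_EAP = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"}

def parse_network_block(text):
    """Return {key: value} for the key=value lines of one network block."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip('"')
    return fields

def classify_phase2(text):
    """List the inner methods a block asks for. Only EAP-TTLS distinguishes
    auth= (no EAP) from autheap= (EAP); PEAP and EAP-FAST use auth=<EAP method>."""
    fields = parse_network_block(text)
    outer = fields.get("eap", "").upper()
    results = []
    for item in fields.get("phase2", "").split():
        key, _, method = item.partition("=")
        method = method.upper()
        if outer == "TTLS" and key == "autheap":
            results.append("EAP-" + method)
        elif outer == "TTLS" and key == "auth" and method in TTLS_NON_EAP:
            results.append(method + " without EAP")
        elif outer in ("PEAP", "FAST") and key == "auth":
            results.append("EAP-" + method)
        else:
            # Does not follow the convention in the reply; how wpa_supplicant
            # itself treats such a string is not modelled here.
            results.append("unexpected: %s with eap=%s" % (item, outer))
    return results

TTLS_EAP = 'network={\n  eap=TTLS\n  phase2="autheap=MSCHAPV2"\n}'
TTLS_PLAIN = 'network={\n  eap=TTLS\n  phase2="auth=MSCHAPV2"\n}'
PEAP = 'network={\n  eap=PEAP\n  phase2="auth=MSCHAPV2"\n}'
PEAP_WRONG = 'network={\n  eap=PEAP\n  phase2="autheap=MSCHAPV2"\n}'

if __name__ == "__main__":
    for name, block in [("TTLS autheap", TTLS_EAP), ("TTLS auth", TTLS_PLAIN),
                        ("PEAP auth", PEAP), ("PEAP autheap", PEAP_WRONG)]:
        print(name, "->", classify_phase2(block))
```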

