Phase 2 on PEAP and EAP-TTLS

Panagiotis Georgopoulos panos at comp.lancs.ac.uk
Thu Nov 18 06:23:43 EST 2010


Hello Jouni, 

	Thanks for your reply, please see my answers inline. 

> On Wed, Nov 17, 2010 at 06:45:11PM -0000, Panagiotis Georgopoulos
> wrote:
> >  For EAP-MSCHAPv2 in Phase 2 of EAP-TTLS , I have to declare
> >  to wpa_supplicant Phase2="autheap=MSCHAPV2".
> >
> >                 For PEAP though, if I do :
> >               phase1="peaplabel=1"
> 
> Are you sure the authentication server is using the new PEAP label?
> Most servers don't.

Well, I am using FreeRadius 2.1.10 and I see no warnings or errors on the
FR's output regarding label=1 and the authentication finishes successfully.
Shouldn't I have seen an error/warning somewhere in the output?

I am afraid I am unable to find whether the new label is supported on
freeradius' website...

> 
> >   phase2="auth=MSCHAPV2" (notice that it is just auth, and not autheap)
> >   will I be doing mschapv2 or eap-mschapv2 on Phase 2?
> 
> Well.. Depends on what you want to call the stuff that PEAP does (it
> may end up removing the EAP headers from Phase 2).. But anyway, it is
> EAP-MSCHAPv2 -based.

Well.. since in theory PEAP is using only EAP based methods in Phase 2, I am
thinking that setting phase2="auth=MSCHAPV2" it would do EAP-MSCHAPv2. Your
characterization as "based" worries me a little...:-D

> 
> >  If I am right PEAP supports only EAP methods for Phase 2, so
> > the two above configurations should have exactly the same phase 2,
right?
> 
> EAP-TTLS is the odd one with option for both EAP and non-EAP Phase 2
> methods and as such, need to have different specification for MSCHAPv2
> (without EAP) and EAP-MSCHAPv2. PEAP and EAP-FAST use the auth=<EAP
> method name> selection.

I totally see your point, thus is the reason I think, you consider valid
options both auth=MSCHAPv2 and autheap=MSCHAPv2 for EAP-TTLS in phase2 to
distinguish between plain mschapv2 and eap-mschapv2, right? This is exactly
what I wanted to clarify...

On a similar note, would the EAP-PEAP/MSHAPv2 and EAP-TTLS/EAP-MSCHAPv2 have
exactly the same second phase? In theory, when they both establish a secure
channel in Phase 1 using their respective mechanisms, they should have
identical phase2 based on EAP-MSCHAPv2. Right or wrong?

Thanks a lot,
Panos
 





More information about the HostAP mailing list