Phase 2 on PEAP and EAP-TTLS
panos at comp.lancs.ac.uk
Thu Nov 18 06:23:43 EST 2010
Thanks for your reply; please see my answers inline.
> On Wed, Nov 17, 2010 at 06:45:11PM -0000, Panagiotis Georgopoulos
> > For EAP-MSCHAPv2 in Phase 2 of EAP-TTLS, I have to declare
> > to wpa_supplicant Phase2="autheap=MSCHAPV2".
> > For PEAP though, if I do :
> > phase1="peaplabel=1"
> Are you sure the authentication server is using the new PEAP label?
> Most servers don't.
Well, I am using FreeRadius 2.1.10 and I see no warnings or errors on the
FR's output regarding label=1 and the authentication finishes successfully.
Shouldn't I have seen an error/warning somewhere in the output?
I am afraid I am unable to find whether the new label is supported on
> > phase2="auth=MSCHAPV2" (notice that it is just auth, and not autheap)
> > will I be doing mschapv2 or eap-mschapv2 on Phase 2?
> Well.. Depends on what you want to call the stuff that PEAP does (it
> may end up removing the EAP headers from Phase 2).. But anyway, it is
> EAP-MSCHAPv2 -based.
Well.. since in theory PEAP is using only EAP-based methods in Phase 2, I am
thinking that setting phase2="auth=MSCHAPV2" would do EAP-MSCHAPv2. Your
characterization as "based" worries me a little...:-D
> > If I am right PEAP supports only EAP methods for Phase 2, so
> > the two above configurations should have exactly the same phase 2,
> EAP-TTLS is the odd one with the option for both EAP and non-EAP Phase 2
> methods and, as such, needs to have a different specification for MSCHAPv2
> (without EAP) and EAP-MSCHAPv2. PEAP and EAP-FAST use the auth=<EAP
> method name> selection.
I totally see your point; this is the reason, I think, you consider both
auth=MSCHAPv2 and autheap=MSCHAPv2 valid options for EAP-TTLS in phase2, to
distinguish between plain mschapv2 and eap-mschapv2, right? This is exactly
what I wanted to clarify...
On a similar note, would the EAP-PEAP/MSCHAPv2 and EAP-TTLS/EAP-MSCHAPv2 have
exactly the same second phase? In theory, when they both establish a secure
channel in Phase 1 using their respective mechanisms, they should have
identical phase2 based on EAP-MSCHAPv2. Right or wrong?
Thanks a lot,
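
The Phase 2 selections discussed in this thread, side by side, as an added example that is not part of the original message or of the wpa_supplicant project's own files. The SSIDs, identities, passwords and CA certificate path are constructed placeholders.

```conf
# Constructed wpa_supplicant.conf example; every value below is a placeholder.

# EAP-TTLS with plain (non-EAP) MSCHAPv2 in Phase 2: selected with "auth=".
network={
    ssid="example-ttls-mschapv2"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    # Validate the RADIUS server certificate before the inner method runs.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=MSCHAPV2"
}

# EAP-TTLS with EAP-MSCHAPv2 in Phase 2: selected with "autheap=".
network={
    ssid="example-ttls-eap-mschapv2"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="autheap=MSCHAPV2"
}

# PEAP: Phase 2 methods are EAP methods and are selected with "auth=",
# as the quoted reply above explains for PEAP and EAP-FAST.
network={
    ssid="example-peap-mschapv2"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # peaplabel=0 is the default (old label); peaplabel=1 selects the new
    # label, which the quoted reply says most servers do not use.
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```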