(RADIATOR) Mac OS X/PEAP Issues - PEAPv0 vs PEAPv1

[Terry Simons]

I think I may have finally deciphered the Mac OS X PEAP riddle (but I 
still think people should use TTLS->PAP 8-)

After digging a little bit deeper it seems as though Apple may only 
support PEAPv1->GTC.

They also support PEAPv0->MD5-Challenge and PEAPv0->MSCHAPv2.  (I have 
tested both of these... and they work with Radiator).

Can someone tell me how Windows XP SP1 handles PEAPv1?  Is it actually 
using something like "PEAPv1 w/MSCHAPv2", or does Windows indicate that 
it would prefer PEAPv0?

I have submitted a bug to Apple regarding the inability authenticate to 
Radiator when PEAPv1 is the authentication type... so maybe this will 
get fixed.  I'll keep the list informed if I get any useful reports 
back from Apple.

PEAP is an ugly beast.  :-)

Since this question comes up quite a bit, I might as well re-state a 
common problem with PEAP:

PEAP requires clear-text or reversibly encrypted passwords on the 
server side, which is a bit of a security concern.  Without clear-text 
or reversible passwords, your PEAP authentications will fail.

Although it has been mentioned before, it can't hurt to re-state that 
there is a *FREE* TTLS->PAP plugin for Windows 2k SP4/XP 
(http://www.alfa-ariss.com) that provides TTLS functionality for 
Windows XP (it ties right into WZC too, and has none of the GINA 
problems that other supplicants have), and of course Mac OS X Panther 
supports TTLS->PAP as well... (And for those Linux users, check out 
http://www.open1x.org)

Terry Simons
Network and Laptop Support
Marriott Library, University of Utah
http://www.laptop.lib.utah.edu

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.