(RADIATOR) Mac OS X/PEAP Issues - PEAPv0 vs PEAPv1

Tom Rixom tom.rixom at alfa-ariss.com
Fri Mar 5 03:45:23 CST 2004


Hi Terry,

> -----Original Message-----
> From: Terry Simons [mailto:galimore at mac.com]
> Sent: Wednesday, March 05, 2003 9:31 AM
> To: Radiator
> Subject: (RADIATOR) Mac OS X/PEAP Issues - PEAPv0 vs PEAPv1
> 
> 
> I think I may have finally deciphered the Mac OS X PEAP riddle (but I 
> still think people should use TTLS->PAP 8-)
> 

;)

> After digging a little bit deeper it seems as though Apple may only 
> support PEAPv1->GTC.
> 
> They also support PEAPv0->MD5-Challenge and PEAPv0->MSCHAPv2.
> (I have tested both of these... and they work with Radiator).
> 
> Can someone tell me how Windows XP SP1 handles PEAPv1?  Is it actually
> using something like "PEAPv1 w/MSCHAPv2", or does Windows indicate that
> it would prefer PEAPv0?
> 

I don't think Windows XP SP1 handled PEAPv1.

This is the IETF draft of Microsoft's PEAP version 0.

http://www.ietf.org/internet-drafts/draft-kamath-pppext-peapv0-00.txt

The big difference, btw, between PEAP v1 and PEAP v0 is that Microsoft
thought it would be quicker if the EAP headers within PEAP were stripped off... :|

That's why it cannot work... 

> I have submitted a bug to Apple regarding the inability to authenticate to
> Radiator when PEAPv1 is the authentication type... so maybe this will
> get fixed.  I'll keep the list informed if I get any useful reports
> back from Apple.
> 
> PEAP is an ugly beast.  :-)
> 

Very true... the funny thing is that I tested the original BETA client of Microsoft,
the one they built to work with Cisco's ACS. It did use PEAP v1 and worked
perfectly with Cisco's ACS. When Windows XP SP1 came out they had changed
the way the inner EAP was sent and it was no longer compatible with Cisco...

> Since this question comes up quite a bit, I might as well re-state a 
> common problem with PEAP:
> 
> PEAP requires clear-text or reversibly encrypted passwords on the
> server side, which is a bit of a security concern.  Without clear-text
> or reversible passwords, your PEAP authentications will fail.
> 
> Although it has been mentioned before, it can't hurt to re-state that 
> there is a *FREE* TTLS->PAP plugin for Windows 2k SP4/XP 
> (http://www.alfa-ariss.com) that provides TTLS functionality for 
> Windows XP (it ties right into WZC too, and has none of the GINA 
> problems that other supplicants have), and of course Mac OS X Panther 
> supports TTLS->PAP as well... (And for those Linux users, check out 
> http://www.open1x.org)

:)

Tom.

> 
> Terry Simons
> Network and Laptop Support
> Marriott Library, University of Utah
> http://www.laptop.lib.utah.edu
> 
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 

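The header-stripping difference Tom describes, as a small added Python model (example code written for this page, not from the thread or from Radiator). It assumes the usual PEAP framing: the negotiated version in the low three bits of the EAP-PEAP Flags octet, and, in PEAPv0, inner EAP packets carried as Type+data only (the EAP Extensions method being the exception); the MS-CHAPv2 payload bytes are a constructed placeholder:

```python
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_MSCHAPV2 = 26
EAP_TYPE_EXTENSIONS = 33   # EAP Extensions (TLV); keeps its full header even in PEAPv0

# Constructed placeholder for an MS-CHAPv2 method payload (not a real exchange).
SAMPLE_MSCHAPV2_BODY = bytes(range(1, 9))


def peap_version(flags: int) -> int:
    """Negotiated PEAP version lives in the low three bits of the EAP-PEAP Flags octet (L M S R R V V V)."""
    return flags & 0x07


def wrap_inner_eap(version, code, identifier, eap_type, data):
    """Frame an inner EAP packet for the TLS tunnel.
    PEAPv1 (Cisco): full Code/Identifier/Length/Type header, like any EAP packet.
    PEAPv0 (Microsoft): Code, Identifier and Length are omitted; only Type+data go
    in the tunnel, except for EAP Extensions (Type 33), which keeps the full header."""
    body = bytes([eap_type]) + data
    if version == 0 and eap_type != EAP_TYPE_EXTENSIONS:
        return body
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def unwrap_inner_eap(version, buf, outer_code, outer_identifier, expect_extensions=False):
    """Parse a tunneled inner EAP packet and return (code, identifier, type, data).
    In PEAPv0 the stripped header is rebuilt from the outer EAP-PEAP packet; the
    receiver knows from its own state whether an Extensions (TLV) round is expected."""
    if version == 0 and not expect_extensions:
        if not buf:
            raise ValueError("empty inner EAP packet")
        return outer_code, outer_identifier, buf[0], bytes(buf[1:])
    if len(buf) < 5:
        raise ValueError("inner EAP packet too short for a full header")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length != len(buf):
        raise ValueError("inner EAP length %d does not match %d bytes" % (length, len(buf)))
    return code, identifier, buf[4], bytes(buf[5:])


def misread_type_on_version_mismatch():
    """A PEAPv1-framed MS-CHAPv2 response parsed with PEAPv0 rules: the Code octet (2)
    is taken as the EAP Type, so the server sees 'Notification' instead of MS-CHAPv2."""
    v1_frame = wrap_inner_eap(1, EAP_CODE_RESPONSE, 5, EAP_TYPE_MSCHAPV2, SAMPLE_MSCHAPV2_BODY)
    _, _, seen_type, _ = unwrap_inner_eap(0, v1_frame, EAP_CODE_RESPONSE, 5)
    return seen_type
```

The last function shows why a client and server that disagree on the version cannot authenticate: the same bytes parse as a different inner method, so the exchange fails before any password is checked.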
