[RADIATOR] eap + apple products - failed auth

Heikki Vatiainen hvn at open.com.au
Wed Feb 29 15:48:17 CST 2012


On 02/28/2012 09:58 PM, Alan Buxey wrote:

> PEAPv0 is the standard method that everyone uses that was created by RSA/Microsoft/Cisco
> (I think Intel had some say as well...but cant recall)
> 
> its the usual one in almost all clients when you choose 'PEAP'
> 
> Cisco went ahead to 'fix' things and, using GTC as the inner method helped
> push for the adoption of PEAPv1 (probably because of the LEAP issues....)
> 
> the 2 are different beasts and almost everyone will only ever need
> PEAPv0 - PEAPv1 is a very rare beast..rarer than PEAPv2 ;-)
> 
> if you really want to know the differences the RFCs are free to read...
> some people spend their evenings reading such things...i personally
> dont find them that thrilling ;-)

Good summary about the different versions. I think part of the problem
is there is no PEAP RFC. There are a number of internet-drafts, but none
made it to RFC. For example:

http://tools.ietf.org/html/draft-kamath-pppext-peapv0-00

and these 10 drafts that go up to version 2:

http://tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap


Microsoft seems to maintain PEAP these days:
http://msdn.microsoft.com/en-us/library/cc238354%28v=prot.13%29.aspx

This PEAP document is frequently updated and has text about version
negotiation but uses 0 for its own version.

In summary: there are multiple documents with different versions, but
version 0 seems to work the best among all implementations. Especially
Macs do not like version 1.

Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


More information about the radiator mailing list