Automatic regression and interoperability testing of wpa_supplicant's
IEEE 802.1X/EAPOL authentication

Test program:
- Linked some parts of IEEE 802.1X Authenticator implementation from
  hostapd (RADIUS client and RADIUS processing, EAP<->RADIUS
  encapsulation/decapsulation) into wpa_supplicant.
- Replaced wpa_supplicant.c and wpa.c with test code that triggers
  IEEE 802.1X authentication automatically without need for a wireless
  client card or AP.
- For EAP methods that generate keying material, the key derived by the
  Supplicant is verified to match the one received by the (now
  integrated) Authenticator.

The full automated test suite can now be run in a couple of seconds, but
I'm more than willing to add new RADIUS authentication servers to make
this take a bit more time.. ;-) As an extra bonus, this can also be
seen as automatic regression/interoperability testing for the RADIUS
server, too.

In order for me to be able to use a new authentication server, the
server needs to be available from the Internet (at least from one static
IP address) and I will need to get suitable user name/password pairs,
certificates, and private keys for testing use. Another alternative
would be to get an evaluation version of the server so that I can
install it on my own test setup. If you are interested in providing
either server access or an evaluation version, please contact me
(j@w1.fi).


Test matrix

+) tested successfully
F) failed
-) server did not support
?) not tested

Cisco ACS ----------------------------------------------------------.
hostapd --------------------------------------------------------.   |
Cisco Aironet 1200 AP (local RADIUS server) ----------------.   |   |
Periodik Labs Elektron ---------------------------------.   |   |   |
Lucent NavisRadius ---------------------------------.   |   |   |   |
Interlink RAD-Series ---------------------------.   |   |   |   |   |
Radiator -----------------------------------.   |   |   |   |   |   |
Meetinghouse Aegis ---------------------.   |   |   |   |   |   |   |
Funk Steel-Belted ------------------.   |   |   |   |   |   |   |   |
Funk Odyssey -------------------.   |   |   |   |   |   |   |   |   |
Microsoft IAS --------------.   |   |   |   |   |   |   |   |   |   |
FreeRADIUS -------------.   |   |   |   |   |   |   |   |   |   |   |
                        |   |   |   |   |   |   |   |   |   |   |   |

EAP-MD5                 +   -   -   +   +   +   +   +   -   -   +   +
EAP-GTC                 +   -   -   ?   +   +   +   +   -   -   +   -
EAP-OTP                 -   -   -   -   -   +   -   -   -   -   -   -
EAP-MSCHAPv2            +   -   -   +   +   +   +   +   -   -   +   -
EAP-TLS                 +   +   +   +   +   +   +   +   -   -   +   +
EAP-PEAPv0/MSCHAPv2     +   +   +   +   +   +   +   +   +   -   +   +
EAP-PEAPv0/GTC          +   -   +   -   +   +   +   +   -   -   +   +
EAP-PEAPv0/OTP          -   -   -   -   -   +   -   -   -   -   -   -
EAP-PEAPv0/MD5          +   -   -   +   +   +   +   +   -   -   +   -
EAP-PEAPv0/TLS          +   +   -   +   +   +   F   +   -   -   +   +
EAP-PEAPv0/SIM          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/AKA          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/PSK          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/PAX          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/SAKE         -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/GPSK         -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/MSCHAPv2     -   -   +   +   +   +1  +   +5  +8  -   +   +
EAP-PEAPv1/GTC          -   -   +   +   +   +1  +   +5  +8  -   +   +
EAP-PEAPv1/OTP          -   -   -   -   -   +1  -   -   -   -   -   -
EAP-PEAPv1/MD5          -   -   -   +   +   +1  +   +5  -   -   +   -
EAP-PEAPv1/TLS          -   -   -   +   +   +1  F   +5  -   -   +   +
EAP-PEAPv1/SIM          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/AKA          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/PSK          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/PAX          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/SAKE         -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/GPSK         -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/CHAP           +   -   +2  +   +   +   +   +   +   -   +   -
EAP-TTLS/MSCHAP         +   -   +   +   +   +   +   +   +   -   +   -
EAP-TTLS/MSCHAPv2       +   -   +   +   +   +   +   +   +   -   +   -
EAP-TTLS/PAP            +   -   +   +   +   +   +   +   +   -   +   -
EAP-TTLS/EAP-MD5        +   -   +2  +   +   +   +   +   +   -   +   -
EAP-TTLS/EAP-GTC        +   -   +2  ?   +   +   +   +   -   -   +   -
EAP-TTLS/EAP-OTP        -   -   -   -   -   +   -   -   -   -   -   -
EAP-TTLS/EAP-MSCHAPv2   +   -   +2  +   +   +   +   +   +   -   +   -
EAP-TTLS/EAP-TLS        +   -   +2  +   F   +   +   +   -   -   +   -
EAP-TTLS/EAP-SIM        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-AKA        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-PSK        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-PAX        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-SAKE       -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-GPSK       -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS + TNC          -   -   -   -   -   +   -   -   -   -   +   -
EAP-SIM                 +   -   -   ?   -   +   -   ?   -   -   +   -
EAP-AKA                 -   -   -   -   -   +   -   -   -   -   +   -
EAP-AKA'                -   -   -   -   -   -   -   -   -   -   +   -
EAP-PSK                 +7  -   -   -   -   +   -   -   -   -   +   -
EAP-PAX                 -   -   -   -   -   +   -   -   -   -   +   -
EAP-SAKE                -   -   -   -   -   -   -   -   -   -   +   -
EAP-GPSK                -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/MSCHAPv2(prov) -   -   -   +   -   +   -   -   -   +   +   +
EAP-FAST/GTC(auth)      -   -   -   +   -   +   -   -   -   +   +   +
EAP-FAST/MSCHAPv2(aprov)-   -   -   -   -   +   -   -   -   -   +   +
EAP-FAST/GTC(aprov)     -   -   -   -   -   +   -   -   -   -   +   +
EAP-FAST/MD5(aprov)     -   -   -   -   -   +   -   -   -   -   +   -
EAP-FAST/TLS(aprov)     -   -   -   -   -   -   -   -   -   -   +   +
EAP-FAST/SIM(aprov)     -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/AKA(aprov)     -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/MSCHAPv2(auth) -   -   -   -   -   +   -   -   -   -   +   +
EAP-FAST/MD5(auth)      -   -   -   -   -   +   -   -   -   -   +   -
EAP-FAST/TLS(auth)      -   -   -   -   -   -   -   -   -   -   +   +
EAP-FAST/SIM(auth)      -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/AKA(auth)      -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST + TNC          -   -   -   -   -   -   -   -   -   -   +   -
LEAP                    +   -   +   +   +   +   F   +6  -   +   -   +
EAP-TNC                 +9  -   -   -   -   +   -   -   -   -   +   -
EAP-IKEv2               +10 -   -   -   -   -   -   -   -   -   +   -

1) PEAPv1 required new label, "client PEAP encryption" instead of "client EAP
   encryption", during key derivation (requires phase1="peaplabel=1" in the
   network configuration in wpa_supplicant.conf)
2) used FreeRADIUS as inner auth server
5) PEAPv1 required termination of negotiation on tunneled EAP-Success and new
   label in key derivation
   (phase1="peap_outer_success=0 peaplabel=1") (in "IETF Draft 5" mode)
6) Authenticator simulator required patching for handling Access-Accept within
   negotiation (for the first EAP-Success of LEAP)
7) tested only with an older (incompatible) draft of EAP-PSK; FreeRADIUS does
   not support the current EAP-PSK (RFC) specification
8) PEAPv1 used non-standard version negotiation (client had to force v1 even
   though server reported v0 as the highest supported version)
9) only EAP-TTLS/EAP-TNC tested, i.e., test did not include proper sequence of
   client authentication followed by TNC inside the tunnel
10) worked only with special compatibility code to match the IKEv2 server
    implementation


Automated tests:

FreeRADIUS (2.0-beta/CVS snapshot)
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv0 / TLS
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS
- EAP-TTLS / CHAP
- EAP-TTLS / PAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / EAP-TNC (partial support; no authentication sequence)
- EAP-SIM
- LEAP

Microsoft Windows Server 2003 / IAS
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / TLS
- EAP-MD5
* IAS does not seem to support other EAP methods

Funk Odyssey 2.01.00.653
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP (using FreeRADIUS as inner auth srv)
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge (using FreeRADIUS as inner auth srv)
- EAP-TTLS / EAP-GTC (using FreeRADIUS as inner auth srv)
- EAP-TTLS / EAP-MSCHAPv2 (using FreeRADIUS as inner auth srv)
- EAP-TTLS / EAP-TLS (using FreeRADIUS as inner auth srv)
* not supported in Odyssey:
  - EAP-MD5-Challenge
  - EAP-GTC
  - EAP-MSCHAPv2
  - EAP-PEAP / MD5-Challenge
  - EAP-PEAP / TLS

Funk Steel-Belted Radius Enterprise Edition v4.71.739
- EAP-MD5-Challenge
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / MD5
- EAP-PEAPv0 / TLS
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / MD5
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / TLS
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS

Meetinghouse Aegis 1.1.4
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / TLS
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / TLS
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / MD5-Challenge
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
* did not work
  - EAP-TTLS / EAP-TLS
    (Server rejects authentication without any reason in debug log. It
     looks like the inner TLS negotiation starts properly and the last
     packet from Supplicant looks like the one sent in the Phase 1. The
     server generates a valid looking reply in the same way as in Phase
     1, but then ends up sending Access-Reject. Maybe an issue with TTLS
     fragmentation in the Aegis server(?) The packet seems to include
     1328 bytes of EAP-Message and this may go beyond the fragmentation
     limit with AVP encapsulation and TLS tunneling. Note: EAP-PEAP/TLS
     did work, so this issue seems to be with something TTLS specific.)

Radiator 3.17.1 (eval, with all patches up to and including 2007-05-25)
- EAP-MD5-Challenge
- EAP-GTC
- EAP-OTP
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / OTP
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv0 / TLS
  Note: Needed to use unknown identity in outer auth and sometimes the server
  seems to get confused and fails to send proper Phase 2 data.
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / OTP
- EAP-PEAPv1 / MD5-Challenge
- EAP-PEAPv1 / TLS
  Note: This has some additional requirements for EAPTLS_MaxFragmentSize.
  Using 1300 for outer auth and 500 for inner auth seemed to work.
  Note: Needed to use unknown identity in outer auth and sometimes the server
  seems to get confused and fails to send proper Phase 2 data.
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-OTP
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS
  Note: This has some additional requirements for EAPTLS_MaxFragmentSize.
  Using 1300 for outer auth and 500 for inner auth seemed to work.
- EAP-SIM
- EAP-AKA
- EAP-PSK
- EAP-PAX
- EAP-TNC

Interlink Networks RAD-Series 6.1.2.7
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / MD5-Challenge
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS
* did not work
  - EAP-PEAPv0 / TLS
  - EAP-PEAPv1 / TLS
    (Failed to decrypt Phase 2 data)

Lucent NavisRadius 4.4.0
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / TLS
- EAP-PEAPv1 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / TLS
  "IETF Draft 5" mode requires phase1="peap_outer_success=0 peaplabel=1"
  'Cisco ACU 5.05' mode works without phase1 configuration
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-TLS

Note: user certificate from NavisRadius had private key in a format
that wpa_supplicant could not use. Converting this to PKCS#12 and then
back to PEM allowed wpa_supplicant to use the key.


hostapd v0.3.3
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / MD5-Challenge
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
- EAP-SIM
- EAP-PAX

PEAPv1:

Funk Odyssey 2.01.00.653:
- uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
  keys with outer EAP-Success message after this
- uses label "client EAP encryption"
- (peap_outer_success 1 and 2 work)

Funk Steel-Belted Radius Enterprise Edition v4.71.739
- uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
  keys with outer EAP-Success message after this
- uses label "client EAP encryption"
- (peap_outer_success 1 and 2 work)

Radiator 3.9:
- uses TLV Success and Reply, sends MPPE keys with outer EAP-Success message
  after this
- uses label "client PEAP encryption"

Lucent NavisRadius 4.4.0 (in "IETF Draft 5" mode):
- sends tunneled EAP-Success with MPPE keys and expects the authentication to
  terminate at this point (gets somewhat confused with reply to this)
- uses label "client PEAP encryption"
- phase1="peap_outer_success=0 peaplabel=1"

Lucent NavisRadius 4.4.0 (in "Cisco ACU 5.05" mode):
- sends tunneled EAP-Success with MPPE keys and expects to receive TLS ACK
  as a reply
- uses label "client EAP encryption"

Meetinghouse Aegis 1.1.4
- uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
  keys with outer EAP-Success message after this
- uses label "client EAP encryption"
- peap_outer_success 1 and 2 work
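
The label difference recorded in the PEAPv1 notes above, as an added example (not code from wpa_supplicant or from the test program described here): it derives keying material under both labels and reports which peaplabel setting makes the Supplicant's key match the one each listed server would derive. The session values are constructed, and the use of the TLS 1.0 PRF (RFC 2246) with 64 octets of output is an assumption of this sketch.

```python
import hashlib
import hmac

# Labels quoted on this page; phase1="peaplabel=1" selects the newer one.
OLD_LABEL = b"client EAP encryption"
NEW_LABEL = b"client PEAP encryption"
KEY_LEN = 64  # assumption: 64 octets of keying material are exported

# PEAPv1 label per server, copied from the PEAPv1 notes on this page.
SERVER_LABEL = {
    "Funk Odyssey 2.01.00.653": OLD_LABEL,
    "Funk Steel-Belted Radius Enterprise Edition v4.71.739": OLD_LABEL,
    "Radiator 3.9": NEW_LABEL,
    "Lucent NavisRadius 4.4.0 (IETF Draft 5 mode)": NEW_LABEL,
    "Lucent NavisRadius 4.4.0 (Cisco ACU 5.05 mode)": OLD_LABEL,
    "Meetinghouse Aegis 1.1.4": OLD_LABEL,
}

# Constructed sample TLS session values (not taken from a real handshake).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32


def p_hash(digest, secret, seed, length):
    """P_hash data expansion from RFC 2246, section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    half = (len(secret) + 1) // 2
    md5_part = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1_part = p_hash(hashlib.sha1, secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def derive_key(label):
    """Keying material both ends compute from the same TLS session."""
    return tls10_prf(MASTER_SECRET, label, CLIENT_RANDOM + SERVER_RANDOM, KEY_LEN)


def required_peaplabel(server):
    """Return the peaplabel value whose Supplicant key matches the server's."""
    server_key = derive_key(SERVER_LABEL[server])
    matches = [value for value, label in ((0, OLD_LABEL), (1, NEW_LABEL))
               if hmac.compare_digest(derive_key(label), server_key)]
    if len(matches) != 1:
        raise ValueError("expected exactly one matching label setting")
    return matches[0]


if __name__ == "__main__":
    for name in SERVER_LABEL:
        print(f"{name}: peaplabel={required_peaplabel(name)}")
```

With the wrong label the TLS tunnel and inner authentication still complete; only the exported keys differ, which is the mismatch the Supplicant/Authenticator key comparison in the test program is there to catch.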