Re: Dynamic WEP support.

On Wed, 2006-03-22 at 15:34 -0500, Robert Love wrote:
> > EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
> > EAP-PEAP/TLS (both PEAPv0 and PEAPv1)
> > EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
> > EAP-PEAP/OTP (both PEAPv0 and PEAPv1)
> > EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
> > EAP-TTLS/EAP-MD5-Challenge
> Yah, I've seen this.  It doesn't really answer the question, although
> it is a start.
> What we have is
>         EAP-PEAP (supported now), plus the following 2nd stages:
>         MSCHAPv2, TLS, GTC, OTP, MD5-Challenge
>         EAP-TTLS (supported now), plus the following 2nd stages:
> So I have two questions: what are the EAP versions of the 2nd
> authentications?  E.g., what is "EAP-TTLS/EAP-MSCHAPv2" and how does
> it differ from "EAP-TTLS/MSCHAPv2" ?

As I understand it:

* WPA and WEP are two types of keys - WPA being a little more secure
* WPA-PSK (this is a wpa_supplicant term) is roughly the equivalent of 
  WEP with a preshared key.

What NM calls WPA2 Enterprise is actually WPA-EAP (this is a
wpa_supplicant term) - using EAP (extensible authentication protocol)
for dynamic WPA keys.

The key_mgmt type 802.1X (in wpa_supplicant) is the equivalent
authentication mechanism for dynamic WEP keys.

There are several EAP methods implemented in wpa_supplicant:


EAP-MD5 is insecure and can only be used as a phase 2 method for EAP-PEAP
or EAP-TTLS, same goes for EAP-MSCHAPV2. EAP-TLS requires a client and
server certificate. EAP-TTLS is an anonymous TLS tunnel wherein an extra
EAP/PAP/CHAP/MSCHAP/MSCHAPV2 authentication takes place. EAP-PEAP is a
tunneled EAP with anonymous outer layer (similar to EAP-TTLS).

I hope this answers your question. This is all quite clearly documented
in the default config file of wpa_supplicant (stupid place to document
things though)

> And my second question is, for each of the above, I need a human
> readable name (pretty easy to figure out) and the string that
> wpa_supplicant expects.

If wpa_supplicant requires the same strings in the control channel as it
does in the configuration, then the exhaustive list of strings can be
found there.

Dennis K.
 - Linux for human beings -
 - Linux for normal people -
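
The naming question raised in this thread ("EAP-TTLS/EAP-MSCHAPv2" versus "EAP-TTLS/MSCHAPv2") can be worked through in code. The following is an added example, not part of the original message and not NetworkManager or wpa_supplicant code: the function names are hypothetical, the SSID, identity and certificate path are constructed, and the config strings (`key_mgmt=WPA-EAP`, `key_mgmt=IEEE8021X`, `phase1="peapver=..."`, `phase2="auth=..."`, `phase2="autheap=..."`) are the ones used in wpa_supplicant's sample configuration file.

```python
import re

# Inner methods as wpa_supplicant spells them in phase2 values.
EAP_INNER = {"MD5", "MSCHAPV2", "GTC", "OTP", "TLS"}    # tunnelled EAP methods
NON_EAP_INNER = {"PAP", "CHAP", "MSCHAP", "MSCHAPV2"}   # plain inner auth, TTLS only

def phase2_for(name):
    """Map a display name such as 'EAP-TTLS/EAP-MSCHAPv2' to (eap, phase2)."""
    m = re.fullmatch(r"EAP-(PEAP|TTLS)/(EAP-)?([A-Z0-9]+?)(-CHALLENGE)?",
                     name.strip().upper())
    if not m:
        raise ValueError(f"unrecognised method name: {name!r}")
    outer, eap_prefix, inner = m.group(1), m.group(2), m.group(3)
    if outer == "PEAP" or eap_prefix:
        # The inner method is itself an EAP method. PEAP always tunnels EAP;
        # TTLS marks the EAP variant with "autheap=" instead of "auth=".
        if inner not in EAP_INNER:
            raise ValueError(f"{inner} is not an inner EAP method")
        key = "autheap" if outer == "TTLS" else "auth"
    else:
        # TTLS carrying a non-EAP inner authentication.
        if inner not in NON_EAP_INNER:
            raise ValueError(f"{inner} is not a non-EAP inner method for TTLS")
        key = "auth"
    return outer, f"{key}={inner}"

def network_block(ssid, method, identity, ca_cert, dynamic_wep=False, peapver=None):
    """Render a wpa_supplicant network block (credentials left out)."""
    eap, phase2 = phase2_for(method)
    lines = [
        f'ssid="{ssid}"',
        # IEEE8021X = 802.1X with dynamic WEP keys, WPA-EAP = 802.1X with WPA keys
        f'key_mgmt={"IEEE8021X" if dynamic_wep else "WPA-EAP"}',
        f"eap={eap}",
        f'identity="{identity}"',
        # Without ca_cert the server certificate of the outer tunnel is not verified.
        f'ca_cert="{ca_cert}"',
        f'phase2="{phase2}"',
    ]
    if eap == "PEAP" and peapver is not None:
        lines.insert(3, f'phase1="peapver={peapver}"')
    return "network={\n" + "".join(f"\t{line}\n" for line in lines) + "}\n"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for method in ("EAP-TTLS/EAP-MSCHAPv2", "EAP-TTLS/MSCHAPv2"):
        print(network_block("example-net", method, "user@example.org",
                            "/etc/cert/ca.pem"))
```

The two TTLS names differ only in the `phase2` line: `autheap=MSCHAPV2` runs MSCHAPv2 as an EAP method inside the tunnel, while `auth=MSCHAPV2` runs it as a plain inner authentication.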
