WPA+EAP-PEAP+MSCHAPv2 Problem
Greg Baker
gbaker
Fri Feb 11 03:56:55 PST 2005
Thanks for your reply, Jouni..
On February 9, 2005 11:45 pm, Jouni Malinen wrote:
> On Wed, Feb 09, 2005 at 03:23:05PM -0330, Greg Baker wrote:
> > I'm trying to connect to the wireless network at my school and am having
> > problems. It connects fine in Windows, but not Linux.
>
> Do you have any idea what authentication server is used in this network?
> If it is CiscoACS, please try the 0.3.7-pre version of wpa_supplicant
> from http://hostap.epitest.fi/releases/testing/ and add
> include_tls_length=1 into the phase1 configuration variable in the
> network block.
>
I don't, but can call the network admin and find out. I will ask him today
and get back to you.
> [snip]
>
> > network={
> > ssid="stu"
> > scan_ssid=1
> > key_mgmt=WPA-EAP
> > eap=PEAP
> > pairwise=TKIP
> > group=TKIP
> > identity="gbaker"
> > password="........."
> > phase1="peapver=1 peaplabel=1"
> > phase2="auth=MSCHAPV2"
> > }
>
> If this is indeed CiscoACS, it may also not like MSCHAPV2 in Phase 2 (at
> least when using PEAPv1), so you may also need to change that phase2
> auth option to select GTC.
Hmm.. I can only go by what the Windows setup looks like, and that uses
MSCHAPv2. If I do select GTC, will that work with an AP that does MSCHAP?
>
> > One thing I'm not sure about, do I need to have a certificate defined?
> > The APs here provide the certificate, and they are not validated.
>
> If you care about security, yes, you really do need to get the correct
> CA certificate and validate the server certificate. Without this, the
> connection is open for man-in-the-middle attack.
I understand the security part.. Unfortunately, our network at school is
configured with an unofficial certificate. So, I simply cannot verify it.
What I meant was, will wpa_supplicant actually work without verifying the
certificate?
Thanks for all your help, Jouni.