Config for WPA Peap and MSchap v2 and Radius auth

Bryan Kadzban bryan
Mon Jan 9 15:24:39 PST 2006


Kevin Everts wrote:
> The AP at work is using WPA with
> TKIP, EAP/LEAP for radius authentication (windows 2000 domain authentication
> to a windows 2000 radius server).

LEAP (the Cisco proprietary, brute-force-able protocol) or PEAP (the
tunnel protocol, usually with MSCHAPv2 underneath)?  AFAIK the Windows
RADIUS server doesn't support LEAP.  But it does support PEAP/MSCHAPv2,
so I'm guessing that's what you meant.

> Here is my config for the AP (from /etc/wpa_supplicant.conf)
> 
> network={
>     ssid="CE"
>     key_mgmt=IEEE8021X
>     eap=PEAP
>     phase2="auth=MSCHAPV2"
> }

That should be:

key_mgmt=WPA-EAP

since IEEE8021X is for dynamic WEP.  WPA-EAP is for either WPA or WPA2
(not *-PSK though; see the sample config file for the documentation).

You will probably also need:

pairwise=TKIP
group=TKIP
proto=WPA

These may be the defaults, but it's always a good idea to be explicit.

You will also need to set identity="yourusername", and configure your
password.  If this is a Windows box, and your company is doing machine
authentication, then there's no way I know of to use the machine's
domain credentials, but hopefully that's not an issue.
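
Added example, not part of the original message and not code from the wpa_supplicant project: a small Python checker that parses `network={...}` blocks and reports where they differ from the advice in the reply above. It assumes the AP is WPA with TKIP and RADIUS authentication as described in the thread; the function names are hypothetical and the password value is a placeholder.

```python
import re

# Constructed sample: the network block quoted in the thread.
QUOTED_CONF = '''network={
    ssid="CE"
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
'''
# Constructed sample: same block with the reply's changes; credentials are placeholders.
REVISED_CONF = '''network={
    ssid="CE"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="yourusername"
    password="placeholder"
}
'''

def parse_networks(text):
    """Return one dict of field -> value for each network={...} block."""
    blocks = []
    for body in re.findall(r'network\s*=\s*\{(.*?)\n\s*\}', text, re.S):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#'):
                key, _, value = line.partition('=')  # split on the first '=' only
                fields[key.strip()] = value.strip().strip('"')
        blocks.append(fields)
    return blocks

def check_wpa_enterprise(fields):
    """List deviations from the reply's advice (assumes a WPA/TKIP 802.1X AP)."""
    findings = []
    if fields.get('key_mgmt') != 'WPA-EAP':
        findings.append('key_mgmt=%s: use WPA-EAP (IEEE8021X is for dynamic WEP)' % fields.get('key_mgmt'))
    for key, want in (('proto', 'WPA'), ('pairwise', 'TKIP'), ('group', 'TKIP')):
        if fields.get(key) != want:
            findings.append('%s is not set explicitly to %s' % (key, want))
    for key in ('identity', 'password'):
        if not fields.get(key):
            findings.append('%s is missing' % key)
    return findings
```
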