Check for identifier in EAP-PEAP phase-2

Jouni Malinen
Fri Sep 24 23:13:35 PDT 2010

On Sat, Sep 25, 2010 at 12:19:01AM +0530, paul peterson wrote:

> I'm trying to perform EAP-PEAPv1 authentication using Juniper SBR. I have
> EAP-GTC disabled in wpa_supplicant, so in phase-2 when wpa_supp receives
> EAP-GTC proposal, it sends legacy NAK with method MSCHAPv2. In response SBR
> sends a new proposal for MSCHAPv2 but with same identifier value as in the
> last EAP frame. I see wpa_supplicant does not have any check to see if the
> identifier value matches with the one in the last frame received during the
> EAP-PEAP second stage. Is this correct to skip the check?

Which Identifier field are you referring to? The one in the outer header
or the one in the inner (tunneled) one? I would assume that both values
are actually supposed to change in this particular case. However,
wpa_supplicant has a workaround for this enabled by default to
interoperate with deployed authentication servers. Unless disabled
(eap_workaround=0), the EAP message with the same Identifier value is
accepted if it differs from the previous message in any part of the

Jouni Malinen                                            PGP id EFC895FA
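To make the Identifier handling discussed in this thread concrete, here is an added illustration that is not wpa_supplicant's own code: a small peer-side classifier that treats a repeated Identifier as a retransmission, except that, with the workaround enabled, a same-Identifier message whose bytes differ from the previous request is processed as a new request. The struct and function names are hypothetical, the packets are constructed to mirror the GTC-then-MSCHAPv2 exchange paul describes, and the "differs in any part of the message" reading of the workaround is this example's assumption. In EAP-PEAP the inner (tunneled) EAP has its own header, so the same check would be applied separately to the outer and the inner Identifier.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EAP header (RFC 3748, section 4): Code(1) Identifier(1) Length(2, big-endian) Type(1)... */
#define EAP_CODE_REQUEST   1
#define EAP_HDR_LEN        4
#define EAP_TYPE_GTC       6    /* EAP-GTC */
#define EAP_TYPE_MSCHAPV2  26   /* EAP-MSCHAPv2 */
#define EAP_MAX_MSG        256  /* constructed limit for this example */

/* Hypothetical peer-side state; not wpa_supplicant's own struct. */
struct eap_peer_state {
    bool    have_prev;              /* a previous request has been recorded */
    uint8_t prev_id;                /* Identifier of that request */
    uint8_t prev_msg[EAP_MAX_MSG];  /* its full bytes, for the content comparison */
    size_t  prev_len;
    bool    workaround;             /* true ~ eap_workaround=1 (default), false ~ eap_workaround=0 */
};

enum eap_verdict { EAP_ACCEPT_NEW, EAP_DUPLICATE, EAP_MALFORMED };

/* Classify an incoming EAP-Request against the last one recorded in st. */
enum eap_verdict eap_classify_request(struct eap_peer_state *st,
                                      const uint8_t *msg, size_t len)
{
    if (len < EAP_HDR_LEN || len > EAP_MAX_MSG || msg[0] != EAP_CODE_REQUEST)
        return EAP_MALFORMED;
    size_t hdr_len = ((size_t)msg[2] << 8) | msg[3];
    if (hdr_len != len)
        return EAP_MALFORMED;          /* Length field must cover the whole message */

    uint8_t id = msg[1];
    if (st->have_prev && st->prev_id == id) {
        bool same_body = (st->prev_len == len) && memcmp(st->prev_msg, msg, len) == 0;
        /* Strict reading: a repeated Identifier is a retransmission, so drop it.
         * With the workaround, only a byte-for-byte identical message is a duplicate;
         * a same-Identifier message with different contents is processed as new. */
        if (same_body || !st->workaround)
            return EAP_DUPLICATE;
    }
    st->have_prev = true;
    st->prev_id = id;
    st->prev_len = len;
    memcpy(st->prev_msg, msg, len);
    return EAP_ACCEPT_NEW;
}

/* Constructed scenario from the thread: the server proposes GTC with Identifier 5,
 * the peer NAKs it, and the server's MSCHAPv2 proposal reuses Identifier 5.
 * Returns the verdict for that second request. */
enum eap_verdict demo_reused_identifier(bool workaround)
{
    struct eap_peer_state st = { .workaround = workaround };
    const uint8_t gtc_req[]  = { EAP_CODE_REQUEST, 5, 0x00, 0x05, EAP_TYPE_GTC };
    const uint8_t msch_req[] = { EAP_CODE_REQUEST, 5, 0x00, 0x05, EAP_TYPE_MSCHAPV2 };
    enum eap_verdict v = eap_classify_request(&st, gtc_req, sizeof gtc_req);
    if (v != EAP_ACCEPT_NEW)
        return v;
    return eap_classify_request(&st, msch_req, sizeof msch_req);
}

/* A genuine retransmission (identical bytes) is a duplicate in both modes. */
enum eap_verdict demo_retransmission(bool workaround)
{
    struct eap_peer_state st = { .workaround = workaround };
    const uint8_t req[] = { EAP_CODE_REQUEST, 5, 0x00, 0x05, EAP_TYPE_GTC };
    eap_classify_request(&st, req, sizeof req);
    return eap_classify_request(&st, req, sizeof req);
}

int main(void)
{
    printf("reused id, workaround on : %s\n",
           demo_reused_identifier(true) == EAP_ACCEPT_NEW ? "accepted as new" : "dropped as duplicate");
    printf("reused id, workaround off: %s\n",
           demo_reused_identifier(false) == EAP_ACCEPT_NEW ? "accepted as new" : "dropped as duplicate");
    printf("retransmission           : %s\n",
           demo_retransmission(true) == EAP_DUPLICATE ? "dropped as duplicate" : "accepted");
    return 0;
}
```

With the workaround on, the reused-Identifier MSCHAPv2 proposal is accepted as a new request; with it off, the peer treats it as a retransmission and the exchange stalls, which is the interoperability trade-off the reply describes. A true retransmission is still discarded in both modes, so the workaround only relaxes the check for messages whose contents actually changed.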
