Check for identifier in EAP-PEAP phase-2

paul peterson paul.petersn
Mon Sep 27 01:17:23 PDT 2010

I'm referring to identifier in the inner (tunneled) one. So once EAP-TLS is
successfully over, Juniper SBR sends proposal for EAP-GTC with identifier
value 2, in response wpa_supplicant sends legacy NAK with EAP-MSCHAPv2 as a
supported method, and then Juniper SBR proposes EAP-MSCHAPv2 with identifier
value 2 again. In spite of same identifier value i.e. 2 in two consecutive
EAP frames from SBR, wpa_supplicant accomplishes EAP-MSCHAPv2 successfully.

- Paul

On Sat, Sep 25, 2010 at 12:19 AM, paul peterson <paul.petersn at>wrote:

> Hi,
> I'm trying to perform EAP-PEAPv1 authentication using Juniper SBR. I have
> EAP-GTC disabled in wpa_supplicant, so in phase-2 when wpa_supp receives
> EAP-GTC proposal, it sends legacy NAK with method MSCHAPv2. In response SBR
> sends a new proposal for MSCHAPv2 but with same identifier value as in the
> last EAP frame. I see wpa_supplicant does not have any check to see if the
> identifier value matches with the one in the last frame received during the
> EAP-PEAP second stage. Is this correct to skip the check ?
> - Paul
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the Hostap mailing list