PEAP versions

Jouni Malinen j at
Thu Mar 2 11:00:32 PST 2017

On Thu, Mar 02, 2017 at 05:13:27PM +0200, Khali Singh wrote:
> Continuing on my previous question, on the list of supported EAP
> methods in wpa_supplicant, the following are mentioned:
> EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
> EAP-PEAP/TLS (both PEAPv0 and PEAPv1)
> EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
> EAP-PEAP/OTP (both PEAPv0 and PEAPv1)
> EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
> But I thought PEAPv0 is from Microsoft and meant for MSCHAPv2 while
> PEAPv1 is from Cisco and was defined for support for GTC.

Maybe so initially, but there is nothing in either design preventing
other inner methods from being used in Phase 2.

> And how does
> PEAPv2 fit into the picture? Does it provide more security by binding
> the inner authentication to the outer server TLS authentication?

It does not really fit the picture since no one seems to be implementing
or deploying it nor does there seem to be effort in completing a
specification for it.

By the way, Microsoft has added crypto binding into PEAPv0.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list