PEAPv1(EAP-GTC) config with Cisco ACS

Jouni Malinen j
Mon Mar 16 12:55:24 PDT 2009

On Mon, Mar 16, 2009 at 03:16:36PM -0400, Dan Williams wrote:
> On Mon, 2009-03-16 at 20:55 +0200, Jouni Malinen wrote:
> > On Mon, Mar 16, 2009 at 02:55:00PM +1100, Ben Carbery wrote:
> > 
> > > I am still getting failures after commenting the phase1 line. Can someone
> > > please check these are the right settings for PEAPv1(EAP-GTC)? Note it
> > > should using PAP, not MSCHAP.
> > 
> > >         eap=PEAP
> > >         # phase1="peap_outer_success=0 peaplabel=1"
> > >         phase2="auth=GTC"
> > 
> > Replace that phase2 line with:
> > 
> >         phase2="auth=PAP"
> > 
> > (and you can remove the commented out phase1 line; if peaplabel=1 is
> > used there, it will break interoperability with ACS)
>
> So his setup really isn't GTC, but PAP, right?  When *is* GTC usually
> used with PEAP?

Oh, sorry, I'm clearly getting confused with the description, so no, the
change I proposed will most certainly not be the correct one. I'm not
sure what the "it should [be] using PAP, not MSCHAP" is trying to say,
but if it means that the authentication server backend requires plaintext
password, auth=GTC was likely the correct choice and the configuration
was actually correct in the first place. That auth=PAP would only be
used with EAP-TTLS.

If the connection does not work, the next step would be to take a look
at the wpa_supplicant debug log and, if possible, at the ACS log to see why
the connection was denied.

Jouni Malinen                                            PGP id EFC895FA
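
The two inner-method pairings discussed in this thread, as an added example that is not part of the original message or of the hostap project's files: a wpa_supplicant.conf sketch with PEAP/EAP-GTC beside EAP-TTLS/PAP. The SSIDs, identities, passwords and CA path are constructed placeholders, and the ca_cert lines are an addition here, included because both inner methods carry the password in plaintext inside the TLS tunnel.

```conf
# Constructed example; all SSIDs, user names, passwords and paths are placeholders.

# PEAP with EAP-GTC as the inner method: the combination the thread
# concludes is appropriate when the backend needs a plaintext password.
network={
    ssid="example-peap-gtc"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    # Without ca_cert the server certificate is not verified, so the
    # plaintext inner password could be handed to a rogue authenticator.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # No phase1 line: per the thread, peaplabel=1 breaks interoperability
    # with ACS, so it is left unset.
    phase2="auth=GTC"
}

# auth=PAP is a non-EAP inner method and belongs with EAP-TTLS, not PEAP.
network={
    ssid="example-ttls-pap"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    phase2="auth=PAP"
}
```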
