Phil Mayers wrote:
> PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
> "bare" MSCHAP variant, because there's no spec for how to derive the
> MSCHAP challenge from the TLS master secret.

FWIW: PEAP is TLS + inner EAP. That's why there's no PAP / CHAP / MS-CHAP inside the tunnel. It *has* to be EAP.

> Microsoft could solve a lot of problems right now by providing an API to
> execute EAP-PWD with the NT-hash variant of the secret against an AD
> controller. Instead, we're all flailing around with the very best of
> early 90s crypto protecting our wireless :o(

Pretty much.

Alan DeKok.