EAP-PEAP fails when RADIUS server not configured with EAP-TLS as first method
  • I posted a topic in Getting Started called 802.1X questions and think at least part of that post should be labeled a bug.

    I've focused on trying to get EAP-PEAP working and found the following:

    I was running a packet capture on our wireless controller and compared a device using PEAP that works and the LoPy which doesn't.

    Here's a brief description of the flow and what is breaking down.
    A wireless device attempts to associate to the network, starts EAP, and the RADIUS server responds with Access-Challenge and EAP Type = 13 (EAP-TLS). The device receives this challenge, sends back a NAK:

    Extensible Authentication Protocol
        Code: Response (2)
        Id: 2
        Length: 6
        Type: Legacy Nak (Response Only) (3)
        Desired Auth Type: Protected EAP (EAP-PEAP) (25)
    
    

    The process starts over, using EAP-PEAP. The device authenticates and associates.

    For the LoPy, upon receiving the EAP-Request with EAP Type 13 (TLS), it responds with NAK:

    Extensible Authentication Protocol
        Code: Response (2)
        Id: 4
        Length: 9
        Type: Legacy Nak (Response Only) (3)
        Desired Auth Type: Unknown (0)
    

    At this point, the RADIUS server rejects the connection with EAP Type not supported.

    The EAP method order in our RADIUS server is TLS, then PEAP. This is not something I can easily change, nor should I have to.

    The proper response should be for the LoPy to respond to an EAP-TLS challenge with NAK and Desired EAP Type set to PEAP
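    As an added illustration (not code from the post or from Pycom), the snippet below builds and parses the two Legacy Nak responses shown in the captures and mimics the server's decision: a Nak that names PEAP (25) lets the server restart with PEAP, while a Nak whose desired type is 0 leaves it with nothing to offer and it rejects, as the LoPy trace shows. The 4-byte Nak data for the LoPy case is constructed to match the Length of 9 in the capture; the server logic is a simplification, not the actual RADIUS server code.

```python
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_NAK = 3    # Legacy Nak, RFC 3748 section 5.3.1
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25
# Server method order from the post: EAP-TLS first, then EAP-PEAP
SERVER_METHODS = [EAP_TYPE_TLS, EAP_TYPE_PEAP]


def build_eap(code, identifier, eap_type, data=b""):
    """Serialise one EAP packet: Code, Id, Length (header included), Type, data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data


def build_nak(identifier, desired_types):
    """Legacy Nak: one octet per method the peer is willing to use (0 = none)."""
    return build_eap(EAP_CODE_RESPONSE, identifier, EAP_TYPE_NAK, bytes(desired_types))


def parse_eap(pkt):
    """Parse an EAP header and check the Length field against the packet size."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than the 5-byte header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": identifier, "length": length,
            "type": eap_type, "data": pkt[5:]}


def server_next_method(offered_type, response):
    """Simplified server decision after offering offered_type.

    Returns the method to continue with, or None, which corresponds to the
    'EAP Type not supported' reject seen in the post."""
    resp = parse_eap(response)
    if resp["code"] != EAP_CODE_RESPONSE:
        return None
    if resp["type"] == offered_type:
        return offered_type          # peer accepted the offered method
    if resp["type"] != EAP_TYPE_NAK:
        return None
    # Nak data lists desired types; a 0 means "no proposed alternative"
    for wanted in resp["data"]:
        if wanted != 0 and wanted in SERVER_METHODS:
            return wanted
    return None


# Constructed samples matching the two captures above (Id 2 / Length 6 and Id 4 / Length 9)
WORKING_NAK = build_nak(2, [EAP_TYPE_PEAP])
LOPY_NAK = build_nak(4, [0, 0, 0, 0])
```

Running `server_next_method(EAP_TYPE_TLS, WORKING_NAK)` returns 25 (restart with PEAP); the same call with `LOPY_NAK` returns None.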


