As far as I've seen, the MS supplicant implementation of PEAP only supports MS-CHAPv2 over PEAP. That makes it hard (if not impossible) to authenticate against e.g. a Unix passwd file (or an existing LDAP directory) as a backend.
You might be right that EAP /can/ be transported over PEAP as well, but I'm not sure. (I've not looked that much at PEAP since I saw some of its main disadvantages. ;-))
i thought that was the basic idea, otherwise they should call it PCHAP :-)
P.S. (I think there are also problems here since PEAP is terminated at the first RADIUS server (the one where the authenticator checks credentials): using "weak" authentication like PAP when proxying between RADIUS servers opens more possibilities for man-in-the-middle attacks and/or sniffing. I'm not sure again, haven't tested this yet. Maybe I'll look at this later.)
that's not really a PEAP problem though. that's more about RADIUS security in that case. (anyway, i wouldn't proxy radius packets over the internet directly, i would always use ipsec under it... hmac-md5 based security is not really the state of the art)
ciao artur
-- Artur Hecker Département Informatique et Réseaux, ENST Paris http://www.infres.enst.fr/~hecker
