rlm_eap_peap

Synopsis

The PEAP module implements the EAP-PEAP protocol, which is Micosoft’s version of TLS inside of EAP.

Caution

!!!!! WARNINGS for Windows compatibility !!!!!

If you see the server send an Access-Challenge and the client never sends another Access-Request, then

Warning

STOP!

The server certificate has to have special OIDs in it or else the Microsoft clients will silently fail. See the scripts/xpextensions file for details, as well as the following page:

http://support.microsoft.com/kb/814394/en-us

For additional Windows XP SP2 issues, see:

http://support.microsoft.com/kb/885453/en-us

If the above still doesn’t work and Samba is used, the problem may be a Samba bug. See:

https://bugzilla.samba.org/show_bug.cgi?id=6563`

Note	we do not necessarily agree with their explanation… but the fix does appear to work.

The tunnelled EAP session needs a default EAP type that is separate from the one for the non-tunnelled EAP module. Inside of the TLS/PEAP tunnel, EAP-MS-CHAPv2 is recommended.

Processing Sections

None. This is a sub-module of eap, and cannot be used on its own.

Expansions

None.

Directives

copy_request_to_tunnel

Syntax: copy_request_to_tunnel = boolean
Default: no
Description: The tunneled authentication request does not usually contain useful attributes like Calling-Station-Id, etc. These attributes are outside of the tunnel. By setting this configuration entry to yes, any attribute which is not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request.

This directive should be set to yes only for compatibility. In version 2 and later, the outer attributes can be referred to from the inner session, by using outer.request:Attribute-Name. See the unlang documentation for more information on attribute references.

This directive is the same as in the the EAP TTLS module, and is the same in both modules.

default_eap_type

Syntax: default_eap_type = string
Default: mschapv2
Description: The tunnelled EAP session needs a default EAP type that is separate from the one for the non-tunnelled EAP module. Inside of the EAP PEAP tunnel, we recommend using EAP-MS-CHAPv2, as that is the default type supported by Windows clients.

proxy_tunneled_request_as_eap

Syntax: proxy_tunneled_request_as_eap = boolean
Default: yes
Description: When the tunnelled session is proxied, the home server may not understand EAP-MS-CHAPv2. Set this entry to no to proxy the tunnelled EAP-MS-CHAPv2 as normal MSCHAPv2.

require_client_cert

Syntax: require_client_cert = boolean
Default: yes
Description: Unlike EAP-TLS, PEAP does not require a client certificate. However, you can require one by setting require_client_cert to yes. You can also override this option by setting EAP-TLS-Require-Client-Cert = Yes in the control items for a request.

soh

Syntax: soh = boolean
Default: no
Description: This option enables support for MS-SoH; see doc/SoH.txt for more info. It is disabled by default.

soh_virtual_server

Syntax: soh_virtual_server = string
Default: soh-server
Description: The SoH reply will be turned into a request which can be sent to a specific virtual server.

tls

Syntax: tls = string

Default: tls_common

Description: Points to the common TLS configuration, which is documented in tls-common.

use_tunneled_reply

Syntax: use_tunneled_reply = boolean
Default: no
Description: This configuration directive is found in both the PEAP module and in the EAP-TTLS module, and is the same in both modules.

virtual_server

Syntax: virtual_server = string
Default: inner-tunnel
Description: The inner tunnelled request can be sent through a virtual server constructed specifically for this purpose. If this entry is commented out, the inner tunnelled request will be sent through the virtual server that processed the outer requests.