rlm_eap_peap

Synopsis

The PEAP module implements the EAP-PEAP protocol, which is Microsoft's version of TLS inside of EAP.

Caution
!!!!! WARNINGS for Windows compatibility !!!!!

If you see the server send an Access-Challenge and the client never sends another Access-Request, then

Warning
STOP!

The server certificate has to have special OIDs in it or else the Microsoft clients will silently fail. See the scripts/xpextensions file for details, as well as the following page:

For additional Windows XP SP2 issues, see:

If the above still doesn’t work and Samba is used, the problem may be a Samba bug. See:

Note
We do not necessarily agree with their explanation, but the fix does appear to work.

The tunnelled EAP session needs a default EAP type that is separate from the one for the non-tunnelled EAP module. Inside of the TLS/PEAP tunnel, EAP-MS-CHAPv2 is recommended.

Processing Sections

None. This is a sub-module of eap, and cannot be used on its own.

Expansions

None.

Directives

copy_request_to_tunnel
Syntax

copy_request_to_tunnel = boolean

Default

no

Description

The tunneled authentication request does not usually contain useful attributes like Calling-Station-Id, etc. These attributes are outside of the tunnel. By setting this configuration entry to yes, any attribute which is not in the tunneled authentication request, but which is available outside of the tunnel, is copied to the tunneled request.

This directive should be set to yes only for compatibility. In version 2 and later, the outer attributes can be referred to from the inner session, by using outer.request:Attribute-Name. See the unlang documentation for more information on attribute references.

This directive is the same as in the EAP-TTLS module, and behaves the same in both modules.

default_eap_type
Syntax

default_eap_type = string

Default

mschapv2

Description

The tunnelled EAP session needs a default EAP type that is separate from the one for the non-tunnelled EAP module. Inside of the EAP PEAP tunnel, we recommend using EAP-MS-CHAPv2, as that is the default type supported by Windows clients.

proxy_tunneled_request_as_eap
Syntax

proxy_tunneled_request_as_eap = boolean

Default

yes

Description

When the tunnelled session is proxied, the home server may not understand EAP-MS-CHAPv2. Set this entry to no to proxy the tunnelled EAP-MS-CHAPv2 as normal MSCHAPv2.

require_client_cert
Syntax

require_client_cert = boolean

Default

yes

Description

Unlike EAP-TLS, PEAP does not require a client certificate. However, you can require one by setting require_client_cert to yes. You can also override this option by setting EAP-TLS-Require-Client-Cert = Yes in the control items for a request.

soh
Syntax

soh = boolean

Default

no

Description

This option enables support for MS-SoH; see doc/SoH.txt for more info. It is disabled by default.

soh_virtual_server
Syntax

soh_virtual_server = string

Default

soh-server

Description

The SoH reply will be turned into a request which can be sent to a specific virtual server.

tls
Syntax

tls = string

Default

tls_common

Description

Points to the common TLS configuration, which is documented in tls-common.

use_tunneled_reply
Syntax

use_tunneled_reply = boolean

Default

no

Description

This configuration directive is found in both the PEAP module and in the EAP-TTLS module, and is the same in both modules.

virtual_server
Syntax

virtual_server = string

Default

inner-tunnel

Description

The inner tunnelled request can be sent through a virtual server constructed specifically for this purpose. If this entry is commented out, the inner tunnelled request will be sent through the virtual server that processed the outer requests.
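The following is an added example (not from the FreeRADIUS documentation or the project's shipped configuration) showing the directives above wired together in a peap sub-section of the eap module, followed by an inner-tunnel authorize fragment that reads an outer attribute through outer.request: instead of enabling copy_request_to_tunnel. The placement of the authorize fragment in sites-enabled/inner-tunnel, and the use of Calling-Station-Id, are assumptions for illustration.

```conf
# Added example: peap sub-module inside the eap module section.
eap {
    default_eap_type = peap

    peap {
        # Shared TLS settings, documented under tls-common.
        tls = tls-common
        # Inside the tunnel, Windows clients expect EAP-MSCHAPv2.
        default_eap_type = mschapv2
        # Leave attribute copying off; read outer attributes with
        # outer.request: from the inner virtual server instead.
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # Keep the inner request as EAP when proxied. Set to no only if
        # the home server cannot handle EAP-MSCHAPv2.
        proxy_tunneled_request_as_eap = yes
        # Process the inner request in a dedicated virtual server.
        virtual_server = "inner-tunnel"
        # PEAP does not need a client certificate; set yes to demand one
        # in addition to the inner authentication.
        require_client_cert = no
        # Statement of Health, handed to its own virtual server.
        soh = yes
        soh_virtual_server = "soh-server"
    }
}

# Assumed placement: sites-enabled/inner-tunnel, authorize section.
authorize {
    # The outer Calling-Station-Id is not in the tunnelled request, but
    # is reachable via outer.request: without copy_request_to_tunnel.
    if (outer.request:Calling-Station-Id) {
        update request {
            Calling-Station-Id := "%{outer.request:Calling-Station-Id}"
        }
    }
    eap
}
```

Copying only the attributes the inner policy actually needs keeps the tunnelled request small and makes it explicit which outer, unauthenticated values influence inner decisions.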