Thank you Masahiko and Stuart for the appreciated explanations.
Olivier Cherrier
Phone: +352691570680
mailto:o...@symacx.com
On 8/12/25 7:32 PM, YASUOKA Masahiko wrote:
> On Tue, 12 Aug 2025 10:09:09 -0000 (UTC)
> Stuart Henderson <stu.li...@spacehopper.org> wrote:
>> On 2025-08-12, Olivier Cherrier <o...@symacx.com> wrote:
>>> Hi Masahiko,
>>> Thanks for your quick answer.
>>> What kind of scenarios/equipment are using EAP-MSCHAPv2 without EAP-PEAP?
>>
>> I think it's quite common for ppp login (behind npppd etc.)
>
> Generally EAP-MSCHAPv2 may be used for ppp, but npppd doesn't support EAP.
> I wrote it for iked. By configuring
>
>   authentication-filter * by eap2mschap
>   authenticate * by file
>
> you can use radiusd instead of writing user/pass in iked.conf.
> But, actually it was for the setup like
>
>   authentication-filter "" by eap2mschap
>   authenticate *@local by file
>   authenticate *@example.jp by radius
>
> this kind of thing. Some EAP clients (Latest IKEv2 client on Android
> at least) don't send the username as EAP-Identity. This prevents
> radius proxies from selecting the next server based on the username.
> eap2mschap terminates EAP partially to know the username. Yes, it
> may be a very minor scenario.