On Tue, 12 Aug 2025 10:09:09 -0000 (UTC)
Stuart Henderson <[email protected]> wrote:
> On 2025-08-12, Olivier Cherrier <[email protected]> wrote:
>> Hi Masahiko,
>>
>> Thanks for your quick answer.
>> What kind of scenarios/equipment are using EAP-MSCHAPv2 without EAP-PEAP?
>
> I think it's quite common for ppp login (behind npppd etc.)

Generally EAP-MSCHAPv2 may be used for ppp, but npppd doesn't support EAP.
I wrote it for iked. By configuring

    authentication-filter * by eap2mschap
    authenticate * by file

you can use radiusd instead of writing user/pass in iked.conf.
But actually it was for a setup like

    authentication-filter "" by eap2mschap
    authenticate *@local by file
    authenticate *@example.jp by radius

this kind of thing. Some EAP clients (Latest IKEv2 client on Android
at least) don't send the username as EAP-Identity. This prevents
radius proxies from selecting the next server based on the username.
eap2mschap terminates EAP partially to know the username. Yes, it
may be a very minor scenario.
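
The routing problem described in the message above, as an added example (not radiusd or eap2mschap code): an empty EAP Identity response gives a username-based selector nothing to match, while the Name field of the later EAP-MSCHAPv2 Response does. The first-match glob semantics, the function names and the sample packets are assumptions constructed for the illustration.

```python
import struct
from fnmatch import fnmatchcase

EAP_RESPONSE, TYPE_IDENTITY, TYPE_MSCHAPV2 = 2, 1, 26
OP_RESPONSE, VALUE_SIZE = 2, 49  # EAP-MSCHAPv2 Response opcode and fixed value size

# Patterns from the message above; first match wins (assumed semantics).
RULES = [("*@local", "file"), ("*@example.jp", "radius")]

def eap_username(pkt):
    """Return the username an EAP Response carries, or None if it carries none."""
    if len(pkt) < 5:
        raise ValueError("short EAP packet")
    code, _ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or not 5 <= length <= len(pkt):
        raise ValueError("malformed EAP Response")
    body = pkt[5:length]
    if etype == TYPE_IDENTITY:
        name = body
    elif etype == TYPE_MSCHAPV2:
        # body: OpCode(1) MS-CHAPv2-ID(1) MS-Length(2) Value-Size(1) Response(49) Name
        if len(body) < 5 + VALUE_SIZE:
            raise ValueError("truncated EAP-MSCHAPv2 Response")
        opcode, _msid, ms_len, vsize = struct.unpack("!BBHB", body[:5])
        if opcode != OP_RESPONSE or vsize != VALUE_SIZE or ms_len != len(body):
            raise ValueError("bad EAP-MSCHAPv2 Response header")
        name = body[5 + VALUE_SIZE:]
    else:
        return None
    return name.decode("utf-8", "replace") or None

def select_module(username):
    """Pick the authentication module for a username, or None if nothing matches."""
    if not username:
        return None
    return next((m for pat, m in RULES if fnmatchcase(username, pat)), None)

def eap_response(etype, payload, ident=1):
    """Build a constructed EAP Response for the demo."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(payload), etype) + payload

def mschapv2_response(name, ident=2):
    """Constructed EAP-MSCHAPv2 Response; the 49-byte value is zero filler, not a real hash."""
    ms = struct.pack("!BBHB", OP_RESPONSE, ident, 5 + VALUE_SIZE + len(name), VALUE_SIZE)
    return eap_response(TYPE_MSCHAPV2, ms + bytes(VALUE_SIZE) + name, ident)

if __name__ == "__main__":
    for pkt in (eap_response(TYPE_IDENTITY, b""), mschapv2_response(b"alice@example.jp")):
        user = eap_username(pkt)
        print(repr(user), "->", select_module(user))
```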