Skip to main content

 

Cisco Meraki Documentation

PEAPv1/EAP-GTC support on a Windows client

Overview

 PEAPv1/EAP-GTC (Extensible Authentication Protocol - Generic Token Card) is a network access authentication policy created as an alternative to Microsoft's PEAPv0/MSCHAPv2. This EAP method is intended to be used with Token Cards supporting challenge/response verification. This article discusses how EAP-GTC works and Windows support for this protocol.

Note: PEAPv1/EAP-GTC is defined in greater detail in RFC 3748 and PEAPv0/MSCHAPv2 is further described in RFC 2759.

How EAP-GTC works

 EAP-GTC is encapsulated using PEAP (Protected Extensible authentication protocol). PEAP encapsulates EAP-GTC method in an authenticated and encrypted Transport Layer Security (TLS) Tunnel using only a server-side certificate. EAP-GTC is a flexible inner authentication method that allows basic authentication to RADIUS servers and virtually any other type of identity databases including One-time-password (OTP) token servers, LDAP and Novell. 

EAP-GTC supports various database identification types which place EAP-GTC as one of the more flexible EAP flavors, even though it is not commonly supported. Shown in the figure below is a comparison between EAP-MSCHAPv2 and EAP-GTC in terms of the password types that are supported.

Protocol Clear-text NT hash MD5 hash Salted MD5 hash SHA1 hash Slated SHA1 hash UNIX Crypt
EAP-GTC Yes Yes Yes Yes Yes Yes Yes
EAP-MSCHAPv2 Yes Yes No No No No No

 

Note: Refer to the Wireless Encryption and Authentication Overview Meraki support page that discusses WPA2-Enterprise with 802.1X Authentication and the EAP authentication modes that are supported by the Cisco Meraki Cloud controller.

Native Windows support for PEAPv1/EAP-GTC

Although Microsoft operating systems advertise client-side support for PEAP (Protected EAP), Microsoft tunnels the EAP-MSCHAPv2 as the inner authentication protocol and there is no native support for EAP-GTC as an inner authentication protocol. Even if the Authentication server and supplicant are both using PEAP, both sides involved in the 802.1X communication must be using the same inner authentication method. 

Note: Though Microsoft co-created the PEAP authentication standard with Cisco and the RSA, native support for PEAPv1 was never added to MS Windows. Subsequently there is no native support for PEAPv1/EAP-GTC.

There are however many third party extensions, such as the SecureW2 Enterprise Client, that allow the creation of network profiles that support the PEAPv1/EAP-GTC authentication framework on MS Windows.

Listed below is a link to a guide that discusses using third party 802.1X MS Windows client modules that supports less common EAP types like EAP-GTC

http://www.windowsnetworking.com/articles-tutorials/netgeneral/Using-Third-Party-802-1X-Clients-Windows.html

  • Was this article helpful?