PEAPv1/EAP-GTC (Extensible Authentication Protocol - Generic Token Card) is a network access authentication policy created as an alternative to Microsoft's PEAPv0/MSCHAPv2. This EAP method is intended to be used with Token Cards supporting challenge/response verification. This article discusses how EAP-GTC works and Windows support for this protocol.
How EAP-GTC works
EAP-GTC supports various database identification types, which makes it one of the more flexible EAP flavors, even though it is not commonly supported. Shown in the figure below is a comparison between EAP-MSCHAPv2 and EAP-GTC in terms of the password types that are
Note: Here is a link to the Meraki support page that discusses WPA2-Enterprise with 802.1X Authentication and the EAP authentication modes that are supported by the Cisco Meraki Cloud controller.
Native Windows support for PEAPv1/EAP-GTC
Although Microsoft operating systems advertise client-side support for PEAP (Protected EAP), Microsoft tunnels EAP-MSCHAPv2 as the inner authentication protocol, and there is no native support for EAP-GTC as an inner authentication protocol. Even if the authentication server and the supplicant are both using PEAP, both sides of the 802.1X communication must use the same inner authentication method.
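The inner-method requirement described above can be seen in a small simulation of EAP method negotiation. This is an added example, not part of the original article: it uses the EAP packet layout and Legacy Nak behaviour from RFC 3748, models only the inner method negotiation (not the TLS tunnel or PEAP's inner framing), and the function names and the `<method-data>` payload are assumptions made for illustration.

```python
import struct

# EAP codes and method type numbers (RFC 3748 / IANA EAP registry).
REQUEST, RESPONSE = 1, 2
NAK, GTC, MSCHAPV2 = 3, 6, 26
NAMES = {GTC: "EAP-GTC", MSCHAPV2: "EAP-MSCHAPv2"}

def build(code, ident, eap_type, data=b""):
    """Serialize an EAP Request/Response: Code, Identifier, Length, Type, Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """Return (code, ident, type, data), rejecting an inconsistent Length field."""
    if len(pkt) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (REQUEST, RESPONSE) or not 5 <= length <= len(pkt):
        raise ValueError("malformed EAP request/response")
    return code, ident, pkt[4], pkt[5:length]

def supplicant_reply(request, supported):
    """Peer: answer an offered method it supports, else send a Legacy Nak."""
    _, ident, eap_type, _ = parse(request)
    if eap_type in supported:
        # Placeholder payload (assumption); real method data is out of scope here.
        return build(RESPONSE, ident, eap_type, b"<method-data>")
    # Nak Type-Data lists acceptable methods; a single 0 means "none".
    return build(RESPONSE, ident, NAK, bytes(supported) or b"\x00")

def negotiate_inner(server_methods, peer_methods):
    """Server: offer methods until one is accepted; None means no common method."""
    offer, ident, tried = server_methods[0], 1, set()
    while offer is not None:
        tried.add(offer)
        reply = supplicant_reply(build(REQUEST, ident, offer), peer_methods)
        _, rid, rtype, rdata = parse(reply)
        if rid != ident:
            return None  # response does not match the outstanding request
        if rtype == offer:
            return NAMES[offer]
        if rtype != NAK:
            return None
        wanted = [m for m in rdata if m in server_methods and m not in tried]
        offer, ident = (wanted[0] if wanted else None), ident + 1
    return None

if __name__ == "__main__":
    # Constructed scenarios: a supplicant whose only inner method is EAP-MSCHAPv2.
    print(negotiate_inner([GTC], [MSCHAPV2]))            # server offers GTC only
    print(negotiate_inner([GTC, MSCHAPV2], [MSCHAPV2]))  # server allows both
    print(negotiate_inner([GTC], [GTC]))                 # GTC-capable client
```

A `None` result corresponds to the case in the paragraph above: both ends speak PEAP, but authentication cannot proceed because no inner method is shared.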
Note: Though Microsoft co-created the PEAP authentication standard with Cisco and RSA, native support for PEAPv1 was never added to MS Windows. Consequently, there is no native support for PEAPv1/EAP-GTC.
There are, however, many third-party extensions, such as the SecureW2 Enterprise Client, that allow the creation of network profiles that support the PEAPv1/EAP-GTC authentication framework on MS Windows.
Listed below is a link to a guide that discusses using third-party 802.1X MS Windows client modules that support less common EAP types like EAP-GTC.