
PEAPv1/EAP-GTC support on a Windows client


Overview

 

PEAPv1/EAP-GTC (Extensible Authentication Protocol - Generic Token Card) is a network access authentication method created as an alternative to Microsoft's PEAPv0/MSCHAPv2. This EAP method is intended to be used with token cards that support challenge/response verification. This article discusses how EAP-GTC works and what support Windows offers for this protocol.


Note: PEAPv1/EAP-GTC is defined in greater detail in RFC 3748 http://tools.ietf.org/html/rfc3748 and PEAPv0/MSCHAPv2 is further described in RFC 2759 http://tools.ietf.org/html/rfc2759

 

How EAP-GTC works

EAP-GTC is encapsulated using PEAP (Protected Extensible Authentication Protocol). PEAP encapsulates the EAP-GTC method in an authenticated and encrypted Transport Layer Security (TLS) tunnel using only a server-side certificate. EAP-GTC is a flexible inner authentication method that allows basic authentication to RADIUS servers and virtually any other type of identity database, including one-time-password (OTP) token servers, LDAP and Novell.

EAP-GTC supports various database identification types which place EAP-GTC as one of the more flexible EAP flavors, even though it is not commonly supported. Shown in the figure below is a comparison between EAP-MSCHAPv2 and EAP-GTC in terms of the password types that are supported.


[Figure: comparison of the password types supported by EAP-MSCHAPv2 and EAP-GTC]








Note: Here is a link to the Meraki support page that discusses WPA2-Enterprise with 802.1X Authentication and the EAP authentication modes that are supported by the Cisco Meraki Cloud controller.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Wireless_Encryption_and_Authentication_Overview


Native Windows support for PEAPv1/EAP-GTC


Although Microsoft operating systems advertise client-side support for PEAP (Protected EAP), Microsoft tunnels EAP-MSCHAPv2 as the inner authentication protocol, and there is no native support for EAP-GTC as an inner authentication protocol. Even if the authentication server and the supplicant are both using PEAP, both sides involved in the 802.1X communication must use the same inner authentication method.
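The inner-method mismatch described above, as an added example that is not part of the original article: RFC 3748 lets a peer refuse an offered method with a Nak (type 3) that lists the methods it would accept, and this sketch parses one inner Request/Response pair to report whether the two sides agreed. It assumes the inner EAP packets are already available in cleartext with full EAP headers; the sample packets and all function names are constructed for illustration.

```python
import struct

# Numbers from RFC 3748 and the IANA EAP registry
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 6: "GTC", 25: "PEAP", 26: "MSCHAPv2"}

def build_eap(code, ident, eap_type, data=b""):
    """Build a Request/Response: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data

def parse_eap(pkt):
    """Parse one EAP packet, validating the Length field against the buffer."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field does not fit the buffer")
    msg = {"code": CODES.get(code, code), "id": ident, "type": None, "data": b""}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        msg["type"], msg["data"] = pkt[4], pkt[5:length]
    return msg

def name(t):
    return TYPES.get(t, f"type {t}")

def inner_method_outcome(request, response):
    """Classify one inner-method round trip as agreed or mismatched."""
    req, resp = parse_eap(request), parse_eap(response)
    if (req["code"], resp["code"]) != ("Request", "Response") or req["id"] != resp["id"]:
        raise ValueError("not a matching Request/Response pair")
    if resp["type"] == req["type"]:
        return ("agreed", name(req["type"]), [])
    if resp["type"] == 3:  # Nak: Type-Data lists the methods the peer accepts (0 = none)
        return ("mismatch", name(req["type"]), [name(t) for t in resp["data"] if t])
    return ("unexpected", name(req["type"]), [name(resp["type"])])

# Constructed sample packets (not captured traffic)
GTC_REQUEST = build_eap(1, 7, 6, b"Password: ")   # server offers EAP-GTC
NAK_MSCHAPV2 = build_eap(2, 7, 3, bytes([26]))    # supplicant only does EAP-MSCHAPv2
GTC_RESPONSE = build_eap(2, 7, 6, b"123456")      # GTC-capable supplicant answers

if __name__ == "__main__":
    print(inner_method_outcome(GTC_REQUEST, NAK_MSCHAPV2))
    print(inner_method_outcome(GTC_REQUEST, GTC_RESPONSE))
```

A "mismatch" result with MSCHAPv2 in the wanted list is the signature of a supplicant that cannot do EAP-GTC talking to a server configured for it.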


Note: Though Microsoft co-created the PEAP authentication standard with Cisco and RSA, native support for PEAPv1 was never added to MS Windows. Consequently, there is no native support for PEAPv1/EAP-GTC.

 

There are, however, many third-party extensions, such as the SecureW2 Enterprise Client, that allow the creation of network profiles that support the PEAPv1/EAP-GTC authentication framework on MS Windows.


Listed below is a link to a guide that discusses using third-party 802.1X MS Windows client modules that support less common EAP types such as EAP-GTC.

http://www.windowsnetworking.com/articles-tutorials/netgeneral/Using-Third-Party-802-1X-Clients-Windows.html


 

Additional Resources

Configuring PEAPv0/EAP-MSCHAPv2

Configuring EAP-TLS

Using certificates with IEEE 802.1x authentication

 


 

Last modified
19:20, 9 Feb 2016
