WPA2 Enterprise setup - 802.1x V1/V2 difference

Does anyone know what the V1 / V2 versions of the 802.1x mean for setting up a wireless network with WPA2 Enterprise?

In the manual it states only that:

“When WPA/WPA2 - Enterprise is configured, RADIUS-based 802.1 x authentication is enabled. Under this configuration, the Shared Key option should be disabled. When using this method, select the appropriate version using the V1/V2 controls. The security level of this method is known to be very high.”

I tried both settings with a MacBook Pro wireless client (OS X 10.14) and it only seems to work with V1.

My other WPA2 settings are EAP-PEAP and MSCHAP v2.

Thank you.

1 Like

Does anyone know the difference?

Thanks.

I assume that this has to do with the IEEE Std 802.1x revisions authentication method:
Protocols like EAP (Extensible Authentication Protocol) enable the negotiation of the authentication method before the actual authentication process has begun. Version 2 is newer.
EAP-PEAP uses TLS to create an encrypted tunnel. Within the tunnel, one of the following “inner EAP” methods is used:
V1: EAP-Generic Token Card (GTC): Described in RFC 2284, this EAP method permits the transfer of unencrypted usernames and passwords from client to server. The main uses for EAP-GTC are one-time token cards such as SecurID and the use of an LDAP or RADIUS server as the user authentication server. You can also enable caching of user credentials on the controller as a backup to an external authentication server.
V2: EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2): Described in RFC 2759, this EAP method is widely supported by Microsoft clients. A RADIUS server must be used as the backend authentication server.

I’d recommend V2 for current setups in SOHO networks.

2 Likes

RADIUS accounting is defined in RFC 2866. Accounting means that after authentication and authorization, the time period for which a person is on the network is recorded for each person. This metadata is often used for network monitoring and statistics, or to bill people for network usage.
So for a usual home / SOHO network using a NAS as a RADIUS server, it is sufficient to configure only an Authentication Server (Port 1812) using Peplink’s router config setting “Network → Misc. Settings → Radius-Server”. You don’t need to configure the “Accounting Server” (Port 1813).

2 Likes
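What the RFC 2866 accounting traffic on port 1813 mentioned above carries, as an added example that is not part of the original posts or of any vendor's code: Python that builds and validates Accounting-Request packets. The function names, shared secret, user name and session id are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code+ID+Length + 16 zero octets + attributes + shared secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, secret, user, session_id, status, seconds=None):
    attrs = _attr(USER_NAME, user.encode())
    attrs += _attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    attrs += _attr(ACCT_SESSION_ID, session_id.encode())
    if seconds is not None:  # Acct-Session-Time is only sent on Stop/Interim
        attrs += _attr(ACCT_SESSION_TIME, struct.pack("!I", seconds))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs

def parse_accounting_request(packet, secret):
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, auth, attrs = packet[:4], packet[4:20], packet[20:length]
    if not hmac.compare_digest(_authenticator(header, attrs, secret), auth):
        raise ValueError("bad authenticator: wrong shared secret or tampering")
    record, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        a_type, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        if a_type == USER_NAME:
            record["user"] = value.decode(errors="replace")
        elif a_type == ACCT_SESSION_ID:
            record["session_id"] = value.decode(errors="replace")
        elif a_type == ACCT_STATUS_TYPE:
            record["status"] = STATUS.get(int.from_bytes(value, "big"), "Unknown")
        elif a_type == ACCT_SESSION_TIME:
            record["session_time"] = int.from_bytes(value, "big")
        pos += attrs[pos + 1]
    return record

if __name__ == "__main__":
    pkt = build_accounting_request(2, b"constructed-secret", "alice", "sess-01", 2, 3600)
    print(parse_accounting_request(pkt, b"constructed-secret"))
```
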