<div dir="ltr"><div><div><div><div><div><div><br></div>Hi Stefan,<br><br></div>Thank you for the reply.<br></div>But by default FR takes MS-CHAPv2. How to configure to GTC/PAP?<br><br></div><div>However, I will try connecting FR to Samba or Active Directory.<br>
</div><br></div>Regards<br></div>Ammu<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 8, 2014 at 3:30 PM, <span dir="ltr"><<a href="mailto:freeradius-devel-request@lists.freeradius.org" target="_blank">freeradius-devel-request@lists.freeradius.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Message: 1<br>
Date: Thu, 7 Aug 2014 21:25:46 +0000<br>
From: Stefan Paetow <<a href="mailto:Stefan.Paetow@ja.net">Stefan.Paetow@ja.net</a>><br>
To: FreeRadius developers mailing list<br>
<<a href="mailto:freeradius-devel@lists.freeradius.org">freeradius-devel@lists.freeradius.org</a>><br>
Subject: RE: EAP-FAST phase2 failed<br>
Message-ID: <C072996E0B81144DBB9426B44462540C0D6935BF@EXC001><br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
The log says this:<br>
<br>
EAP-MSCHAPV2: eap_server Password not configured<br>
EAP-FAST: Phase2 method failed<br>
EAP-FAST: PHASE2_METHOD -> FAILURE<br>
<br>
Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2).<br>
<br>
Stefan<br>
<br>
________________________________<br>
From: freeradius-devel-bounces+stefan.paetow=<a href="mailto:ja.net@lists.freeradius.org">ja.net@lists.freeradius.org</a> [freeradius-devel-bounces+stefan.paetow=<a href="mailto:ja.net@lists.freeradius.org">ja.net@lists.freeradius.org</a>] on behalf of Ammu Argh [<a href="mailto:ammu3634@gmail.com">ammu3634@gmail.com</a>]<br>
Sent: 07 August 2014 17:16<br>
To: <a href="mailto:freeradius-devel@lists.freeradius.org">freeradius-devel@lists.freeradius.org</a><br>
Subject: EAP-FAST phase2 failed<br>
<br>
Hi,<br>
<br>
I was trying to connect to an AP using EAP-FAST authentication.<br>
But FreeRADIUS EAP-FAST failed with the error below:<br>
<br>
State = 0x97d5bb340dc1cb0c525e6b44738f3553<br>
Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb<br>
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>
+group authorize {<br>
++[preprocess] = ok<br>
++[chap] = noop<br>
++[mschap] = noop<br>
++[digest] = noop<br>
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>
++[suffix] = noop<br>
[eap] EAP packet type response id 4 length 107<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] = updated<br>
[files] users: Matched entry DEFAULT at line 202<br>
++[files] = ok<br>
++[expiration] = noop<br>
++[logintime] = noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] = noop<br>
+} # group authorize = updated<br>
Found Auth-Type = EAP<br>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>
+group EAP {<br>
[eap2] Request found, released from the list<br>
EAP: EAP entering state RECEIVED<br>
EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0<br>
EAP: EAP entering state INTEGRITY_CHECK<br>
EAP: EAP entering state METHOD_RESPONSE<br>
SSL: Received packet(len=107) - Flags 0x01<br>
SSL: Received packet: Flags 0x1 Message Length 0<br>
EAP-FAST: Received 101 bytes encrypted data for Phase 2<br>
EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED]<br>
EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory)<br>
EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69<br>
EAP-FAST: Received Phase 2: code=2 identifier=4 length=63<br>
EAP-MSCHAPV2: eap_server Password not configured<br>
EAP-FAST: Phase2 method failed<br>
EAP-FAST: PHASE2_METHOD -> FAILURE<br>
EAP: EAP entering state SELECT_ACTION<br>
EAP: getDecision: method failed -> FAILURE<br>
EAP: EAP entering state FAILURE<br>
EAP: Building EAP-Failure (id=4)<br>
==> Fail<br>
[eap2] Freeing handler<br>
EAP: Server state machine removed<br>
++[eap2] = reject<br>
+} # group EAP = reject<br>
Failed to authenticate the user.<br>
Using Post-Auth-Type REJECT<br>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>
+group REJECT {<br>
[attr_filter.access_reject] expand: %{User-Name} -> anonymous<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] = updated<br>
+} # group REJECT = updated<br>
Delaying reject of request 4 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 4<br>
Sending Access-Reject of id 117 to 10.10.2.2 port 46531<br>
EAP-Message = 0x04040004<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
Waking up in 3.9 seconds.<br>
<br>
<br>
Other details are as below:<br>
<br>
Users file:<br>
wifi Auth-Type := EAP, Cleartext-Password := "welcome123"<br>
<br>
eap.conf<br>
eap2 {<br>
fast {<br>
pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f<br>
eap_fast_a_id = tjsys<br>
eap_fast_a_id_info = my_server<br>
eap_fast_prov = 3<br>
pac_key_lifetime = 604800 # 7 days<br>
pac_key_refresh_tim = 86400<br>
}<br>
<br>
tls {<br>
ca_cert = /usr/local/etc/raddb/certs/ca.pem<br>
server_cert = /usr/local/etc/raddb/certs/server.pem<br>
private_key_file = /usr/local/etc/raddb/certs/server.key<br>
private_key_password = whatever<br>
dh_file = /usr/local/etc/raddb/certs/dh<br>
random_file = /usr/local/etc/raddb/certs/random<br>
}<br>
}<br>
<br>
<br>
Sites-enabled/default:<br>
Added in authenticate block<br>
Auth-Type EAP {<br>
eap2<br>
}<br>
<br>
<br>
<br>
wpa_supplicant.conf<br>
update_config=1<br>
ap_scan=1<br>
fast_reauth=1<br>
<br>
network={<br>
ssid="WiFi-11g"<br>
key_mgmt=WPA-EAP<br>
proto=WPA<br>
pairwise=TKIP<br>
group=TKIP<br>
eap=FAST<br>
anonymous_identity="fast"<br>
identity="fast"<br>
password="koro"<br>
phase1="fast_provisioning=3"<br>
pac_file="/data/misc/wifi/eap_fast.pac"<br>
}<br>
<br>
<br>
<br>
FreeRADIUS Version 2.2.5,<br>
OpenSSL 1.0.1e 11<br>
Ubuntu 14.04.1<br>
<br>
Please help me to get it to work.<br>
<br>
Regards<br>
Ammu<br>
<br>
</blockquote></div><br></div>
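<div>Added example (not part of the original thread, and not FreeRADIUS code): a decoder for the EAP-Payload TLV hexdump in the debug log above, showing which inner method and user name the supplicant sent in phase 2. Field offsets follow the standard EAP-MSCHAPv2 Response layout; the name parse_inner_eap is an assumption of this example.</div>

```python
import struct

# EAP-Payload TLV bytes copied from the debug log quoted in the thread.
EAP_PAYLOAD_HEX = (
    "02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 "
    "75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 6: "GTC", 26: "MS-CHAPv2", 43: "FAST"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}


def parse_inner_eap(data: bytes) -> dict:
    """Decode an inner (phase 2) EAP packet; expand EAP-MSCHAPv2 Response fields."""
    if len(data) < 5:
        raise ValueError("too short for an EAP request/response")
    code, ident, length, eap_type = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError(f"EAP length {length} != {len(data)} bytes captured")
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "type": EAP_TYPES.get(eap_type, eap_type)}
    if eap_type != 26:
        return out
    if len(data) < 9:
        raise ValueError("truncated MS-CHAPv2 header")
    opcode, _ms_id, ms_len = struct.unpack("!BBH", data[5:9])
    out["opcode"] = MSCHAPV2_OPCODES.get(opcode, opcode)
    if opcode != 2:
        return out
    # Response value: Peer-Challenge(16) Reserved(8) NT-Response(24) Flags(1),
    # preceded by Value-Size (always 49) and followed by the user name.
    if len(data) < 59 or data[9] != 49 or ms_len != length - 5:
        raise ValueError("malformed MS-CHAPv2 response")
    value = data[10:59]
    out["peer_challenge_zeroed"] = value[:16] == bytes(16)
    out["flags"] = value[48]
    out["name"] = data[59:].decode("utf-8", "replace")
    return out


if __name__ == "__main__":
    for field, val in parse_inner_eap(bytes.fromhex(EAP_PAYLOAD_HEX)).items():
        print(f"{field}: {val}")
```

<div>The decoded name field is the account the server has to find a password for; compare it with the users file entry and the supplicant's identity setting.</div>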