Any luck with 802.1x authentication using TTLS with MSCHAPv2 ?
Mak Moussa
mmoussa at mmoussa.com
Thu Oct 5 09:24:55 CEST 2006
Hi,
I would appreciate any insight into the 802.1x authentication using TTLS
with MSCHAPv2. Such an auth scheme is constantly failing in my wireless setup
with FreeRadius. I tried 3 versions, v1.0.5, v1.1.2 and v1.1.3, with not much
luck.
The following authentication schemes worked fine:
1. TTLS w/ MSCHAP from my wireless client to freeradius v1.0.5, v1.1.2, v1.1.3
2. PEAP w/ MSCHAPv2 with same wireless client to same freeradius versions.
3. TTLS w/ MSCHAPv2 from the same wireless setup to an SBR v5.3
The freeradius debug does indicate successful auth and both MPPE keys sent
to the client.
modcall[authenticate]: module "mschap" returns ok for request 17
modcall: leaving group MS-CHAP (returns ok) for request 17
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 17
modcall: leaving group authenticate (returns ok) for request 17
Sending Access-Accept of id 21 to 172.16.10.254 port 32777
MS-MPPE-Recv-Key = 0x6a72b3417ed819d9e4d3e5fa8867d1d8211c41941fe2035d33f24b906b3b4406
MS-MPPE-Send-Key = 0x29098f385530c131460af68bc229719d9b5b1dea1e70a783f89acac8ea17aa17
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "Moussa"
Finished request 17
However, the client debug shows wpa msg 1 was dropped as follows:
22:53:12.156 ++ EAPOL message received
22:53:12.156 Message dequeued
22:53:12.156 [DTL] Received EAPOL packet
00000000: 01 03 00 5F FE 00 89 00 20 00 00 00 00 00 00 00  ..._.... .......
00000010: 01 1F 74 D9 48 45 D8 28 4E 3C E4 B3 0B D4 59 3D  ..t.HE.(N<....Y=
00000020: 04 C0 20 9B 00 3A 81 5D EE 4D 90 F1 96 63 98 7B  .. ..:.].M...c.{
00000030: E5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 ...
22:53:12.156 [NRM] Processing EAPOL-Key message
22:53:12.156 [DTL] Received replay counter is 0000000000000001
22:53:12.156 [DTL] EAPOL-Key message version = 1
22:53:12.156 [NRM] Processing EAPOL-Key 4-way handshake message 1
22:53:12.156 [NRM] Setting master session key(s)
22:53:12.156 [ERR] Cannot set master key: authentication not complete or method does not support session keys
22:53:12.156 [ERR] EAPOL-Key pairwise key message 1 discarded: no PMK
If I made a freeradius configuration mistake, TTLS with mschap wouldn't work.
Any help is very much appreciated.
Mak
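The client log in this post shows the supplicant discarding 4-way handshake message 1 because it holds no PMK. The following Python is an added example, not code from the post, from FreeRADIUS or from the wireless client: it decodes the exact EAPOL-Key frame from the hex dump above, classifies it as message 1 (Pairwise and ACK set, MIC clear) and then performs the step the supplicant could not, deriving the PTK from a PMK and the ANonce with the IEEE 802.11i PRF. The AP and station MAC addresses and the SNonce are constructed values; the PMK used in the second run is the MS-MPPE-Recv-Key from the FreeRADIUS debug, which by RFC 5216 section 2.3 and IEEE 802.11i is the first 32 octets of the MSK and therefore the PMK the authenticator holds after the Access-Accept.

```python
"""Added example (not from the post, FreeRADIUS or the client): decode the
EAPOL-Key message 1 from the client debug and walk the step that failed."""
import hashlib
import hmac
import struct

# Frame exactly as hex-dumped in the post: 4-byte EAPOL header + 95-byte body.
EAPOL_KEY_MSG1 = bytes.fromhex(
    "01 03 00 5F FE 00 89 00 20 00 00 00 00 00 00 00 "
    "01 1F 74 D9 48 45 D8 28 4E 3C E4 B3 0B D4 59 3D "
    "04 C0 20 9B 00 3A 81 5D EE 4D 90 F1 96 63 98 7B "
    "E5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00"
)
# MS-MPPE-Recv-Key from the FreeRADIUS debug in the post. RFC 5216 s2.3 and
# IEEE 802.11i define PMK = first 32 octets of the MSK, i.e. exactly this key.
PMK_FROM_RADIUS = bytes.fromhex(
    "6a72b3417ed819d9e4d3e5fa8867d1d8211c41941fe2035d33f24b906b3b4406")

# Key Information bits (IEEE 802.11i-2004, clause 8.5.2).
KI_PAIRWISE = 0x0008
KI_INSTALL = 0x0040
KI_ACK = 0x0080
KI_MIC = 0x0100


def parse_eapol_key(frame):
    """Split an EAPOL-Key frame into its fixed fields (descriptor 0xFE=WPA, 0x02=RSN)."""
    version, ptype, length = struct.unpack_from("!BBH", frame, 0)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame (type %d)" % ptype)
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated: body %d < length field %d" % (len(body), length))
    key_info, key_len = struct.unpack_from("!HH", body, 1)
    kd_len = struct.unpack_from("!H", body, 93)[0]
    return {
        "eapol_version": version,
        "descriptor": body[0],
        "key_info": key_info,
        "key_len": key_len,                       # 32 = TKIP, 16 = CCMP
        "replay_counter": int.from_bytes(body[5:13], "big"),
        "nonce": body[13:45],                     # ANonce in message 1
        "key_iv": body[45:61],
        "rsc": body[61:69],
        "mic": body[77:93],
        "key_data": body[95:95 + kd_len],
    }


def handshake_message_number(msg):
    """Classify a pairwise EAPOL-Key frame by its ACK/MIC/Install flags."""
    ki = msg["key_info"]
    if not ki & KI_PAIRWISE:
        return None  # group key handshake, not the 4-way handshake
    ack, mic, install = bool(ki & KI_ACK), bool(ki & KI_MIC), bool(ki & KI_INSTALL)
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:
        return 2 if msg["key_data"] else 4  # message 2 carries the WPA/RSN IE
    return None


def prf_80211i(key, label, data, nbits):
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, tk_len):
    """PTK = PRF(PMK, "Pairwise key expansion", min/max(AA,SPA) || min/max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211i(pmk, b"Pairwise key expansion", data, 8 * (32 + tk_len))
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:]}


def supplicant_on_msg1(frame, pmk, aa, spa, snonce):
    """What a supplicant does with message 1; pmk=None models the post's failure."""
    msg = parse_eapol_key(frame)
    if handshake_message_number(msg) != 1:
        return {"status": "discarded", "reason": "not 4-way handshake message 1"}
    if pmk is None:
        # The branch the client log in the post landed in.
        return {"status": "discarded", "reason": "no PMK: EAP method delivered no MSK"}
    ptk = derive_ptk(pmk, aa, spa, msg["nonce"], snonce, msg["key_len"])
    return {"status": "ok", "anonce": msg["nonce"], "ptk": ptk}


if __name__ == "__main__":
    # Constructed MAC addresses and SNonce for the demonstration.
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    snonce = bytes(range(32))
    print(supplicant_on_msg1(EAPOL_KEY_MSG1, None, aa, spa, snonce))
    r = supplicant_on_msg1(EAPOL_KEY_MSG1, PMK_FROM_RADIUS, aa, spa, snonce)
    print(r["status"], "TK length", len(r["ptk"]["tk"]))
```

Running it with `pmk=None` reproduces the "discarded: no PMK" outcome from the client log; running it with the RADIUS key shows that the frame itself is a well-formed message 1 from which a PTK is derivable once a PMK exists. That is consistent with the client's own error text ("method does not support session keys"): the authenticator side has its MSK, and it is the supplicant's inner TTLS/MSCHAPv2 run that did not export one.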