OpenLDAP+FreeRadius Encryption

Anirudh Malhotra 8zero2ops at gmail.com
Tue Feb 2 17:14:09 CET 2016


Did you try changing default peap version to gtc?

BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On 2 Feb 2016, 21:37 +0530, Greg Mischel Smith <gregms at gmail.com> wrote:
> > Comment out mschap in your EAP config to disallow negotiation of mschap,
> > they'll try something else...
> 
> That's what I would have thought, but when I try that, I get the following:
> (6) eap : Peer sent method Identity (1)
> (6) ERROR: eap : Tried to start unsupported method (26)
> (6) eap : Failed in EAP select
> (6) [eap] = invalid
> (6) } # authenticate = invalid
> (6) Failed to authenticate the user
> (6) Login incorrect (eap: Tried to start unsupported method (26)):
> [testuser<via Auth-Type = EAP>] (from client WLC port 0 via TLS
> tunnel)
> 
> Happens on Android and Mac. I found that even if I set Android to use
> GTC, when I comment out the mschapv2 { } section in the eap config
> file, it fails.
> 
> Looking at the debug on when it succeeds (without eapchapv2 commented
> out), it still uses eapchapv2 which makes me think that's why it
> fails.
> (6) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (6) authenticate {
> (6) eap : Peer sent method Identity (1)
> (6) eap : Calling eap_mschapv2 to process EAP data
> (6) eap_mschapv2 : Issuing Challenge
> ...
> (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> (7) authenticate {
> (7) eap : Expiring EAP session with state 0xb11fa2d2b117b849
> (7) eap : Finished EAP session with state 0xb11fa2d2b117b849
> (7) eap : Previous EAP request found for state 0xb11fa2d2b117b849,
> released from the list
> (7) eap : Peer sent method NAK (3)
> (7) eap : Found mutually acceptable type GTC (6)
> (7) eap : Calling eap_gtc to process EAP data
> (7) eap_gtc : EXPAND Password:
> (7) eap_gtc : -->Password:
> (7) eap : New EAP session, adding 'State' attribute to reply
> 0xb11fa2d2b016a449
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
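
The change suggested in the reply above, as an added configuration sketch (not taken from either poster's files). It assumes the stock FreeRADIUS 3 `mods-available/eap` layout, in which the `peap` section carries its own `default_eap_type` for the inner method; if that stays at `mschapv2` while the `mschapv2 { }` section is commented out, the server still tries to open the inner tunnel with EAP type 26, which is consistent with the `unsupported method (26)` error in the quoted debug output.

```conf
# Assumed file: /etc/raddb/mods-available/eap (FreeRADIUS 3 layout).
# Only the settings relevant to this thread are shown; the tls-config
# section and the other EAP methods are omitted.
eap {
	# Inner method that takes the password in clear text inside the
	# TLS tunnel. It must stay enabled for GTC to be offered.
	gtc {
		auth_type = PAP
	}

	peap {
		tls = tls-common

		# Before: the inner tunnel opens with MSCHAPv2 (EAP type 26).
		# default_eap_type = mschapv2

		# After: the inner tunnel opens with GTC (EAP type 6).
		default_eap_type = gtc

		virtual_server = "inner-tunnel"
	}

	# Disable MSCHAPv2 only once peap no longer defaults to it.
	# mschapv2 {
	# }
}
```

A supplicant that offers only MSCHAPv2 as its inner method will NAK GTC and then fail once `mschapv2 { }` is disabled.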
