MS-CHAP2-Request is rejected

Alan DeKok aland at deployingradius.com
Wed May 22 00:10:05 CEST 2019


On May 21, 2019, at 3:33 PM, william steen via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Thank you for the observations. Mea cupla - the password was wrong. Having corrected that I am getting a WICED 1064 error back on the device which I believe means EAPOL_KEY_FAILURE. I am really struggling the read the full debug and understand why it is not working. I can’t see anything in the output that says it is not working in fact I see at the end SUCCESS - so is this a device issue?

  You see MS-CHAP success, but the client doesn't send any more packets.  Which means that the device doesn't like the MS-CHAP success, and has dropped the authentication session.

  It's hard to understand why it's not working from the debug log.  Because the error messages are on the device, and not in the debug log.  The only signal that's in the debug log is the *absence* of continued packets from the device.

  Which then means that the device didn't like *something* about the exchange.  Since the last packet was sending MS-CHAP success, it means that the device didn't like the MS-CHAP success.

  Why?  Magic.  The error message is buried in the device.  And Microsoft is very good about giving the user *zero* useful information.

  Alan DeKok.




More information about the Freeradius-Users mailing list