Help: EAP-FAST/EAP-MSCHAPv2

manjunatha srinivasan manjunathan.n at gmail.com
Mon May 24 14:00:56 CEST 2021


Hi
Below is my setup for testing EAP-FAST/EAP-MSCHAPv2 with a cross-over cable
connected between the supplicant's client and hostapd/freeradius. Note, both
hostapd and freeradius are running on the host (Ubuntu 16.04). Also attached
is the log of freeradius.

wpa_supplicant(v2.9) <---> Authenticator(hostapd) <-----> Authentication server(freeradius v3.0.15).

By the way, wpa_supplicant is not enabled for CONFIG_EAP_FAST support and
defaults to GnuTLS. I have re-compiled it to support OpenSSL (1.1.0) and
enabled EAP_FAST for testing.

The question is: I am successfully testing EAP-PEAP/EAP-MSCHAPv2 and
EAP-TTLS/EAP-MSCHAPv2, but it fails with EAP-FAST/EAP-MSCHAPv2.

Please let me know if EAP-MSCHAPv2 is supported in freeradius with
wpa_supplicant communication.

Below is wpa_supplicant's configuration:
-------------
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=FAST
    anonymous_identity="anonymous"
    identity="user2"
    password="user222"
    phase1="fast_provisioning=1"
    phase2="auth=MSCHAPV2"
    pac_file="/tmp/wpa_supplicant.eap-fast-pac"
    ca_cert="/tmp/wpa/ca.pem"
    eapol_flags=0
}
--------------
Below is the partial output where the error occurs during inner tunnel
authentication:

----------------
(7) mschap: Found Cleartext-Password, hashing to create NT-Password
(7) mschap: Found Cleartext-Password, hashing to create LM-Password
(7) mschap: Creating challenge hash with username: user2
(7) mschap: Client is using MS-CHAPv2
(7) mschap: ERROR: MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # authenticate = reject
(7) eap: Sending EAP Failure (code 4) ID 147 length 4
(7) eap: Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) attr_filter.access_reject: EXPAND %{User-Name}
(7) attr_filter.access_reject: --> user2
(7) attr_filter.access_reject: Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) update outer.session-state {
(7) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect'
(7) } # update outer.session-state = noop
(7) } # Post-Auth-Type REJECT = updated
(7) } # server inner-tunnel
(7) Virtual server sending reply
(7) Reply-Message = "Hello, user2"
(7) MS-CHAP-Error = "\223E=691 R=1 C=5246972f1401f7122b3a9da2f0c28f25 V=3 M=Authentication failed"
(7) EAP-Message = 0x04930004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) eap_fast: Got tunneled Access-Reject
(7) eap_fast: Reject
--------------

Below are references about EAP-FAST limitations with freeradius; please
clarify:

http://w1.fi/cgit/hostap/plain/wpa_supplicant/eap_testing.txt (test report
of wpa_supplicant<->hostapd<-->freeradius)

https://networkradius.com/doc/FreeRADIUS-Implementation-Ch6.pdf (page 46
says it is developed by Cisco and not widely used outside of Cisco
environment).

Thanks & Regards
Manjunatha Srinivasan N
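The MS-CHAP-Error and EAP-Message values in the reject above can be decoded to confirm what the inner tunnel actually reported: the leading "\223" octet of MS-CHAP-Error is the MS-CHAPv2 Ident (0x93 = 147), which should equal the identifier in the EAP Failure, and E=691 is the RFC 2759 authentication-failure code. The following is an added Python example, not code from this post or from FreeRADIUS; the parsers are my own and the sample strings are copied from the debug output quoted above.

```python
import re

# Constructed sample values, copied from the FreeRADIUS debug output quoted above. FreeRADIUS
# prints non-printable octets as \NNN octal escapes, so "\223" is byte 0x93 = 147, the MS-CHAPv2 Ident.
SAMPLE_ATTR = "\\223E=691 R=1 C=5246972f1401f7122b3a9da2f0c28f25 V=3 M=Authentication failed"
SAMPLE_EAP = "0x04930004"

MSCHAP_ERRORS = {  # failure codes from RFC 2759, section 6
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_debug_escapes(text):
    # Turn FreeRADIUS \NNN octal escapes back into the characters they stand for.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def parse_mschap_error(attr):
    # MS-CHAP-Error is one Ident octet followed by the RFC 2759 failure string.
    text = decode_debug_escapes(attr)
    ident, body = ord(text[0]), text[1:]
    m = re.fullmatch(r"E=(\d+) R=([01]) C=([0-9a-fA-F]{32}) V=(\d+) M=(.*)", body)
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure string: %r" % body)
    code = int(m.group(1))
    return {
        "ident": ident,
        "error_code": code,
        "error_name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m.group(2) == "1",  # R=1: peer may retry with the new challenge
        "challenge": bytes.fromhex(m.group(3)),  # 16-octet challenge for that retry
        "version": int(m.group(4)),
        "message": m.group(5),
    }

def parse_eap_message(hexstr):
    # Decode the 4-octet EAP header (code, identifier, length) and sanity-check the length.
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("EAP length field %d != %d octets present" % (length, len(pkt)))
    return {"code": code, "name": EAP_CODES.get(code, "Unknown"), "id": ident, "length": length}

def ident_matches(attr, eap_hex):
    # True when the MS-CHAP-Error Ident and the EAP identifier belong to the same exchange.
    return parse_mschap_error(attr)["ident"] == parse_eap_message(eap_hex)["id"]
```

Running `parse_mschap_error(SAMPLE_ATTR)` on the quoted reject yields Ident 147 and error 691 (authentication failure, retry allowed), and `ident_matches(SAMPLE_ATTR, SAMPLE_EAP)` confirms that this matches the EAP Failure with ID 147 that the server sent.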

