Help: EAP-FAST/EAP-MSCHAPv2
Alan DeKok
aland at deployingradius.com
Mon May 24 14:09:11 CEST 2021
On May 24, 2021, at 8:00 AM, manjunatha srinivasan <manjunathan.n at gmail.com> wrote:
> Below is my-setup of testing EAP-FAST/EAP-MSCHAPv2 with cross-over cable
> connected between supplicant's client and hostapd/freeradius. Note, both
> hostapd and freeradius are running on host - Ubuntu 16.04. Also attached
> log of freeradius.
>
> <wpa_supplicant(v2.9)<--->Authenticator(hostapd)<----->Authentication
> server(freeradius v3.0.15).
Perhaps try 3.0.22, which was just released. I don't think there's any changes related to FAST, but it can't hurt.
> By the way, wpa_suppliant is not enabled for CONFIG_EAP_FAST support and
> default to gnuTLS. I have re-compiled it, to support openssl (1.1.0) and
> enabled EAP_FAST for testing.
>
> The question is: I am successfully testing EAP-PEAP/EAP-MSCHAPv2 and
> EAP-TTLS/EAP-MSCHAPv2. But, fails in EAP-FAST/EAP-MSCHAPv2.
>
> Please let me know if EAP-MSCHAPv2 is supported in freeradius with
> wpa_supplicant communication.
It should be,
> Below is partial output where error occurs during inner tunnel
> authentication:
>
> ----------------
> 7) mschap: Found Cleartext-Password, hashing to create NT-Password
> (7) mschap: Found Cleartext-Password, hashing to create LM-Password
> (7) mschap: Creating challenge hash with username: user2
> (7) mschap: Client is using MS-CHAPv2
>
> *(7) mschap: ERROR: MS-CHAP2-Response is incorrect*(7) [mschap] = reject
That seems pretty clear. The MS-CHAP code is used for *all* MS-CHAP calculations. So we know that it's correct.
Maybe there's something odd in the EAP-FAST code.
Alan DeKok.
More information about the Freeradius-Users
mailing list