Hi, I was trying to connect to AP using EAP-FAST authentication. But Freeradius EAP-FAST failed with below error: State = 0x97d5bb340dc1cb0c525e6b44738f3553 Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 107 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 202 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group EAP { [eap2] Request found, released from the list EAP: EAP entering state RECEIVED EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0 EAP: EAP entering state INTEGRITY_CHECK EAP: EAP entering state METHOD_RESPONSE SSL: Received packet(len=107) - Flags 0x01 SSL: Received packet: Flags 0x1 Message Length 0 EAP-FAST: Received 101 bytes encrypted data for Phase 2 EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED] EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory) EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69 EAP-FAST: Received Phase 2: code=2 identifier=4 length=63 EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE EAP: EAP entering state SELECT_ACTION EAP: getDecision: method failed -> FAILURE EAP: EAP entering state FAILURE EAP: Building EAP-Failure (id=4) ==> Fail [eap2] Freeing handler EAP: Server state machine removed ++[eap2] = reject +} # group EAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 117 to 10.10.2.2 port 46531 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Other details are as below" Users file" wifi Auth-Type := EAP, Cleartext-Password := "welcome123" eap.conf eap2 { fast { pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f eap_fast_a_id = tjsys eap_fast_a_id_info = my_server eap_fast_prov = 3 pac_key_lifetime = 604800 # 7 days pac_key_refresh_tim = 86400 } tls { ca_cert = /usr/local/etc/raddb/certs/ca.pem server_cert = /usr/local/etc/raddb/certs/server.pem private_key_file = /usr/local/etc/raddb/certs/server.key private_key_password = whatever dh_file = /usr/local/etc/raddb/certs/dh random_file = /usr/local/etc/raddb/certs/random } } Sites-enabled/default: Added in authenticate block Auth-Type EAP { eap2 } wpa_supplicant.conf update_config=1 ap_scan=1 fast_reauth=1 network={ ssid="WiFi-11g" key_mgmt=WPA-EAP proto=WPA pairwise=TKIP group=TKIP eap=FAST anonymous_identity="fast" identity="fast" password="koro" phase1="fast_provisioning=3" pac_file="/data/misc/wifi/eap_fast.pac" } FreeRADIUS Version 2.2.5, OpenSSL 1.0.1e 11 Ubuntu 14.04.1 Please help me to get it work. Regards Ammu
The log says this: EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2). Stefan ________________________________ From: freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Ammu Argh [ammu3634@gmail.com] Sent: 07 August 2014 17:16 To: freeradius-devel@lists.freeradius.org Subject: EAP-FAST phase2 failed Hi, I was trying to connect to AP using EAP-FAST authentication. But Freeradius EAP-FAST failed with below error: State = 0x97d5bb340dc1cb0c525e6b44738f3553 Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "anonymous", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 107 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry DEFAULT at line 202 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group EAP { [eap2] Request found, released from the list EAP: EAP entering state RECEIVED EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0 EAP: EAP entering state INTEGRITY_CHECK EAP: EAP entering state METHOD_RESPONSE SSL: Received packet(len=107) - Flags 0x01 SSL: Received packet: Flags 0x1 Message Length 0 EAP-FAST: Received 101 bytes encrypted data for Phase 2 EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED] EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory) EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69 EAP-FAST: Received Phase 2: code=2 identifier=4 length=63 EAP-MSCHAPV2: eap_server Password not configured EAP-FAST: Phase2 method failed EAP-FAST: PHASE2_METHOD -> FAILURE EAP: EAP entering state SELECT_ACTION EAP: getDecision: method failed -> FAILURE EAP: EAP entering state FAILURE EAP: Building EAP-Failure (id=4) ==> Fail [eap2] Freeing handler EAP: Server state machine removed ++[eap2] = reject +} # group EAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 117 to 10.10.2.2 port 46531 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Other details are as below" Users file" wifi Auth-Type := EAP, Cleartext-Password := "welcome123" eap.conf eap2 { fast { pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f eap_fast_a_id = tjsys eap_fast_a_id_info = my_server eap_fast_prov = 3 pac_key_lifetime = 604800 # 7 days pac_key_refresh_tim = 86400 } tls { ca_cert = /usr/local/etc/raddb/certs/ca.pem server_cert = /usr/local/etc/raddb/certs/server.pem private_key_file = /usr/local/etc/raddb/certs/server.key private_key_password = whatever dh_file = /usr/local/etc/raddb/certs/dh random_file = /usr/local/etc/raddb/certs/random } } Sites-enabled/default: Added in authenticate block Auth-Type EAP { eap2 } wpa_supplicant.conf update_config=1 ap_scan=1 fast_reauth=1 network={ ssid="WiFi-11g" key_mgmt=WPA-EAP proto=WPA pairwise=TKIP group=TKIP eap=FAST anonymous_identity="fast" identity="fast" password="koro" phase1="fast_provisioning=3" pac_file="/data/misc/wifi/eap_fast.pac" } FreeRADIUS Version 2.2.5, OpenSSL 1.0.1e 11 Ubuntu 14.04.1 Please help me to get it work. Regards Ammu Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
participants (2)
-
Ammu Argh -
Stefan Paetow