Hi Below is my-setup of testing EAP-FAST/EAP-MSCHAPv2 with cross-over cable connected between supplicant's client and hostapd/freeradius. Note, both hostapd and freeradius are running on host - Ubuntu 16.04. Also attached log of freeradius. <wpa_supplicant(v2.9)<--->Authenticator(hostapd)<----->Authentication server(freeradius v3.0.15). By the way, wpa_suppliant is not enabled for CONFIG_EAP_FAST support and default to gnuTLS. I have re-compiled it, to support openssl (1.1.0) and enabled EAP_FAST for testing. The question is: I am successfully testing EAP-PEAP/EAP-MSCHAPv2 and EAP-TTLS/EAP-MSCHAPv2. But, fails in EAP-FAST/EAP-MSCHAPv2. Please let me know if EAP-MSCHAPv2 is supported in freeradius with wpa_supplicant communication. Below is wpa_supplincant's configuration: ------------- ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 ap_scan=0 network= { key_mgmt=IEEE8021X eap=FAST anonymous_identity="anonymous" identity="user2" password="user222" phase1="fast_provisioning=1" phase2="auth=MSCHAPV2" pac_file="/tmp/wpa_supplicant.eap-fast-pac" ca_cert="/tmp/wpa/ca.pem" eapol_flags=0 } -------------- Below is partial output where error occurs during inner tunnel authentication: ---------------- 7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: user2 (7) mschap: Client is using MS-CHAPv2 *(7) mschap: ERROR: MS-CHAP2-Response is incorrect*(7) [mschap] = reject (7) } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 147 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %\{User-Name} (7) attr_filter.access_reject: --> user2 (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> *'mschap: MS-CHAP2-Response is incorrect' (7) }* # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) Reply-Message = "Hello, user2" (7) MS-CHAP-Error = "\223E=691 R=1 C=5246972f1401f7122b3a9da2f0c28f25 V=3 M=Authentication failed" (7) EAP-Message = 0x04930004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_fast: Got tunneled Access-Reject (7) eap_fast: Reject -------------- Below are reference about EAP-FAST limitation with freeradius, please clarify: http://w1.fi/cgit/hostap/plain/wpa_supplicant/eap_testing.txt (test report of wpa_supplincant<->hostapd<-->freeradius) https://networkradius.com/doc/FreeRADIUS-Implementation-Ch6.pdf (page 46 says it is developed by Cisco and not widely used outside of Cisco environment). Thanks & Regards Manjunatha Srinivasan N