Here we go, TTLS/PAP works STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station MS-MPPE-Send-Key (sign) - hexdump(len=32): c5 bd 3a 25 91 1b fa 82 01 4c d2 d3 0f 50 b9 69 57 32 5c 19 73 03 2a 02 d2 47 36 bd 0d 79 a7 09 MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 7e c5 98 86 14 43 b5 20 08 fd fa 5c 6a e6 7c b5 cd 42 aa d5 8f 10 8c b6 9c 01 d3 9a 86 f1 7f 15 decapsulated EAP packet (code=3 id=7 len=4) from RADIUS server: EAP Success EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required WPA: EAPOL processing complete EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=1 PMK from EAPOL - hexdump(len=32): 7e c5 98 86 14 43 b5 20 08 fd fa 5c 6a e6 7c b5 cd 42 aa d5 8f 10 8c b6 9c 01 d3 9a 86 f1 7f 15 EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS TTLS/MSCHAPV2 fails STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.02 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=8 len=111) from RADIUS server: EAP-Request-TTLS (21) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=8 method=21 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=111) - Flags 0x80 SSL: TLS Message Length: 101 EAP-TTLS: received 101 bytes encrypted data for Phase 2 EAP-TTLS: Decrypted Phase 2 AVPs - hexdump(len=56): 00 00 00 1a c0 00 00 37 00 00 01 37 49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 43 39 43 38 45 45 34 30 30 38 45 00 EAP-TTLS: AVP: code=26 flags=0xc0 length=55 EAP-TTLS: AVP vendor_id 311 EAP-TTLS: AVP data - hexdump(len=43): 49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 43 39 43 38 45 45 34 30 30 38 45 EAP-TTLS: MS-CHAP2-Success - hexdump_ascii(len=43): 49 53 3d 42 46 32 34 44 44 43 43 44 31 46 37 44 IS=BF24DDCCD1F7D 36 39 37 32 45 33 34 37 30 30 42 46 44 30 35 34 6972E34700BFD054 43 39 43 38 45 45 34 30 30 38 45 C9C8EE4008E EAP-TTLS: Invalid authenticator response in Phase 2 MSCHAPV2 success request EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: startWhen --> 0 EAPOL test timed out EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE
Perhaps try it with a Cleartext-Password in the "users" file. i.e. *Without* using ntlm_auth. That works for me, including with eapol_test, and TTLS/EAP-MSCHAPv2.
Can you clarify this setup/change to test? I was pretty sure I needed to use ntlm_auth to auth against AD to test mschapv2
If that still fails, then there's something wrong with the system that breaks the server in 2.0.5.
Running Samba 3.2.0 on Fedora 9
FYI: Unknown network block for the CA_CERT with regards to the eapol test config file
What does that mean? Within the config you provided to for eapol_test at the bottom is a ca_cert declaration that errors out when uncommented
Anyone using FC9 with freeradius 2.0.5 against AD working that I can use to compare? Thanks much appreciated