And the answer yet again is FIPS. - I spun up a new RHEL8 image from the RedHat AMI in AWS - Installed the FreeRADIUS 3.2.7 RPMs and the distro version of the wpa_supplicant - Tested, worked as expected with the default configuration - Run /bin/fips-mode-setup --enable and reboot when ready - Test again, I get the "invalid Message-Authenticator" nonsense when testing with the exact same configuration. Again, I think the problem is in wpa_authenticator/eapol_test since I've got EAP-TLS working with FIPs mode and RHEL8 elsewhere, but thought I'd reply as informational to the list. On Fri, Feb 21, 2025 at 2:30 PM BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
I'd agree but the same shared secret works for radclient - they are both using testing123 with the default localhost client setup.
On Fri, Feb 21, 2025 at 2:24 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 21, 2025, at 12:33 PM, BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
I must be cursed - test install with the default site on a RHEL8 host, FreeRADIUS 3.2.7 built from source, running eapol_test locally on the server:
(0) Received Access-Request Id 0 from 127.0.0.1:58220 to 127.0.0.1:1812 length 134 Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) (from client localhost)
Then the shared secret is wrong. eapol_test works for me in my testing. And the FreeRADIUS build system runs it multiple ties a day.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html