On Apr 20, 2018, at 8:34 AM, Francesco Malvezzi <francesco.malvezzi@unimore.it> wrote:
Still, I have a problem. Following the howto with the files setup, I can handle the happy path result (user with correct password). Everything works.
That's good.
If I modify the ~/eapol_test/peap-mschapv2.conf file with:
password="iamthewrongpassword"
the request fails after a while, like the server would give the client a second try:
eapol logs: [...] EAP-MSCHAPV2: password changing protocol version 3 EAP-MSCHAPV2: failure message: 'Authentication rejected' (retry allowed, error 691) EAPOL: EAP parameter needed [...] and it takes 30 secs to issue the "FAILURE" line.
Then you edited your configuration and broke something. The default configuration does *not* do password changes over MSCHAP. The default configuration does *not* wait 30 seconds to reject a user. Edit the "mschap" module configuration, and disable password changes.
Why am I missing the: linelog_send_reject from my logs?
I have no idea. Is it supposed to be there? Why?
If I choose pap (~/eapol_test/eap-ttls.conf), I can see the failure log line (when password is wrong). And the client takes only one sec to tell me there is a failure.
What did I do wrong? Freeradius is 3.0.17 on Debian GNU/Linux 9 (stretch),
You're not describing what you want to do. Therefore we have no idea what you're doing wrong, if anything. Alan DeKok.