Hi,
I executed eapol_test from wpa_supplicat-2.4 (that is using TLS-1.2) against freeradius-2.2.8 and the following cases are failing with "
Does 2.2.x support TLS 1.2 anyway? It is really time to move on to 3.0.x these days... Greetings, Stefan Winter
[ttls] Tunneled challenge is incorrect": EAP-TTLS/CHAP EAP-TTLS/MSCHAP EAP-TTLS/MSCHAPv2 Interestingly the same tests with eapol_test from wpa_supplicat-2.4 (that is using TLS-1.0) are fine.
I would be surprised if I was the first who tried to run these tests. Does anybody experienced the same issue? For configuration and test results please refer to the attached file.
radiusd in debug mode write this: ... [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Tunneled challenge is incorrect [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [eap] Reply already contained an EAP-Message, not inserting EAP-Failure ++[eap] = noop [attr_filter.access_reject] expand: %{User-Name} -> anonymous attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 6 to 127.0.0.1 port 49816 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000
The test configuration files looks like this: # cat EAP-TTLS_CHAP.conf ctrl_interface=wpa_supplicant.ctrl network={ ssid="QA test 802.1x network" key_mgmt=IEEE8021X eap=TTLS phase2="auth=CHAP" identity="testuser" anonymous_identity="anonymous" password="testpwd" ca_cert="/etc/raddb/certs/ca.pem" ca_cert2="/etc/raddb/certs/ca.pem" }
The raiusd has the default configuration except: /etc/raddb/modules/mschap /etc/raddb/modules/pap /etc/raddb/eap.conf /etc/raddb/users and test certificates were created and added. For the details please see the attached file.
The wpa_supplicant was built with the provided "defconfig" configuration.
Regards, Patrik Kis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66