Hello,
first of all, how I wished the eduroam howto (http://wiki.freeradius.org/guide/eduroam) was online when I first had to configure freeradius. Lucky those who can start from it: it used to be harder.
Still, I have a problem. Following the howto with the files setup, I can handle the happy path result (user with correct password). Everything works.
If I modify the ~/eapol_test/peap-mschapv2.conf file with:
password="iamthewrongpassword"
the request fails after a while, like the server would give the client a second try:
And that's exactly what happens. MSCHAPv2 by default gets back to the client with "Password was wrong, try again." Only if the client says, "no thanks, I'm sure this was the one password I wanted to try" will the conversation be terminated. And only then will you get the reject logs. Of course this doesn't make much sense when *testing* with eapol_test - you've configured it with exactly one password and that's it. That's why wpa_supplicant allows you to send back the "no thanks". Quoting the wpa_supplicant.conf: # phase2: Phase2 (inner authentication with TLS tunnel) parameters # (string with field-value pairs, e.g., "auth=MSCHAPV2" for # EAP-PEAP or "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). # "mschapv2_retry=0" can be used to disable MSCHAPv2 password # retry in authentication failure cases. The retry option in the protocol probably *is* what you want when the real client with an actual human sits on the other end. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66