Hi Below is my-setup of testing EAP-FAST/EAP-MSCHAPv2 with cross-over cable connected between supplicant's client and hostapd/freeradius. Note, both hostapd and freeradius are running on host - Ubuntu 16.04. Also attached log of freeradius. <wpa_supplicant(v2.9)<--->Authenticator(hostapd)<----->Authentication server(freeradius v3.0.15). By the way, wpa_suppliant is not enabled for CONFIG_EAP_FAST support and default to gnuTLS. I have re-compiled it, to support openssl (1.1.0) and enabled EAP_FAST for testing. The question is: I am successfully testing EAP-PEAP/EAP-MSCHAPv2 and EAP-TTLS/EAP-MSCHAPv2. But, fails in EAP-FAST/EAP-MSCHAPv2. Please let me know if EAP-MSCHAPv2 is supported in freeradius with wpa_supplicant communication. Below is wpa_supplincant's configuration: ------------- ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=0 ap_scan=0 network= { key_mgmt=IEEE8021X eap=FAST anonymous_identity="anonymous" identity="user2" password="user222" phase1="fast_provisioning=1" phase2="auth=MSCHAPV2" pac_file="/tmp/wpa_supplicant.eap-fast-pac" ca_cert="/tmp/wpa/ca.pem" eapol_flags=0 } -------------- Below is partial output where error occurs during inner tunnel authentication: ---------------- 7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: user2 (7) mschap: Client is using MS-CHAPv2 *(7) mschap: ERROR: MS-CHAP2-Response is incorrect*(7) [mschap] = reject (7) } # authenticate = reject (7) eap: Sending EAP Failure (code 4) ID 147 length 4 (7) eap: Freeing handler (7) [eap] = reject (7) } # authenticate = reject (7) Failed to authenticate the user (7) Using Post-Auth-Type Reject (7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (7) Post-Auth-Type REJECT { (7) attr_filter.access_reject: EXPAND %\{User-Name} (7) attr_filter.access_reject: --> user2 (7) attr_filter.access_reject: Matched entry DEFAULT at line 11 (7) [attr_filter.access_reject] = updated (7) update outer.session-state { (7) &Module-Failure-Message := &request:Module-Failure-Message -> *'mschap: MS-CHAP2-Response is incorrect' (7) }* # update outer.session-state = noop (7) } # Post-Auth-Type REJECT = updated (7) } # server inner-tunnel (7) Virtual server sending reply (7) Reply-Message = "Hello, user2" (7) MS-CHAP-Error = "\223E=691 R=1 C=5246972f1401f7122b3a9da2f0c28f25 V=3 M=Authentication failed" (7) EAP-Message = 0x04930004 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) eap_fast: Got tunneled Access-Reject (7) eap_fast: Reject -------------- Below are reference about EAP-FAST limitation with freeradius, please clarify: http://w1.fi/cgit/hostap/plain/wpa_supplicant/eap_testing.txt (test report of wpa_supplincant<->hostapd<-->freeradius) https://networkradius.com/doc/FreeRADIUS-Implementation-Ch6.pdf (page 46 says it is developed by Cisco and not widely used outside of Cisco environment). Thanks & Regards Manjunatha Srinivasan N
On May 24, 2021, at 8:00 AM, manjunatha srinivasan <manjunathan.n@gmail.com> wrote:
Below is my-setup of testing EAP-FAST/EAP-MSCHAPv2 with cross-over cable connected between supplicant's client and hostapd/freeradius. Note, both hostapd and freeradius are running on host - Ubuntu 16.04. Also attached log of freeradius.
<wpa_supplicant(v2.9)<--->Authenticator(hostapd)<----->Authentication server(freeradius v3.0.15).
Perhaps try 3.0.22, which was just released. I don't think there's any changes related to FAST, but it can't hurt.
By the way, wpa_suppliant is not enabled for CONFIG_EAP_FAST support and default to gnuTLS. I have re-compiled it, to support openssl (1.1.0) and enabled EAP_FAST for testing.
The question is: I am successfully testing EAP-PEAP/EAP-MSCHAPv2 and EAP-TTLS/EAP-MSCHAPv2. But, fails in EAP-FAST/EAP-MSCHAPv2.
Please let me know if EAP-MSCHAPv2 is supported in freeradius with wpa_supplicant communication.
It should be,
Below is partial output where error occurs during inner tunnel authentication:
---------------- 7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: user2 (7) mschap: Client is using MS-CHAPv2
*(7) mschap: ERROR: MS-CHAP2-Response is incorrect*(7) [mschap] = reject
That seems pretty clear. The MS-CHAP code is used for *all* MS-CHAP calculations. So we know that it's correct. Maybe there's something odd in the EAP-FAST code. Alan DeKok.
Hi Alan Thanks for your reply. Previously I was compiling 3.0.22 with the gcc 5.4 compiler where I am facing compilation issues. Can you confirm from my attached EAP-FAST-error.log, Is that configuration changes are okay? I am using the user mentioned in file '/etc/freeradius/users' and also password is the same as in wpa_supplicant.conf. -- error: static declaration of ‘ASN1_STRING_get0_data’ follows non-static declaration static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) -- Regards Manjunatha Srinivasan N On Mon, 24 May 2021 at 17:39, Alan DeKok <aland@deployingradius.com> wrote:
On May 24, 2021, at 8:00 AM, manjunatha srinivasan < manjunathan.n@gmail.com> wrote:
Below is my-setup of testing EAP-FAST/EAP-MSCHAPv2 with cross-over cable connected between supplicant's client and hostapd/freeradius. Note, both hostapd and freeradius are running on host - Ubuntu 16.04. Also attached log of freeradius.
<wpa_supplicant(v2.9)<--->Authenticator(hostapd)<----->Authentication server(freeradius v3.0.15).
Perhaps try 3.0.22, which was just released. I don't think there's any changes related to FAST, but it can't hurt.
By the way, wpa_suppliant is not enabled for CONFIG_EAP_FAST support and default to gnuTLS. I have re-compiled it, to support openssl (1.1.0) and enabled EAP_FAST for testing.
The question is: I am successfully testing EAP-PEAP/EAP-MSCHAPv2 and EAP-TTLS/EAP-MSCHAPv2. But, fails in EAP-FAST/EAP-MSCHAPv2.
Please let me know if EAP-MSCHAPv2 is supported in freeradius with wpa_supplicant communication.
It should be,
Below is partial output where error occurs during inner tunnel authentication:
---------------- 7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password (7) mschap: Creating challenge hash with username: user2 (7) mschap: Client is using MS-CHAPv2
*(7) mschap: ERROR: MS-CHAP2-Response is incorrect*(7) [mschap] = reject
That seems pretty clear. The MS-CHAP code is used for *all* MS-CHAP calculations. So we know that it's correct.
Maybe there's something odd in the EAP-FAST code.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
manjunatha srinivasan