EAP-FAST phase2 failed
Ammu Argh
ammu3634 at gmail.com
Thu Aug 7 18:16:18 CEST 2014
Hi,

I was trying to connect to an AP using EAP-FAST authentication,
but FreeRADIUS EAP-FAST failed with the error below:

State = 0x97d5bb340dc1cb0c525e6b44738f3553
Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 107
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry DEFAULT at line 202
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group EAP {
[eap2] Request found, released from the list
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=107) - Flags 0x01
SSL: Received packet: Flags 0x1 Message Length 0
EAP-FAST: Received 101 bytes encrypted data for Phase 2
EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED]
EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory)
EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28
67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77
69 66 69
EAP-FAST: Received Phase 2: code=2 identifier=4 length=63
EAP-MSCHAPV2: eap_server Password not configured
EAP-FAST: Phase2 method failed
EAP-FAST: PHASE2_METHOD -> FAILURE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=4)
==> Fail
[eap2] Freeing handler
EAP: Server state machine removed
++[eap2] = reject
+} # group EAP = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 117 to 10.10.2.2 port 46531
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

Other details are as below:

Users file:
wifi Auth-Type := EAP, Cleartext-Password := "welcome123"

eap.conf:
eap2 {
    fast {
        pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
        eap_fast_a_id = tjsys
        eap_fast_a_id_info = my_server
        eap_fast_prov = 3
        pac_key_lifetime = 604800 # 7 days
        pac_key_refresh_tim = 86400
    }
    tls {
        ca_cert = /usr/local/etc/raddb/certs/ca.pem
        server_cert = /usr/local/etc/raddb/certs/server.pem
        private_key_file = /usr/local/etc/raddb/certs/server.key
        private_key_password = whatever
        dh_file = /usr/local/etc/raddb/certs/dh
        random_file = /usr/local/etc/raddb/certs/random
    }
}

Sites-enabled/default:
Added in authenticate block
Auth-Type EAP {
    eap2
}

wpa_supplicant.conf:
update_config=1
ap_scan=1
fast_reauth=1
network={
    ssid="WiFi-11g"
    key_mgmt=WPA-EAP
    proto=WPA
    pairwise=TKIP
    group=TKIP
    eap=FAST
    anonymous_identity="fast"
    identity="fast"
    password="koro"
    phase1="fast_provisioning=3"
    pac_file="/data/misc/wifi/eap_fast.pac"
}

FreeRADIUS Version 2.2.5,
OpenSSL 1.0.1e 11
Ubuntu 14.04.1

Please help me to get it to work.

Regards
Ammu
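
Added example, not part of the original post: a decoder for the EAP-Payload TLV hexdump in the debug log above, showing the fields of the inner EAP-MSCHAPv2 Response that the server was processing when it logged "Password not configured". The helper name parse_inner_mschapv2 is hypothetical; the input is the 63 bytes copied from the log.

```python
import struct

# EAP-Payload TLV hexdump (len=63) copied from the debug log in the post.
EAP_PAYLOAD_HEX = (
    "02 04 00 3f 1a 02 04 00 3a 31 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 "
    "67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 "
    "69 66 69"
)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MSCHAPV2 = 26      # 0x1a
MSCHAPV2_RESPONSE = 2       # MSCHAPv2 OpCode for a Response packet
RESPONSE_VALUE_SIZE = 49    # 16 peer challenge + 8 reserved + 24 NT-Response + 1 flags


def parse_inner_mschapv2(raw: bytes) -> dict:
    """Decode an EAP-MSCHAPv2 Response (hypothetical helper, added example)."""
    if len(raw) < 10:
        raise ValueError("too short for EAP + MSCHAPv2 headers")
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", raw[5:10])
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes supplied")
    if eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError(f"inner EAP type {eap_type} is not MSCHAPv2")
    if opcode != MSCHAPV2_RESPONSE or value_size != RESPONSE_VALUE_SIZE:
        raise ValueError("not an MSCHAPv2 Response packet")
    if ms_length != length - 5 or len(raw) < 10 + value_size:
        raise ValueError("inconsistent MS-Length or truncated value")
    value = raw[10:10 + value_size]
    return {
        "eap_code": EAP_CODES.get(code, str(code)),
        "eap_id": ident,
        "eap_length": length,
        "mschapv2_id": ms_id,
        "peer_challenge": value[:16].hex(),
        "reserved_is_zero": value[16:24] == bytes(8),
        "nt_response": value[24:48].hex(),
        "flags": value[48],
        # Everything after the fixed-size value field is the user name.
        "name": raw[10 + value_size:].decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    for key, val in parse_inner_mschapv2(bytes.fromhex(EAP_PAYLOAD_HEX)).items():
        print(f"{key:17} {val}")
```

The decoded name is "wifi", the user in the posted Users file entry, while the posted wpa_supplicant.conf shows identity="fast".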