Alan DeKok aland at deployingradius.com
Thu Apr 1 08:04:49 CEST 2010

Ryan A. Krenzischek wrote:
> Greetings!
> I am at a road block here. I know setting up WPA2 Enterprise
> PEAPv0/EAP-MSCHAPv2 / 802.1X should be simple.  It just isn't working!
> Perhaps I am suffering from green screen syndrome :)
> I have followed directions from:
> http://tldp.org/HOWTO/html_single/8021X-HOWTO/

  Ugh.  That document is almost 6 years old.

> Aside from mschap being in the <etcdir>/raddb/modules directory and
> needing to enable mppe, the instructions are fairly straight forward.

  How about http://freeradius.org/doc/  ?  Or the comments in the "man"
page, and in raddb/eap.conf?

  After 10 years of doing this, I still don't understand why people
ignore the documentation that ships with the server, and instead read
random sites on the net.

> The certificates are generated from our certificate store.  I'm trying a
> less complicated set up before moving on to OpenLDAP/Kerberos.  During
> the build process, I made sure that OpenSSL was available.  LDD shows
> that it is linked:

  ldd output is not useful.  The FAQ and docs don't ask for it.

> The client computers are laptops running OpenSUSE 11.2 x86_64.
> Knetworkmanager is being used to configure the wireless security.  the
> settings are:

  The FAQ and docs don't ask for that, either.

> The "users" file contains:
> billgates User-Password := "98502"

  This is a config for 1.x.  See the FAQ for how to correctly set a
password for a user.  Look for "bob".

> What I get on the test laptop in wpa_supplicant:
> Associated with 00:00:00:c0:ff:ee
> CTRL-EVENT-EAP-STARTED EAP Authentication started
> OpenSSL: tls_connection_ca_cert - Failed to parse ca_cert_blob
> error:0D0680A8:ASN1 encoding routines: ASN1_CHECK_TLEN:wrong tag
> openSSL: pending error: error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> TLS: Failed to set TLS connection parameters
> EAP-PEAP: Failed to initialize SSL.

  Well... the certificate seems to be malformed.

> Debug Output:

  *That* is exactly what we need.

> rad_recv: Access-Request packet from host port 1812, id=157,
> length=101
>     EAP-Message = 0x027800060300

  The supplicant is doing EAP.

> [eap] EAP NAK
> [eap] NAK asked for bad type 0
> [eap] Failed in EAP select
> ++[eap] returns invalid

  That seems clear enough.  The supplicant doesn't like the EAP type
proposed by the server, and is asking for another method.  But it's
asking incorrectly.

  See my page for how to configure EAP.  It includes step by step
directions, and it *works*:


  I suspect that the problem is with the certificates.  DON'T start with
 certs that may or may not work with RADIUS.  DO start with the "test"
certs generated when the server first starts.

  Alan DeKok.

More information about the Freeradius-Users mailing list