eapol_test giving up and win-like error?

Phil Mayers p.mayers at imperial.ac.uk
Fri Jan 20 11:55:35 CET 2012


On 01/20/2012 10:30 AM, NdK wrote:
> On 19/01/2012 13:01, Phil Mayers wrote:
>
>> I'm not sure what the problem is then. From your original post, the
>> authentication is failing at the *client*, in the inner EAP section.
>> This normally means the final MSCHAP response is invalid, which only
>> happens if some crypto has gone wrong somewhere.
> But then it should fail immediately, not after a timeout!

Not so.

> And an immediate failure is the result when I *disable*
> 'with_ntdomain_hack=yes' line in mschap.

That's a different failure mode.

EAP/MS-CHAP works as follows:

server: send random challenge bytes to client
client: send response=crypto(password,challenge) to server
server: send crypto(response,password) to client

If validation of the 2nd item fails, you'll see an immediate failure at 
the FreeRADIUS end, because FreeRADIUS is doing the validation.

If validation of the 3rd item fails, the client just stops - it gives 
up, and sends no further packets, because it thinks the server is fake / 
impersonating.

That's why there's a timeout at the FreeRADIUS end.


> That's exactly what I've done till now. The failures start when I enable
> the auth I need. The problem w/ CP is just an "issue scheduled for later
> examination" -- nothing configured yet to fix it.
>
> That's my 'hg diff' output (w/o the certs part) from the base config
> (from the tutorial):

If that's really all you've changed, there must be something wrong with 
Samba; it's getting the final crypto blob wrong, and the client is 
dropping the packets. You'll need to investigate and fix this.
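
The two failure modes described in this message, as an added example that is not part of the original post or of FreeRADIUS: a small model of the three-message exchange showing why a bad response is rejected at once while a bad final blob shows up at the server only as a timeout. HMAC-SHA256 stands in for the real MS-CHAPv2 derivations, and the names `crypto`, `run_exchange`, `check_pw` and `blob_pw` are hypothetical.

```python
import hashlib
import hmac
import os

def crypto(secret: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in primitive: HMAC-SHA256. Real MS-CHAPv2 (RFC 2759) derives these
    # values with MD4, SHA-1 and DES; only the message flow is modelled here.
    return hmac.new(secret, label + data, hashlib.sha256).digest()

def run_exchange(client_pw: bytes, check_pw: bytes, blob_pw: bytes):
    """Run one inner authentication; return (outcome seen by the server, trace).

    check_pw: secret the server side uses to validate message 2.
    blob_pw:  secret the server side uses to build message 3.
    On a healthy server both equal the user's password; passing different
    values is a constructed fault standing in for a broken backend.
    """
    trace = []
    # 1. server -> client: random challenge bytes
    challenge = os.urandom(16)
    trace.append("server->client challenge")
    # 2. client -> server: response = crypto(password, challenge)
    response = crypto(client_pw, b"response", challenge)
    trace.append("client->server response")
    expected = crypto(check_pw, b"response", challenge)
    if not hmac.compare_digest(response, expected):
        # The server performed this check, so it rejects and logs at once.
        trace.append("server->client failure")
        return "immediate reject", trace
    # 3. server -> client: crypto(response, password)
    blob = crypto(blob_pw, b"success", response)
    trace.append("server->client success blob")
    if not hmac.compare_digest(blob, crypto(client_pw, b"success", response)):
        # The client performed this check: it suspects an impostor and goes
        # silent, so the server sees nothing more until its timer expires.
        trace.append("client sends nothing further")
        return "timeout", trace
    trace.append("client->server ack")
    return "accept", trace

if __name__ == "__main__":
    pw = b"constructed-password"  # constructed sample value
    for check, blob in [(pw, pw), (b"wrong", b"wrong"), (pw, b"wrong")]:
        outcome, trace = run_exchange(pw, check, blob)
        print(outcome, trace)
```

The third case, where message 2 validates but message 3 is built from the wrong secret, is the one that matches a timeout at the FreeRADIUS end.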


