eapol_test from wpa_supplicat-2.4 fails with MPPE keys mismatch for TTLS:CHAP/MSCHAP/MSCHAPv2

Patrik Kis pkis at redhat.com
Wed Sep 9 12:15:24 CEST 2015


Hello,

I executed eapol_test from wpa_supplicat-2.4 (that is using TLS-1.2)
against freeradius-2.2.8 and the following cases are failing with "
[ttls] Tunneled challenge is incorrect":
EAP-TTLS/CHAP
EAP-TTLS/MSCHAP
EAP-TTLS/MSCHAPv2
Interestingly the same tests with eapol_test from wpa_supplicat-2.4
(that is using TLS-1.0) are fine.

I would be surprised if I was the first who tried to run these tests.
Does anybody experienced the same issue? For configuration and test
results please refer to the attached file.

radiusd in debug mode write this:
...
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Tunneled challenge is incorrect
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[eap] Reply already contained an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject] 	expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 6 to 127.0.0.1 port 49816
	EAP-Message = 0x04060004
	Message-Authenticator = 0x00000000000000000000000000000000


The test configuration files looks like this:
# cat EAP-TTLS_CHAP.conf
ctrl_interface=wpa_supplicant.ctrl
network={
    ssid="QA test 802.1x network"
    key_mgmt=IEEE8021X
    eap=TTLS
    phase2="auth=CHAP"
    identity="testuser"
    anonymous_identity="anonymous"
    password="testpwd"
    ca_cert="/etc/raddb/certs/ca.pem"
    ca_cert2="/etc/raddb/certs/ca.pem"
}

The raiusd has the default configuration except:
/etc/raddb/modules/mschap
/etc/raddb/modules/pap
/etc/raddb/eap.conf
/etc/raddb/users
and test certificates were created and added.
For the details please see the attached file.

The wpa_supplicant was built with the provided "defconfig"
configuration.

Regards,
Patrik Kis


More information about the Freeradius-Users mailing list