eapol_test from wpa_supplicant-2.4 fails with MPPE keys mismatch for TTLS:CHAP/MSCHAP/MSCHAPv2

Stefan Winter stefan.winter at restena.lu
Wed Sep 9 15:20:04 CEST 2015


Hi,

> I executed eapol_test from wpa_supplicant-2.4 (that is using TLS-1.2)
> against freeradius-2.2.8 and the following cases are failing with "

Does 2.2.x support TLS 1.2 anyway? It is really time to move on to 3.0.x
these days...

Greetings,

Stefan Winter

> [ttls] Tunneled challenge is incorrect":
> EAP-TTLS/CHAP
> EAP-TTLS/MSCHAP
> EAP-TTLS/MSCHAPv2
> Interestingly the same tests with eapol_test from wpa_supplicant-2.4
> (that is using TLS-1.0) are fine.
> 
> I would be surprised if I was the first who tried to run these tests.
> Has anybody experienced the same issue? For configuration and test
> results please refer to the attached file.
> 
> radiusd in debug mode writes this:
> ...
> [ttls] Authenticate
> [ttls] processing EAP-TLS
> [ttls] eaptls_verify returned 7 
> [ttls] Done initial handshake
> [ttls] eaptls_process returned 7 
> [ttls] Session established.  Proceeding to decode tunneled attributes.
> [ttls] Tunneled challenge is incorrect
> [eap] Handler failed in EAP/ttls
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +group REJECT {
> [eap] Reply already contained an EAP-Message, not inserting EAP-Failure
> ++[eap] = noop
> [attr_filter.access_reject] 	expand: %{User-Name} -> anonymous
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 6 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 6
> Sending Access-Reject of id 6 to 127.0.0.1 port 49816
> 	EAP-Message = 0x04060004
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 
> 
> The test configuration files look like this:
> # cat EAP-TTLS_CHAP.conf
> ctrl_interface=wpa_supplicant.ctrl
> network={
>     ssid="QA test 802.1x network"
>     key_mgmt=IEEE8021X
>     eap=TTLS
>     phase2="auth=CHAP"
>     identity="testuser"
>     anonymous_identity="anonymous"
>     password="testpwd"
>     ca_cert="/etc/raddb/certs/ca.pem"
>     ca_cert2="/etc/raddb/certs/ca.pem"
> }
> 
> The radiusd has the default configuration except:
> /etc/raddb/modules/mschap
> /etc/raddb/modules/pap
> /etc/raddb/eap.conf
> /etc/raddb/users
> and test certificates were created and added.
> For the details please see the attached file.
> 
> The wpa_supplicant was built with the provided "defconfig"
> configuration.
> 
> Regards,
> Patrik Kis


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
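
Added example, not part of the original message and not FreeRADIUS or wpa_supplicant code: RFC 5281 (section 11.1) derives the tunneled CHAP/MS-CHAP challenge from the TLS PRF with the label "ttls challenge", and TLS 1.0 and TLS 1.2 define different PRFs. The sketch shows that a peer and a server evaluating different PRFs over the same master secret disagree on the challenge, which is one mismatch consistent with "Tunneled challenge is incorrect"; the thread does not confirm this as the cause, and the secret and randoms are constructed values.

```python
import hashlib
import hmac

LABEL = b"ttls challenge"  # label from RFC 5281, section 11.1

def p_hash(digest, secret, seed, length):
    """P_hash data expansion (RFC 2246 / RFC 5246, section 5)."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()         # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2                        # halves share a byte if length is odd
    md5 = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1 = p_hash(hashlib.sha1, secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF with the default P_SHA256."""
    return p_hash(hashlib.sha256, secret, label + seed, length)

def ttls_challenge(prf, master_secret, client_random, server_random, length=17):
    """Return (challenge, identifier): 17 octets for CHAP and MS-CHAPv2, 9 for MS-CHAP."""
    material = prf(master_secret, LABEL, client_random + server_random, length)
    return material[:-1], material[-1]

def server_accepts(peer_prf, server_prf, master_secret, client_random, server_random):
    """True if the server's recomputed challenge equals the one the peer tunneled."""
    sent, _ = ttls_challenge(peer_prf, master_secret, client_random, server_random)
    expected, _ = ttls_challenge(server_prf, master_secret, client_random, server_random)
    return hmac.compare_digest(sent, expected)

# Constructed sample values, not taken from any capture in the thread.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32

if __name__ == "__main__":
    for name, server_prf in (("TLS 1.2 PRF", prf_tls12), ("TLS 1.0 PRF", prf_tls10)):
        ok = server_accepts(prf_tls12, server_prf, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
        print(f"peer uses TLS 1.2 PRF, server uses {name}: {'match' if ok else 'mismatch'}")
```
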


More information about the Freeradius-Users mailing list