Freeradius 3.0.12 - Cisco EAP-Fast Supported?

[Kevin Morrison]

Alan,

We've tested the password, as well, with LEAP authentication and it works.  Is there something else we can check? Or something else we can configure?

What puzzles me about this whole thing is that PEAP works with an eapol_test, but then also fails with EAP-FAST.  Using eapol_test should eliminate any issues with it being a CISCO EAP FAST implementation, right?





Kevin Morrison
Systems Administrator
T: +1 (704) 378-9235
C: +1 (980) 255-9668
kmorrison at vectorusa.com

VectorUSA
2520 Whitehall Park Drive, Suite 300
Charlotte,  NC 28273

Customer Service: +1 (877) 569-8800



-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+kmorrison=vectorusa.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, December 15, 2016 6:41 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Freeradius 3.0.12 - Cisco EAP-Fast Supported?

On Dec 15, 2016, at 4:54 PM, Kevin Morrison <kmorrison at vectorusa.com> wrote:
> I worked with my network engineer today and we were able to confirm that PEAP works to authenticate, but when changed over to EAP-FAST, it fails as before.

  That's an issue then.

> I have a debug log of PEAP working and then EAP-FAST failing, however, it is pretty dang large at over 4k lines in Notepad++.  I am attaching the text file, with some information changed to protect internal names, MAC addresses, etc.
>
> I am extremely grateful for whatever help you can render me.

  EAP-FAST is more than a bit magical.  We've tested it with a bunch of equipment.  But if it fails in the MS-CHAP calculation.. then something bad is going wrong.

  FreeRADIUS has been doing MS-CHAP for almost 20 years.  If that calculation fails, then either the other end is buggy, or the password really is incorrect.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html