OpenLDAP+FreeRadius Encryption

Greg Mischel Smith gregms at gmail.com
Tue Feb 2 17:06:50 CET 2016


> Comment out mschap in your EAP config to disallow negotiation of mschap,
> they'll try something else...

That's what I would have thought, but when I try that, I get the following:
(6)   eap : Peer sent method Identity (1)
(6)   ERROR: eap : Tried to start unsupported method (26)
(6)   eap : Failed in EAP select
(6)    [eap] = invalid
(6)   } #  authenticate = invalid
(6)  Failed to authenticate the user
(6)  Login incorrect (eap: Tried to start unsupported method (26)):
[testuser<via Auth-Type = EAP>] (from client WLC port 0 via TLS
tunnel)

Happens on Android and Mac. I found that even if I set Android to use
GTC, when I comment out the mschapv2 { } section in the eap config
file, it fails.

Looking at the debug on when it succeeds (without eap_mschapv2 commented
out), it still uses eap_mschapv2 which makes me think that's why it
fails.
(6)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(6)    authenticate {
(6)   eap : Peer sent method Identity (1)
(6)   eap : Calling eap_mschapv2 to process EAP data
(6)   eap_mschapv2 : Issuing Challenge
...
(7)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(7)    authenticate {
(7)   eap : Expiring EAP session with state 0xb11fa2d2b117b849
(7)   eap : Finished EAP session with state 0xb11fa2d2b117b849
(7)   eap : Previous EAP request found for state 0xb11fa2d2b117b849,
released from the list
(7)   eap : Peer sent method NAK (3)
(7)   eap : Found mutually acceptable type GTC (6)
(7)   eap : Calling eap_gtc to process EAP data
(7)   eap_gtc : EXPAND Password:
(7)   eap_gtc :    --> Password:
(7)   eap : New EAP session, adding 'State' attribute to reply
0xb11fa2d2b016a449
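Added example, not from the poster or the FreeRADIUS project: a small parser for the debug lines shown above that tallies, per request id, which EAP method the peer offered, which method the server refused as unsupported (type 26 is the IANA number for MS-CHAPv2, which is what the "(26)" in the error means), and which method was finally started. The SAMPLE_LOG is constructed from the quoted output with made-up request ids; useful for spotting clients that keep asking for a method the eap config does not enable.

```python
import re
from collections import defaultdict

# IANA-assigned EAP method type numbers, as printed in FreeRADIUS debug output.
EAP_TYPES = {1: "Identity", 3: "NAK", 6: "GTC", 13: "TLS", 21: "TTLS",
             25: "PEAP", 26: "MSCHAPv2"}

# Constructed sample, modelled on the debug lines quoted in the post above.
SAMPLE_LOG = """\
(6)   eap : Peer sent method Identity (1)
(6)   ERROR: eap : Tried to start unsupported method (26)
(6)   eap : Failed in EAP select
(7)   eap : Peer sent method Identity (1)
(7)   eap : Calling eap_mschapv2 to process EAP data
(8)   eap : Peer sent method NAK (3)
(8)   eap : Found mutually acceptable type GTC (6)
(8)   eap : Calling eap_gtc to process EAP data
"""

LINE_RE = re.compile(r"^\((?P<req>\d+)\)\s+(?P<msg>.*)$")
PATTERNS = {  # event name -> regex capturing the EAP type number or module name
    "peer_sent": re.compile(r"Peer sent method \S+ \((\d+)\)"),
    "unsupported": re.compile(r"Tried to start unsupported method \((\d+)\)"),
    "accepted": re.compile(r"Found mutually acceptable type \S+ \((\d+)\)"),
    "started": re.compile(r"Calling eap_(\w+) to process EAP data"),
}

def type_name(num):
    """Map a numeric EAP type to its name; unknown numbers stay numeric."""
    return EAP_TYPES.get(int(num), f"type-{num}")

def summarize_eap(log_text):
    """Per request id: methods the peer sent, methods the server refused as
    unsupported, the negotiated type, the module started, and whether
    EAP select failed."""
    out = defaultdict(lambda: {"peer_sent": [], "unsupported": [],
                               "accepted": None, "started": None, "failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = out[int(m.group("req"))], m.group("msg")
        if "Failed in EAP select" in msg:
            s["failed"] = True
        for event, rx in PATTERNS.items():
            hit = rx.search(msg)
            if hit and event == "started":
                s["started"] = hit.group(1)          # module name, e.g. "gtc"
            elif hit and event == "accepted":
                s["accepted"] = type_name(hit.group(1))
            elif hit:
                s[event].append(type_name(hit.group(1)))
    return dict(out)

def unsupported_attempts(log_text):
    """Request ids in which a peer asked for a method the eap config does not enable."""
    return sorted(r for r, s in summarize_eap(log_text).items() if s["unsupported"])
```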

