3.0.11 update broke my PEAP
Stefan Winter
stefan.winter at restena.lu
Mon Feb 15 09:06:00 CET 2016
Hi,
this looks suspiciously like a bug to me. I updated from 3.0.10 to
3.0.11 with a perfectly working and unchanged configuration. In 3.0.11,
all PEAP is broken with a slightly enigmatic error message which
suggests my config may be sub-par; I can't really determine what should
be wrong with it.
Here's -X, the end of authorize and beginning of authenticate inside
inner-tunnel:
(484) sql-commonauth: User found in radcheck table
(484) sql-commonauth: Conditional check items matched, merging assignment check items
(484) sql-commonauth: NT-Password := 0xREALLYITISTHEPASSWORDBUTIREDACTEDIT
rlm_sql (sql-commonauth): Released connection (0)
(484) [sql-commonauth] = ok
(484) } # redundant = ok
(484) [mschap] = noop
(484) pap: Normalizing NT-Password from hex encoding, 32 bytes -> 16 bytes
(484) pap: WARNING: Auth-Type already set. Not setting to PAP
(484) [pap] = noop
(484) } # authorize = updated
(484) Found Auth-Type = eap
(484) # Executing group from file /usr/local/freeradius/config/raddb/sites-enabled/inner-tunnel
(484) authenticate {
(484) eap: Expiring EAP session with state 0x3a79dfac3a78c68e
(484) eap: Finished EAP session with state 0x4db614dc4dbc0e2d
(484) eap: Previous EAP request found for state 0x4db614dc4dbc0e2d, released from the list
(484) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(484) eap: Calling submodule eap_mschapv2 to process data
(484) eap_mschapv2: Auth-Type sub-section not found. Ignoring.
(484) eap_mschapv2: # Executing group from file /usr/local/freeradius/config/raddb/sites-enabled/inner-tunnel
(484) eap: Sending EAP Failure (code 4) ID 10 length 4
(484) eap: Freeing handler
(484) [eap] = reject
(484) } # authenticate = reject
(484) Failed to authenticate the user
(484) Using Post-Auth-Type Reject
So... the inner-tunnel eap comes as far as realising it should call the
eap_mschapv2 sub-module; but that one bails out claiming it can't find
its own config?
Well, mods-enabled/eap has an mschapv2 EAP type configuration just fine:
eap {
    default_eap_type = peap
    [...]
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
So which sub-section would be missing here? Strange.
I've rolled back with the exact same config to 3.0.10 and things started
working again like a charm.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66