eap-fast: using eap-fast-mschapv2 in anonymous tunnel

Alan DeKok aland at deployingradius.com
Sat Sep 23 03:47:44 CEST 2017

On Sep 22, 2017, at 9:05 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> I've been trying to test eap-fast unauthenticated provisioning (RFC
> 5422), and was getting mschap errors, for which I think I found a fix
> - see attached patch (v3.0x).
> With this patch, the mschap authentication stage succeeds using
> eapol_test and a tunnel-pac is provisioned (while the first eapol
> exchange ends with reject as allowed by the RFC, the subsequent
> authentication successes using the newly provisioned pac).

  That looks good, thanks.

> My eapol_test config (my server config is almost untouched):
> network={
>        ssid="eap-fast-test"
>        key_mgmt=WPA-EAP
>        eap=FAST
>        anonymous_identity="FAST-000102030405"
>        identity="bob"
>        password="hello"
>        phase1="fast_provisioning=1"
>        pac_file="/local/file"
> }
> I also tried out the v4.0x branch but encountered some other issues.
> First had to add a cast to float when comparing with tls_max_version
> (inst->tls_conf->tls_max_version > (float) 1.1), as otherwise:
> float x = 1.1; if (x > 1.1) yields true for some reason.

  Floats are notorious for that kind of thing...

> Then however, I get a crash which I can't figure so far - logs with
> back-trace attached.

  That's a straightforward infinite recursion.  I've pushed a fix.

  Alan DeKok.

More information about the Freeradius-Users mailing list