eduroam howto help with the wrong password scenario

Alan DeKok aland at
Fri Apr 20 14:54:21 CEST 2018

On Apr 20, 2018, at 8:34 AM, Francesco Malvezzi <francesco.malvezzi at> wrote:
> Still, I have a problem. Following the howto with the files setup, I can
> handle the happy path result (user with correct password). Everything works.

  That's good.

> If I modify the ~/eapol_test/peap-mschapv2.conf file with:
> password="iamthewrongpassword"
> the request fails after a while, like the server would give the client a
> second try:
> eapol logs:
> [...]
> EAP-MSCHAPV2: password changing protocol version 3
> EAP-MSCHAPV2: failure message: 'Authentication rejected' (retry allowed,
> error 691)
> EAPOL: EAP parameter needed
> [...]
> and it takes 30 secs to issue the "FAILURE" line.

  Then you edited your configuration and broke something.  The default configuration does *not* do password changes over MSCHAP.  The default configuration does *not* wait 30 seconds to reject a user.

  Edit the "mschap" module configuration, and disable password changes.

> Why am I missing the:
> linelog_send_reject
> from my logs?

  I have no idea.  Is it supposed to be there?  Why?

> If I choose pap (~/eapol_test/eap-ttls.conf), I can see the failure log
> line (when password is wrong). And the client takes only one sec to tell
> me there is a failure.
> What did I do wrong? Freeradius is 3.0.17 on Debian GNU/Linux 9 (stretch),

  You're not describing what you want to do.  Therefore we have no idea what you're doing wrong, if anything.

  Alan DeKok.

More information about the Freeradius-Users mailing list