eduroam howto help with the wrong password scenario

Stefan Winter stefan.winter at
Fri Apr 20 14:54:38 CEST 2018


> first of all, how I wished the eduroam howto
> ( was online when I first had
> to configure freeradius. Lucky those who can start from it: it used to
> be harder.
> Still, I have a problem. Following the howto with the files setup, I can
> handle the happy path result (user with correct password). Everything works.
> If I modify the ~/eapol_test/peap-mschapv2.conf file with:
> password="iamthewrongpassword"
> the request fails after a while, like the server would give the client a
> second try:

And that's exactly what happens. MSCHAPv2 by default gets back to the
client with "Password was wrong, try again."

Only if the client says, "no thanks, I'm sure this was the one password
I wanted to try" will the conversation be terminated. And only then will
you get the reject logs.

Of course this doesn't make much sense when *testing* with eapol_test -
you've configured it with exactly one password and that's it.

That's why wpa_supplicant allows you to send back the "no thanks".
Quoting the wpa_supplicant.conf:

# phase2: Phase2 (inner authentication with TLS tunnel) parameters
#       (string with field-value pairs, e.g., "auth=MSCHAPV2" for
#       EAP-PEAP or "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS).
#       "mschapv2_retry=0" can be used to disable MSCHAPv2 password
#       retry in authentication failure cases.

The retry option in the protocol probably *is* what you want when the
real client with an actual human sits on the other end.


Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list