Alan DeKok aland at
Mon May 24 14:09:11 CEST 2021

On May 24, 2021, at 8:00 AM, manjunatha srinivasan <manjunathan.n at> wrote:
> Below is my-setup of testing EAP-FAST/EAP-MSCHAPv2 with cross-over cable
> connected between  supplicant's client and hostapd/freeradius. Note,  both
> hostapd and freeradius are running on host - Ubuntu 16.04. Also attached
> log of freeradius.
> <wpa_supplicant(v2.9)<--->Authenticator(hostapd)<----->Authentication
> server(freeradius v3.0.15).

  Perhaps try 3.0.22, which was just released.  I don't think there's any changes related to FAST, but it can't hurt.

> By the way, wpa_suppliant is not enabled for CONFIG_EAP_FAST support and
> default to gnuTLS.  I have re-compiled it, to support openssl (1.1.0) and
> enabled EAP_FAST for testing.
> The question is: I am successfully testing EAP-PEAP/EAP-MSCHAPv2 and
> Please let me know if EAP-MSCHAPv2 is supported in freeradius with
> wpa_supplicant communication.

  It should be,

> Below is partial output where error occurs during inner tunnel
> authentication:
> ----------------
> 7) mschap: Found Cleartext-Password, hashing to create NT-Password
> (7) mschap: Found Cleartext-Password, hashing to create LM-Password
> (7) mschap: Creating challenge hash with username: user2
> (7) mschap: Client is using MS-CHAPv2
> *(7) mschap: ERROR: MS-CHAP2-Response is incorrect*(7) [mschap] = reject

  That seems pretty clear.  The MS-CHAP code is used for *all* MS-CHAP calculations.  So we know that it's correct.

  Maybe there's something odd in the EAP-FAST code.

  Alan DeKok.

More information about the Freeradius-Users mailing list