PMK Mismatch when testing EAP TEAP TLS

Alan DeKok aland at deployingradius.com
Thu Feb 13 11:53:43 UTC 2025


On Feb 12, 2025, at 10:12 PM, Ma, Zhihao via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I met a strange issue saying PMK mismatch when testing EAP TEAP TLS with eapol_test on FreeRADIUS 3.2.7

  It's not a strange issue.  It's TEAP.  We've been working for a few years on updates to RFC7170, which correct a number of fatal flaws in the original RFC.

  In short, TEAP may or may not work.  It's known to work with Windows.  It's known to *not* work with some versions of eapol_test.  See below.

  Documenting TEAP is ongoing work.  I've been working with Cisco, Microsoft, Aruba, and Jouni Malinen behind the scenes to get all of the issues addressed.  It's taken an enormous amount of time and effort.  TEAP is just too complicated for its own good.

> I was keeping most of the configuration file untouched.
> The only 3 configuration files modified are
> clients - I added another user/password based on my IP
> mschap - I enabled use_mppe_keys (which is required by TEAP MSCHAPv2)
> eap - Uncommented several key options in eap teap section
> 
> Here is the eapol_test conf:

  That's not needed.  See src/tests/, there are a number of examples of configuration files for eapol_test and TEAP.

> Since several of the TEAP tests added in this version are done with eapol_test, I believe I probably didn't configure FreeRADIUS correctly.
> Could someone look at it and point out the correct way to do TEAP TLS?

  The file mods-enabled/eap contains sufficient documentation to get TEAP configured.  The sample eapol_test files in src/tests show how the client can be configured for various types of authentication.
> Here is the log of TEAP TLS from eapol_test:
> 
> root@debian-freeradius:~/wpa_supplicant-2.11# /usr/local/bin/eapol_test -c teap_user.conf -s secret -a 192.168.4.151 -M de:ad:be:ef:42:42 -N 30:s:00:11:22:33:44:55:UConnect -N4:x:c0a80414

  Yeah, that won't work.  You need the latest from git.  I'm using

$ eapol_test -v
eapol_test v2.12-devel-hostap_2_11-521-ga302d16b1

  Alan DeKok.


