PMK Mismatch when testing EAP TEAP TLS

Ma, Zhihao zma at akamai.com
Fri Feb 14 08:31:04 UTC 2025


Many thanks for your immediate response, Alan!

I recompiled eapol_test from the latest devel version, and now it works like a charm.
eapol_test v2.12-devel-hostap_2_11-655-g90856b195

I have submitted a small pull request aimed at assisting those who use eapol_test for TEAP testing. 
https://github.com/FreeRADIUS/freeradius-server/pull/5518
Please feel free to review and merge it if it proves helpful.


On 2/13/25, 06:54, "Alan DeKok" <aland at deployingradius.com> wrote:



On Feb 12, 2025, at 10:12 PM, Ma, Zhihao via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I met a strange issue saying PMK mismatch when testing EAP TEAP TLS with eapol_test on FreeRADIUS 3.2.7


It's not a strange issue. It's TEAP. We've been working for a few years on updates to RFC7170, which correct a number of fatal flaws in the original RFC.


In short, TEAP may or may not work. It's known to work with Windows. It's known to *not* work with some versions of eapol_test. See below.


Documenting TEAP is ongoing work. I've been working with Cisco, Microsoft, Aruba, and Jouni Malinen behind the scenes to get all of the issues addressed. It's taken an enormous amount of time and effort. TEAP is just too complicated for its own good.


> I was keeping most of the configuration file untouched.
> The only 3 configuration files modified are
> clients - I added another user/password based on my IP
> mschap - I enabled use_mppe_keys (which is required by TEAP MSCHAPv2)
> eap - Uncommented several key options in eap teap section
> 
> Here is the eapol_test conf:


That's not needed. See src/tests/, there are a number of examples of configuration files for eapol_test and TEAP.


> Since several TEAP tests added in this version are done with eapol_test, I believe I probably didn't configure FreeRADIUS correctly.
> Could someone look at it and point out the correct way to do TEAP TLS?


The file mods-enabled/eap contains sufficient documentation to get TEAP configured. The sample eapol_test files in src/tests show how the client can be configured for various types of authentication.
> Here is the log of TEAP TLS from eapol_test:
> 
> root at debian-freeradius:~/wpa_supplicant-2.11# /usr/local/bin/eapol_test -c teap_user.conf -s secret -a 192.168.4.151 -M de:ad:be:ef:42:42 -N 30:s:00:11:22:33:44:55:UConnect -N4:x:c0a80414


Yeah, that won't work. You need the latest from git. I'm using


$ eapol_test -v
eapol_test v2.12-devel-hostap_2_11-521-ga302d16b1


Alan DeKok.