eapol_test
BuzzSaw Code
buzzsaw.code at gmail.com
Mon Feb 24 18:36:20 UTC 2025
And the answer yet again is FIPS.
- I spun up a new RHEL8 image from the RedHat AMI in AWS
- Installed the FreeRADIUS 3.2.7 RPMs and the distro version of the
wpa_supplicant
- Tested, worked as expected with the default configuration
- Run /bin/fips-mode-setup --enable and reboot when ready
- Test again, I get the "invalid Message-Authenticator" nonsense when
testing with the exact same configuration.
Again, I think the problem is in wpa_authenticator/eapol_test since
I've got EAP-TLS working with FIPS mode and RHEL8 elsewhere, but
thought I'd reply as informational to the list.
On Fri, Feb 21, 2025 at 2:30 PM BuzzSaw Code <buzzsaw.code at gmail.com> wrote:
>
> I'd agree but the same shared secret works for radclient - they are
> both using testing123 with the default localhost client setup.
>
> On Fri, Feb 21, 2025 at 2:24 PM Alan DeKok <aland at deployingradius.com> wrote:
> >
> > On Feb 21, 2025, at 12:33 PM, BuzzSaw Code <buzzsaw.code at gmail.com> wrote:
> > >
> > > I must be cursed - test install with the default site on a RHEL8 host,
> > > FreeRADIUS 3.2.7 built from source, running eapol_test locally on the
> > > server:
> > >
> > > (0) Received Access-Request Id 0 from 127.0.0.1:58220 to
> > > 127.0.0.1:1812 length 134
> > > Dropping packet without response because of error: Received packet
> > > from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is
> > > incorrect.) (from client localhost)
> >
> > Then the shared secret is wrong. eapol_test works for me in my testing. And the FreeRADIUS build system runs it multiple times a day.
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html