FreeRADIUS 3.2.8 with EAP-FAST: MS-CHAP2-Response is incorrect
Alan DeKok
alan.dekok at inkbridge.io
Mon Jan 5 11:10:46 UTC 2026
On Jan 4, 2026, at 11:16 PM, Dennis Bland <dennis at dbperformance.com> wrote:
> I've compiled/installed FreeRADIUS 3.2.8 on Ubuntu 24.04 (Linux 6.8.0
> and OpenSSL 3.0.13), and it gives the attached "MS-CHAP2 Response is
> incorrect" error during inner tunnel negotiation in Phase 0 (PAC file
> creation) of EAP-FAST. Upgrading the Linux kernel to 6.16 and OpenSSL
> 3.0.16 gives the same result. Compiling the latest FreeRADIUS 3.2.x
> branch head (3.2.9 dev) as of a few days ago also gives the same
> result.
Hmm... OK. I just tried it, I'm seeing the same thing. I'm not sure what changed.
> Note that EAP-PEAP/MSCHAPV2 works fine (log also attached) on the
> identical supplicant / authenticator / authentication server platform.
Unfortunately, PEAP is infinitely simpler than EAP-FAST.
> The supplicant is also on a Ubuntu 24.04 platform (OpenSSL 3.0.13),
> running the latest snapshot of wpa_supplicant, and TLS 1.3 has been
> confirmed working with EAP-PEAP when tls_max is set to 1.3 in
> FreeRADIUS on the authentication server.
Yes. PEAP has been updated for TLS 1.3: https://www.rfc-editor.org/rfc/rfc9427.html
EAP-FAST was also updated for TLS 1.3, but 3.2.x doesn't support that yet. In part because the major supplicants don't support it.
> Background: Recent Ubuntu versions have forcibly disabled TLS 1.0 and
> TLS 1.1, and EAP-FAST support with TLS 1.2 was first introduced in
> FreeRADIUS 3.2.8. However, the FreeRADIUS package version bundled
> with Ubuntu 24.04 is version 3.2.5, and version 3.2.7 with Ubuntu
> 25.10. This unfortunately leaves a gap in EAP-FAST support. Until a
> newer FreeRADIUS package is available on Ubuntu, compiling the 3.2.8
> source seems to be the only option in order to support BOTH TLS 1.3
> with EAP-PEAP and TLS 1.2 with EAP-FAST.
It's apparently hard for Ubuntu to use a version of FreeRADIUS which was released in the last few years. <sigh>
If you want updated packages, you can get updated packages from: https://packages.inkbridgenetworks.com/. They're free, and up to date.
> Any further troubleshooting suggestions? From reading the mailing
> list archives, I've seen this EAP-FAST issue pop up a few times in the
> past on earlier 3.0.x versions, but with no resolution.
Try the updated packages as above. But until I have time for some more in-depth testing, I'm not sure what's going on. A quick check shows the same issue, even when TLS 1.1 is used.
If you have a little bit of time to spare, perhaps try the EAP-FAST tests using various versions of the server. I know it worked at one point, so I don't know why or when it stopped working.
Alan DeKok.