FreeRADIUS 3.2.8 with EAP-FAST: MS-CHAP2-Response is incorrect
Dennis Bland
dennis at dbperformance.com
Fri Jan 9 05:32:50 UTC 2026
On Thu, Jan 8, 2026 at 4:19 PM Alan DeKok via Freeradius-Users
<freeradius-users at lists.freeradius.org> wrote:
>
> On Jan 5, 2026, at 6:10 AM, Alan DeKok <alan.dekok at inkbridge.io> wrote:
> > Hmm... OK. I just tried it, I'm seeing the same thing. I'm not sure what changed.
>
> After a quick look, it seems to be an OpenSSL issue.
>
> For some reason, the SHA256 code in OpenSSL isn't doing its job. Tracking that down will be more work.
>
> You might be able to fix it by updating the cipher_list to include SECLEVEL=1? That might re-enable SHA256.
>
> Alan DeKok.
>
Thanks Alan, I will try changing SECLEVEL=0 to SECLEVEL=1 and let you
know my results.
I agree that it appears to be an OpenSSL issue. EAP-FAST on
FreeRADIUS 3.2.8 does appear to work with Ubuntu 18.04 (OpenSSL
1.1.1), but does not work with Ubuntu 24.04 (OpenSSL 3.0.13 or
3.0.16). Of course, it's risky and impractical to downgrade OpenSSL
on Ubuntu 24.04 due to the large number of application and toolchain
dependencies.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list