List:       freeradius-devel
Subject:    RE: EAP-FAST phase2 failed
From:       Stefan Paetow <Stefan.Paetow () ja ! net>
Date:       2014-08-07 21:25:46
Message-ID: C072996E0B81144DBB9426B44462540C0D6935BF () EXC001

The log says this:

EAP-MSCHAPV2: eap_server Password not configured
EAP-FAST: Phase2 method failed
EAP-FAST: PHASE2_METHOD -> FAILURE

Leads me to believe you either need to configure EAP-FAST to use EAP-GTC or PAP as the second phase, or connect FR to SAMBA or Active Directory (which both speak MSCHAPv2).

Stefan

________________________________
From: freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-devel-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Ammu Argh [ammu3634@gmail.com]
Sent: 07 August 2014 17:16
To: freeradius-devel@lists.freeradius.org
Subject: EAP-FAST phase2 failed

Hi,

I was trying to connect to an AP using EAP-FAST authentication,
but FreeRADIUS EAP-FAST failed with the error below:

  State = 0x97d5bb340dc1cb0c525e6b44738f3553
        Message-Authenticator = 0xdce2fb540845c5ee76a5f48b505bb4eb
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 107
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry DEFAULT at line 202
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group EAP {
[eap2] Request found, released from the list
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=4 respMethod=43 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=107) - Flags 0x01
SSL: Received packet: Flags 0x1 Message Length 0
EAP-FAST: Received 101 bytes encrypted data for Phase 2
EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=67): [REMOVED]
EAP-FAST: Received Phase 2: TLV type 9 length 63 (mandatory)
EAP-FAST: EAP-Payload TLV - hexdump(len=63): 02 04 00 3f 1a 02 04 00 3a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 67 a5 fd 37 80 a6 91 10 ed 46 97 b2 70 75 aa cc 57 27 17 4e dc 0c 6c 00 77 69 66 69
EAP-FAST: Received Phase 2: code=2 identifier=4 length=63
EAP-MSCHAPV2: eap_server Password not configured
EAP-FAST: Phase2 method failed
EAP-FAST: PHASE2_METHOD -> FAILURE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=4)
==> Fail
[eap2] Freeing handler
EAP: Server state machine removed
++[eap2] = reject
+} # group EAP = reject
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> anonymous
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 117 to 10.10.2.2 port 46531
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.


Other details are as below:

Users file:
wifi  Auth-Type := EAP, Cleartext-Password := "welcome123"

eap.conf
eap2 {
                fast {
                        pac_opaque_encr_key = 000102030405060708090a0b0c0d0e0f
                        eap_fast_a_id = tjsys
                        eap_fast_a_id_info = my_server
                        eap_fast_prov = 3
                        pac_key_lifetime = 604800 # 7 days
                        pac_key_refresh_tim = 86400
                }

                tls {
                        ca_cert = /usr/local/etc/raddb/certs/ca.pem
                        server_cert = /usr/local/etc/raddb/certs/server.pem
                        private_key_file = /usr/local/etc/raddb/certs/server.key
                        private_key_password = whatever
                        dh_file = /usr/local/etc/raddb/certs/dh
                        random_file = /usr/local/etc/raddb/certs/random
                }
        }


Sites-enabled/default:
Added in authenticate block
Auth-Type EAP {
                eap2
        }



wpa_supplicant.conf
update_config=1
ap_scan=1
fast_reauth=1

network={
        ssid="WiFi-11g"
        key_mgmt=WPA-EAP
        proto=WPA
        pairwise=TKIP
        group=TKIP
        eap=FAST
        anonymous_identity="fast"
        identity="fast"
        password="koro"
        phase1="fast_provisioning=3"
        pac_file="/data/misc/wifi/eap_fast.pac"
}



FreeRADIUS Version 2.2.5,
OpenSSL 1.0.1e 11
Ubuntu 14.04.1

Please help me to get it to work.

Regards
Ammu

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
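
The EAP-Payload TLV from the debug log above, decoded as an EAP-MSCHAPv2 Response. This is an added example, not part of the original thread or of FreeRADIUS; the function name is illustrative and the field layout is the standard EAP-MSCHAPv2 Response format. It confirms which inner method the peer used and which inner user name the server has to hold a password for.

```python
import struct

# Bytes copied from the "EAP-Payload TLV - hexdump(len=63)" line in the log above.
PAYLOAD = bytes.fromhex(
    "0204003f" "1a" "02" "04" "003a" "31"                 # EAP hdr, type, MSCHAPv2 hdr
    + "00" * 24                                           # Peer-Challenge + Reserved
    + "2867a5fd3780a69110ed4697b27075aacc5727174edc0c6c"  # NT-Response
    + "00"                                                # Flags
    + "77696669"                                          # Name
)

EAP_RESPONSE = 2        # EAP Code: Response
EAP_TYPE_MSCHAPV2 = 26  # 0x1a
OP_RESPONSE = 2         # MSCHAPv2 OpCode: Response
VALUE_SIZE = 49         # 16 + 8 + 24 + 1


def parse_mschapv2_response(pkt: bytes) -> dict:
    """Decode one EAP-MSCHAPv2 Response packet; raise ValueError if malformed."""
    if len(pkt) < 10 + VALUE_SIZE:
        raise ValueError("packet too short for an MSCHAPv2 Response")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != buffer length {len(pkt)}")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-MSCHAPv2 Response")
    opcode, ms_id, ms_length, value_size = struct.unpack("!BBHB", pkt[5:10])
    if opcode != OP_RESPONSE or value_size != VALUE_SIZE:
        raise ValueError("unexpected OpCode or Value-Size")
    if ms_length != length - 5:  # MS-Length excludes EAP header and Type
        raise ValueError("MS-Length does not match EAP length")
    value = pkt[10:10 + VALUE_SIZE]
    return {
        "eap_id": ident,
        "eap_length": length,
        "eap_type": eap_type,
        "ms_length": ms_length,
        "peer_challenge": value[:16],
        "nt_response": value[24:48],
        "flags": value[48],
        "name": pkt[10 + VALUE_SIZE:].decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    fields = parse_mschapv2_response(PAYLOAD)
    print("inner EAP type:", fields["eap_type"], "inner user:", fields["name"])
```
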

