Hi,

we are having an issue with authenticating TTLS when the supplicant uses plain MSCHAPv2 instead of EAP-MSCHAPv2.

1. Testing with eapoltest and following config in eapol_test:
-------------------------------------------------------------

    eap=TTLS
    phase2="auth=MSCHAPV2"

produces following request when the request is reinjected into the inner handler:

    Code:       Access-Request
    Identifier: UNDEF
    Authentic:  <238>g<236>Z<18>2<187>dmM$<242><223><30><209>4
    Attributes:
        User-Name = "xxxxxxxx"
        MS-CHAP-Challenge = <25><208><7><142>6Q<145>|`<157>P<251><194><203><233><156>
        MS-CHAP2-Response = ^<0><0><2><0>x<173><6><0> <0><0><0>;<0><0><0>h<0><0><0><0><0><0><0><0><214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1><225>|N<248>

This fails to provide a challenge.

    Tue Jun 9 09:32:25 2015 986798: DEBUG: Radius::AuthSQL looks for match with XXXXX [XXXXX]
    Tue Jun 9 09:32:25 2015 987631: DEBUG: Radius::AuthSQL ACCEPT: : XXXXX [XXXXX]

And subsequently fails.

2. Testing with eapoltest and following config in eapol_test:
-------------------------------------------------------------

    eap=TTLS
    phase2="autheap=MSCHAPV2"

produces following request when the request is reinjected into the inner handler:

    Code:       Access-Request
    Identifier: UNDEF
    Authentic:  <137>'H<220><247><247><152>z<186><145><230><133>i<216>?<227>
    Attributes:
        EAP-Message = <2><1><0>B<26><2><1><0>=1<3>A2<127><165><224>7<193><148><163>s<223><251><182><146><231><0><0><0><0><0><0><0><0>C<194><27>vv1<20><29>]h$/<149><17><159><202>I<6><128><204><246>"<186><189><0>radperf
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        User-Name = "anonymous"

Here we get a challenge:

    Tue Jun 9 10:57:58 2015 642003: DEBUG: Radius::AuthSQL ACCEPT: : xxxxxx [anonymous]
    Tue Jun 9 10:57:58 2015 642696: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success

Any tips where to start searching?

We will try next to see if we can successfully authenticate TTLS/PAP in order to rule out any challenge issues.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de             Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
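
A structural check of the plain-MSCHAPv2 attributes from the first dump, added here as an example and not part of the original post or of Radiator. It assumes the debug dump writes each non-printable octet as `<decimal>` and every other octet as the character itself (a literal `<n>` sequence in the data would be ambiguous); the function names are hypothetical, and the field layout is the one RFC 2548 defines for MS-CHAP2-Response.

```python
import re
import struct

# Attribute values copied from the first request dump in the post above.
CHALLENGE_DUMP = "<25><208><7><142>6Q<145>|`<157>P<251><194><203><233><156>"
RESPONSE_DUMP = (
    "^<0><0><2><0>x<173><6><0> <0><0><0>;<0><0><0>h"
    "<0><0><0><0><0><0><0><0>"
    "<214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1><225>|N<248>"
)

_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)


def unescape_dump(text):
    """Turn the dump notation back into raw octets (assumed convention, see lead-in)."""
    out = bytearray()
    for match in _TOKEN.finditer(text):
        value = int(match.group(1)) if match.group(1) is not None else ord(match.group(2))
        if value > 255:
            raise ValueError(f"not a single octet: {match.group(0)!r}")
        out.append(value)
    return bytes(out)


def parse_mschap2_response(value):
    """Split the 50-octet value: Ident, Flags, Peer-Challenge, Reserved, Response."""
    if len(value) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 octets, got {len(value)}")
    names = ("ident", "flags", "peer_challenge", "reserved", "nt_response")
    return dict(zip(names, struct.unpack("!BB16s8s24s", value)))


def check_inner_mschapv2(challenge, response):
    """Return a list of structural problems; an empty list means well-formed."""
    problems = []
    if len(challenge) != 16:
        problems.append(f"MS-CHAP-Challenge must be 16 octets, got {len(challenge)}")
    try:
        fields = parse_mschap2_response(response)
    except ValueError as exc:
        return problems + [str(exc)]
    if fields["flags"] != 0:
        problems.append("Flags octet is not zero")
    if any(fields["reserved"]):
        problems.append("Reserved field is not all zero")
    return problems


if __name__ == "__main__":
    chal, resp = unescape_dump(CHALLENGE_DUMP), unescape_dump(RESPONSE_DUMP)
    print(parse_mschap2_response(resp))
    print(check_inner_mschapv2(chal, resp) or "attributes are structurally valid")
```

This only confirms that the tunnelled attributes are well-formed. With plain MSCHAPv2 inside TTLS, the server must also compare the challenge and the Ident octet with the values it derives from the TLS session (RFC 5281), which this check does not do.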