It is normal - EAP-TTLS: received 0 bytes encrypted data for Phase 2?

Andrew ifreebiz at fastmail.fm
Tue Jun 27 00:31:12 EDT 2006


Jouni,

Thanks for your prompt response.

I do not have a problem with TLS or TTLS/MD5, but I do have a problem with
TTLS/MSCHAPV2. I don't know TTLS/PAP, but I may try it later if
TTLS/MSCHAPV2 does not work out.
I checked your configuration for the username/password on the Radius
server. I had double quotes "" around the username, so I removed the quotes,
but got the same result. Then I tried adding "Auth-Type := MS-CHAP,",
which I did not have previously, but with that it fails at an even
earlier stage: it did not even start the TLS handshake, and failed with
"module "mschap" returns reject for request 0". Do I need to have
"Auth-Type := MS-CHAP," in my users file?

Thanks, Andrew


On Mon, 26 Jun 2006 20:06:14 -0700, "Jouni Malinen" <jkmaline at cc.hut.fi>
said:
> On Mon, Jun 26, 2006 at 07:57:38PM -0700, Andrew wrote:
> 
> > I am trying to do TTLS/MSCHAPV2 with FreeRadius server, but see the
> > following error on the freeRadius server side - 
> >   modcall: entering group MS-CHAP for request 5
> >   rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
> >   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> 
> I don't have any problems with FreeRADIUS. This part of the debug log
> shows as follows:
> 
> modcall: entering group Auth-Type for request 24
>   rlm_mschap: Told to do MS-CHAPv2 for jkm-mschapv2 with NT-Password
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> 
> 
> > I see this on the wpa_supplicant side - 
> > 
> > EAP-TTLS: received 0 bytes encrypted data for Phase 2
> > EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request
> > Identity
> > EAP-TTLS: Phase 2 MSCHAPV2 Request
> > EAP-TTLS: MSCHAPV2: implicit auth_challenge - hexdump(len=16): e5 e3 aa
> > 58 a1 11 50 d4 55 8a a8 8e 71 ba 1f e4
> > 
> > Is it normal to have 0 bytes encrypted data for phase 2? Any suggestion
> > what I should check for? 
> 
> Yes, this is the expected behavior. EAP-TTLS does not send
> EAP-Request/Identity at this point of the authentication.
> 
> > For the user name and password, I configured the identity and password
> > in wpa configuration file, and for FreeRadius server, I configure in
> > users file, "username" User-Password == "password".
> 
> Do you include backslash in the username (e.g., DOMAIN\user)? Is
> EAP-TTLS/MSCHAPv2 the only method that does not work or are other
> methods (e.g., EAP-TTLS/PAP) showing the same problem?
> 
> Which Auth-Type are you using in the FreeRADIUS configuration? I'm using
> the following type of configuration for this:
> 
> user-mschapv2    Auth-Type := MS-CHAP, User-Password == "password"
> 
> -- 
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap

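An added example, not part of the original message and not FreeRADIUS code: a small Python parser that pairs each request in FreeRADIUS debug output with the rlm_mschap result, so a failing exchange can be compared against a working one like the two excerpts quoted in this thread (reused below as constructed sample input). Treating the "adding MS-CHAPv2 MPPE keys" line as the success marker is an assumption taken from Jouni's working log; the function and field names are hypothetical.

```python
import re

# Constructed sample: the two FreeRADIUS debug excerpts quoted in this thread.
SAMPLE_LOG = """\
  modcall: entering group MS-CHAP for request 5
  rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall: entering group Auth-Type for request 24
  rlm_mschap: Told to do MS-CHAPv2 for jkm-mschapv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
"""

GROUP = re.compile(r"modcall: entering group (\S+) for request (\d+)")
TOLD = re.compile(r"rlm_mschap: Told to do (\S+) for (\S+) with (\S+)")
FAILED = re.compile(r"rlm_mschap: FAILED: (.+)")
MPPE = "rlm_mschap: adding MS-CHAPv2 MPPE keys"  # assumed success marker


def summarize_mschap(log_text):
    """Return one record per request that entered a modcall group."""
    records, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = GROUP.search(line)
        if m:
            # A new request header starts a new record.
            cur = {"request": int(m.group(2)), "group": m.group(1),
                   "user": None, "outcome": "incomplete", "reason": None}
            records.append(cur)
        elif cur is None:
            continue  # rlm_mschap output seen before any request header
        elif (m := TOLD.search(line)):
            cur["user"] = m.group(2)
        elif (m := FAILED.search(line)):
            cur["outcome"], cur["reason"] = "reject", m.group(1)
        elif MPPE in line:
            cur["outcome"] = "response-ok"
    return records


if __name__ == "__main__":
    for rec in summarize_mschap(SAMPLE_LOG):
        print(rec)
```

A request that stays "incomplete" never reached an rlm_mschap verdict, which separates a truncated or earlier-stage failure from a rejected MS-CHAP2-Response.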