It is normal - EAP-TTLS: received 0 bytes encrypted data for Phase 2?

Jouni Malinen jkmaline
Mon Jun 26 20:06:14 PDT 2006

On Mon, Jun 26, 2006 at 07:57:38PM -0700, Andrew wrote:

> I am trying to do TTLS/MSCHAPV2 with FreeRadius server, but see the
> following error on the freeRadius server side - 
>   modcall: entering group MS-CHAP for request 5
>   rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

I don't have any problems with FreeRADIUS. This part of the debug log
shows as follows:

modcall: entering group Auth-Type for request 24
  rlm_mschap: Told to do MS-CHAPv2 for jkm-mschapv2 with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys

> I see this on the wpa_supplicant side - 
> EAP-TTLS: received 0 bytes encrypted data for Phase 2
> EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request
> Identity
> EAP-TTLS: Phase 2 MSCHAPV2 Request
> EAP-TTLS: MSCHAPV2: implicit auth_challenge - hexdump(len=16): e5 e3 aa
> 58 a1 11 50 d4 55 8a a8 8e 71 ba 1f e4
> Is it normal to have 0 bytes encrypted data for phase 2? Any suggestion
> what I should check for? 

Yes, this is the expected behavior. EAP-TTLS does not send
EAP-Request/Identity at this point of the authentication.

> For the user name and password, I configured the identity and password
> in wpa configuration file, and for FreeRadius server, I configure in
> users file, "username" User-Password == "password".

Do you include backslash in the username (e.g., DOMAIN\user)? Is
EAP-TTLS/MSCHAPv2 the only method that does not work or are other
methods (e.g., EAP-TTLS/PAP) showing the same problem?

Which Auth-Type are you using in the FreeRADIUS configuration? I'm using
following type of configuration for this:

user-mschapv2    Auth-Type := MS-CHAP, User-Password == "password"

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list