It is normal - EAP-TTLS: received 0 bytes encrypted data for Phase 2?
Mon Jun 26 21:31:12 PDT 2006
Thanks for your prompt response.
I do not have problem with TLS, or TTLS/MD5, but I have problem with
TTLS/MSCHAPV2. I don't know TTLS/PAP, but I may try it later if the
TTLS/MSCHAPV2 does not work out.
I checked your configuration for the username /password on the Radius
server. I had double quote "" over the username, so I remove the quote,
but got the same result. Then I tried adding "Auth-Type := MS-CHAP,",
which I don't have that previously, but with that it fails at even
earlier stage - It did not even start TLS handshake, and failed with
"module "mschap" returns reject for request 0". Do I need to have
"Auth-Type := MS-CHAP," in my users file?
On Mon, 26 Jun 2006 20:06:14 -0700, "Jouni Malinen" <jkmaline at cc.hut.fi>
> On Mon, Jun 26, 2006 at 07:57:38PM -0700, Andrew wrote:
> > I am trying to do TTLS/MSCHAPV2 with FreeRadius server, but see the
> > following error on the freeRadius server side -
> > modcall: entering group MS-CHAP for request 5
> > rlm_mschap: Told to do MS-CHAPv2 for testuser with NT-Password
> > rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> I don't have any problems with FreeRADIUS. This part of the debug log
> shows as follows:
> modcall: entering group Auth-Type for request 24
> rlm_mschap: Told to do MS-CHAPv2 for jkm-mschapv2 with NT-Password
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> > I see this on the wpa_supplicant side -
> > EAP-TTLS: received 0 bytes encrypted data for Phase 2
> > EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request
> > Identity
> > EAP-TTLS: Phase 2 MSCHAPV2 Request
> > EAP-TTLS: MSCHAPV2: implicit auth_challenge - hexdump(len=16): e5 e3 aa
> > 58 a1 11 50 d4 55 8a a8 8e 71 ba 1f e4
> > Is it normal to have 0 bytes encrypted data for phase 2? Any suggestion
> > what I should check for?
> Yes, this is the expected behavior. EAP-TTLS does not send
> EAP-Request/Identity at this point of the authentication.
> > For the user name and password, I configured the identity and password
> > in wpa configuration file, and for FreeRadius server, I configure in
> > users file, "username" User-Password == "password".
> Do you include backslash in the username (e.g., DOMAIN\user)? Is
> EAP-TTLS/MSCHAPv2 the only method that does not work or are other
> methods (e.g., EAP-TTLS/PAP) showing the same problem?
> Which Auth-Type are you using in the FreeRADIUS configuration? I'm using
> following type of configuration for this:
>user-mschapv2 Auth-Type := MS-CHAP, User-Password == "password"
> Jouni Malinen PGP id EFC895FA
> HostAP mailing list
> HostAP at shmoo.com
http://www.fastmail.fm - mmm... Fastmail...
More information about the Hostap