Hi,

On Tue, 12 Aug 2025 10:15:30 +0200
Olivier Cherrier <o...@symacx.com> wrote:
> I'm trying to get radiusd(8) running as a back-end to authenticate
> users on some Wireless APs using EAP-PEAP.
> 
> Ideally, the user database would be handled by the 'file' module.
> While authenticating with MSCHAPv2 from Android,
> I get (radiusd_eap2mschap compiled with EAP2MSCHAP_DEBUG):
> 
> 2025-08-12 01:17:16:INFO: Received Access-Request(code=1) from
> 192.168.1.74:60221 id=72 username=oc q=1: `eap2mschap' authentication
> is starting
> 2025-08-12 01:17:16:DEBUG: q=1 Received EAP code=2 type=1
> 2025-08-12 01:17:16:DEBUG: access_request_new(0x44a97119b80)
> 2025-08-12 01:17:16:INFO: q=1 EAP
> state=df731b3b8fb7c2fc8be5738e41b46502 EAP-Identity oc
> 2025-08-12 01:17:16:INFO: Sending Access-Challenge(code=11) to
> 192.168.1.74:60221 id=72 q=1
> 2025-08-12 01:17:16:INFO: Received Access-Request(code=1) from
> 192.168.1.74:60221 id=73 username=oc q=2: `eap2mschap' authentication
> is starting
> 2025-08-12 01:17:16:DEBUG: q=2 Received EAP code=2 type=3
> 2025-08-12 01:17:16:INFO: q=2 EAP
> state=df731b3b8fb7c2fc8be5738e41b46502 NAK received
> 2025-08-12 01:17:16:INFO: Sending Access-Reject(code=3) to
> 192.168.1.74:60221 id=73 q=2
> 
> 
> Here is the radiusd(8) config:
> 
> $ doas egrep -v '^$|#' /etc/radiusd.conf
> listen on 192.168.1.12
> listen on 192.168.1.12 accounting
> client 127.0.0.1/32 {
>         secret "secret"
>         msgauth-required no
> }
> client 192.168.1.74/32 {
>         secret "secret4Wifi"
> }
> module file {
>         set path "/etc/radiusd.users"
> }
> module eap2mschap {
>         set chap-name "radius"
> }
> authentication-filter * by eap2mschap
> authenticate    *               by file
> $
> $ doas egrep -v '^$|#' /etc/radiusd.users
> oc:\
>         :password=oc:
> $
> 
> 
> Is there something broken in this config?
> Is it supposed to work like this?

radiusd_eap2mschap is to provide conversion from EAP-MSCHAPv2 to
MSCHAPv2.  EAP-PEAP is not supported.

> Is there eventually a possibility to send some
> radius attributes like 'Tunnel-Private-Group-ID' ?

That attribute is not supported.  We need to write a module for the
attribute.
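
An added example, not part of the original thread and not radiusd code: a decoder for the EAP header layout of RFC 3748, run on constructed packets, to show what the `code=2 type=3` (Nak) log line before the Access-Reject carries. The packet bytes, the assumption that the server offered EAP-MSCHAPv2 (type 26) and the assumption that the client asked for PEAP (type 25) are illustrative; the log in the thread does not show the Nak payload.

```python
import struct

# EAP codes and method types from RFC 3748 and the IANA EAP registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet: code(1) id(1) length(2) [type(1) data]."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field inconsistent with packet size")
    out = {"code": EAP_CODES.get(code, str(code)), "id": ident}
    if code in (1, 2):  # only Request/Response carry a type byte
        if length < 5:
            raise ValueError("Request/Response without a type byte")
        etype, data = packet[4], packet[5:length]
        out["type"] = EAP_TYPES.get(etype, str(etype))
        if code == 2 and etype == 3:
            # Legacy Nak: each data byte is a method the peer would accept;
            # a single 0 means it has no alternative to offer.
            out["wanted"] = [EAP_TYPES.get(t, str(t)) for t in data if t != 0]
        elif etype == 1:
            out["identity"] = data.decode("utf-8", "replace")
    return out


def explain_nak(offered: int, nak: bytes) -> str:
    """Say whether a Nak leaves any method both sides could use."""
    wanted = parse_eap(nak).get("wanted", [])
    name = EAP_TYPES.get(offered, str(offered))
    if name in wanted:
        return f"peer accepts {name}"
    return f"peer refused {name}, wants {wanted}"


# Constructed packets (not captured from the thread).
IDENTITY = bytes([2, 1, 0, 7, 1]) + b"oc"   # Response/Identity "oc"
NAK_PEAP = bytes([2, 2, 0, 6, 3, 25])       # Response/Nak asking for PEAP

if __name__ == "__main__":
    print(parse_eap(IDENTITY))
    print(explain_nak(26, NAK_PEAP))
```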
