Hi Masahiko,

Thanks for your quick answer.
What kind of scenarios/equipment are using EAP-MSCHAPv2 without EAP-PEAP?

Best.

Olivier Cherrier
Phone: +352691570680
mailto:o...@symacx.com

On 8/12/25 10:46 AM, YASUOKA Masahiko wrote:
> Hi,
>
> On Tue, 12 Aug 2025 10:15:30 +0200
> Olivier Cherrier <o...@symacx.com> wrote:
>> I'm trying to get radiusd(8) running as a back-end to authenticate
>> users on some Wireless APs using EAP-PEAP.
>>
>> Ideally, the user database would be handled by the 'file' module.
>> While authenticating with MSCHAPv2 from Android,
>> I get (radiusd_eap2mschap compiled with EAP2MSCHAP_DEBUG):
>>
>> 2025-08-12 01:17:16:INFO: Received Access-Request(code=1) from
>> 192.168.1.74:60221 id=72 username=oc q=1: `eap2mschap' authentication
>> is starting
>> 2025-08-12 01:17:16:DEBUG: q=1 Received EAP code=2 type=1
>> 2025-08-12 01:17:16:DEBUG: access_request_new(0x44a97119b80)
>> 2025-08-12 01:17:16:INFO: q=1 EAP
>> state=df731b3b8fb7c2fc8be5738e41b46502 EAP-Identity oc
>> 2025-08-12 01:17:16:INFO: Sending Access-Challenge(code=11) to
>> 192.168.1.74:60221 id=72 q=1
>> 2025-08-12 01:17:16:INFO: Received Access-Request(code=1) from
>> 192.168.1.74:60221 id=73 username=oc q=2: `eap2mschap' authentication
>> is starting
>> 2025-08-12 01:17:16:DEBUG: q=2 Received EAP code=2 type=3
>> 2025-08-12 01:17:16:INFO: q=2 EAP
>> state=df731b3b8fb7c2fc8be5738e41b46502 NAK received
>> 2025-08-12 01:17:16:INFO: Sending Access-Reject(code=3) to
>> 192.168.1.74:60221 id=73 q=2
>>
>>
>> Here is the radiusd(8) config:
>>
>> $ doas egrep -v '^$|#' /etc/radiusd.conf
>> listen on 192.168.1.12
>> listen on 192.168.1.12 accounting
>> client 127.0.0.1/32 {
>>          secret "secret"
>>          msgauth-required no
>> }
>> client 192.168.1.74/32 {
>>          secret "secret4Wifi"
>> }
>> module file {
>>          set path "/etc/radiusd.users"
>> }
>> module eap2mschap {
>>          set chap-name "radius"
>> }
>> authentication-filter * by eap2mschap
>> authenticate    *               by file
>> $
>> $ doas egrep -v '^$|#' /etc/radiusd.users
>> oc:\
>>          :password=oc:
>> $
>>
>>
>> Is there something broken in this config?
>> Is it supposed to work like this?
>
> radiusd_eap2mschap is to provide conversion from EAP-MSCHAPv2 to
> MSCHAPv2.  EAP-PEAP is not supported.
>
>> Is there eventually a possibility to send some
>> radius attributes like 'Tunnel-Private-Group-ID'?
>
> That attribute is not supported.  We need to write a module for the
> attribute.
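
The "Received EAP code=2 type=3 ... NAK received" lines in the log above are an EAP Legacy Nak (RFC 3748), whose data bytes list the methods the supplicant would accept instead of the one offered. The following decoder is an added example, not radiusd code and not part of the thread; the sample packet is constructed, and it assumes the server offered EAP-MSCHAPv2 (type 26) and the Android client asked for PEAP (type 25), which the log itself does not show.

```python
import struct

# EAP method numbers from the IANA EAP registry (RFC 3748 and later).
EAP_TYPES = {1: "Identity", 3: "Legacy-Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet (the reassembled RADIUS EAP-Message attribute)."""
    if len(packet) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident,
            "type": None, "data": b""}
    if code in (1, 2):  # only Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type")
        info["type"] = packet[4]
        info["data"] = packet[5:length]
    return info


def nak_wanted(packet: bytes) -> list:
    """Return the method names a Legacy Nak (code=2 type=3) asks for instead."""
    eap = parse_eap(packet)
    if eap["code"] != "Response" or eap["type"] != 3:
        raise ValueError("not a Legacy Nak")
    # RFC 3748 5.3.1: each data byte is one desired type; 0 = no alternative.
    return [EAP_TYPES.get(t, f"type-{t}") for t in eap["data"] if t != 0]


def explain(offered: int, nak: bytes) -> str:
    """One-line summary of a failed method negotiation."""
    wanted = nak_wanted(nak)
    return (f"server offered {EAP_TYPES.get(offered, offered)}, "
            f"peer wants {', '.join(wanted) or 'nothing it can name'}")


# Constructed sample, not captured from the thread: Response, EAP id=1,
# length=6, type=3 (Nak), desired type 25 (PEAP).
SAMPLE_NAK = bytes([2, 1, 0, 6, 3, 25])

if __name__ == "__main__":
    print(explain(26, SAMPLE_NAK))
```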
