Hello,

I'm trying to get radiusd(8) running as a back-end to authenticate
users on some Wireless APs using EAP-PEAP.

Ideally, the user database would be handled by the 'file' module.
While authenticating with MSCHAPv2 from Android,
I get (radiusd_eap2mschap compiled with EAP2MSCHAP_DEBUG):

2025-08-12 01:17:16:INFO: Received Access-Request(code=1) from 192.168.1.74:60221 id=72 username=oc q=1: `eap2mschap' authentication is starting
2025-08-12 01:17:16:DEBUG: q=1 Received EAP code=2 type=1
2025-08-12 01:17:16:DEBUG: access_request_new(0x44a97119b80)
2025-08-12 01:17:16:INFO: q=1 EAP state=df731b3b8fb7c2fc8be5738e41b46502 EAP-Identity oc
2025-08-12 01:17:16:INFO: Sending Access-Challenge(code=11) to 192.168.1.74:60221 id=72 q=1
2025-08-12 01:17:16:INFO: Received Access-Request(code=1) from 192.168.1.74:60221 id=73 username=oc q=2: `eap2mschap' authentication is starting
2025-08-12 01:17:16:DEBUG: q=2 Received EAP code=2 type=3
2025-08-12 01:17:16:INFO: q=2 EAP state=df731b3b8fb7c2fc8be5738e41b46502 NAK received
2025-08-12 01:17:16:INFO: Sending Access-Reject(code=3) to 192.168.1.74:60221 id=73 q=2


Here is the radiusd(8) config:

$ doas egrep -v '^$|#' /etc/radiusd.conf
listen on 192.168.1.12
listen on 192.168.1.12 accounting
client 127.0.0.1/32 {
        secret "secret"
        msgauth-required no
}
client 192.168.1.74/32 {
        secret "secret4Wifi"
}
module file {
        set path "/etc/radiusd.users"
}
module eap2mschap {
        set chap-name "radius"
}
authentication-filter * by eap2mschap
authenticate    *               by file
$
$ doas egrep -v '^$|#' /etc/radiusd.users
oc:\
        :password=oc:
$


Is there something broken in this config?
Is it supposed to work like this?

Is there eventually a possibility to send some
radius attributes like 'Tunnel-Private-Group-ID' ?


Thank you,
Best.

--
Olivier Cherrier
Phone: +352691570680