EAP-TTLS/EAP-MSCHAPv2 doesn't work

Hello,

Has anyone tried to use EAP-TTLS authentication to connect to a wifi network ? It seems the authentication passes but the supplicant just drops the conversation. I tried to gather some debug information and this is what I see in the svchost_RASCHAP.LOG - but that doesn't show any error/issues !



[1344] 02-17 23:06:12:832: EapMSChapv2CMakeMessage: Rcvd packet size: 40
[1344] 02-17 23:06:12:832: ChapMakeMessage,RBuf=062F5FDD
[1344] 02-17 23:06:12:832: ChapCMakeMessage...
[1344] 02-17 23:06:12:832: CS_WaitForChallenge
[1344] 02-17 23:06:12:832: MakeResponseMessage...
[1344] 02-17 23:06:12:832: Generating Challenge
[1344] 02-17 23:06:12:832: GetChallenge.
[1344] 02-17 23:06:12:832: GetChallenge: LsaCallAuthenticationPackage succeeded
[1344] 02-17 23:06:12:832: GetChallenge.
[1344] 02-17 23:06:12:832: GetChallenge: LsaCallAuthenticationPackage succeeded
[1344] 02-17 23:06:12:832: GetChallengeResponse
[1344] 02-17 23:06:12:832: GetDESChallengeResponse
[1344] 02-17 23:06:12:832: GetDESChallengeResponse Success
[1344] 02-17 23:06:12:832: GetMD5ChallengeResponse Success
[1344] 02-17 23:06:12:832: GetMD5ChallengeResponse Success
[1344] 02-17 23:06:12:832: GetChallengeResponse Success
[1344] 02-17 23:06:12:832: GetChallengeResponse=0
02 44 00 3A 31 F5 F3 CC 8C D4 61 A5 C3 CC 62 D1 |.D.:1.....a...b.|
47 68 53 6F 1D 00 00 00 00 00 00 00 00 3B FD 32 |GhSo.........;.2|
C3 B2 4E 23 B7 21 A8 1C F6 84 68 B2 44 7A 20 61 |..N#.!....h.Dz a|
76 3D CC 7F 4A 00 54 65 73 74 00 00 00 00 00 00 |v=.J.Test......|
[1344] 02-17 23:06:12:863: EapMSChapv2End
[1344] 02-17 23:06:12:863: ChapEnd

Any idea on what could be wrong ?

Regards,
Karthik.

Only if you are connecting to a Cisco managed network (ie Domain), would you ever use that feature. https://msdn.microsoft.com/en-us/library/dn643706.aspx https://technet.microsoft.com/en-us/library/cc739638(v=ws.10).aspx Extensible Authentication Protocol - Wikipedia, the free encyclopedia

Thanks for your reply. In my tests the EAP-TTLS works with inner PAP/CHAP authentication. However, when I use EAP-MSCHAPv2 or MSCHAPv2 as inner methods to EAP-TTLS then it fails. However, other supplicants seem to work with the same server. So wondering what is unique about the Windows8 supplicant. Would appreciate any insights into this protocol behavior. Thanks again!

I gave you the links that will tell you the whats and whys. Again, this type of authentication is mainly used in Radius or Domain setups. Cisco created the whole EAP procedure for their networks.

If you took the time to search and read up on it, you would not need others to do your job for you. Suggest you start studying.

Well, I have read and understood the EAP-TTLS protocol as such, as I am working on a TTLS server implementation. I have gotten it work with almost all supplicants that supports it, except Win8, and hence I believe that there is a difference (or a bug) with the way Win8 supplicant behaves, particularly with respect to MSCHAP based inner methods. I really intended to find if someone had faced the issue with any of their TTLS servers, and might give some hints on how to solve it..

Sorry if I was not clear with my question, that led you think I did not do research on this topic, but I had been researching on this for quite a while now, and couldn't find any inputs in this case. I am stuck as this is too specific (not a generic configuration issue) and internal to the implementation of Win8 supplicant probably.

Unfortunately the links you have provided did not help as well.

Do you or anyone know if there is a better alias where I can post this question and possibly hit some developers/people who have code level insights of how the TTLS with Win8 is implemented ?

Microsoft's Technet is going to be your best resource for this.