Hello,
we are trying to configure a Radius setup. First question: is there any operator running Radius with epmp1000?
Second, we are trying to do the first authentication without success. Something is wrong with the tunnels. We are using freeradius-2.2.0.
Here is the Radius log:
Sun Jan 4 16:48:27 2015
Packet-Type = Access-Request
User-Name = "test01"
NAS-Identifier = "BS6c7cd3:000000"
NAS-Port = 0
Called-Station-Id = "00-04-56-C4-51-C4:CWME"
Calling-Station-Id = "00-04-56-C1-CB-95"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02e0000d150015030100020230
State = 0x2b7ac44f289ad124bb62d008294d7876
Message-Authenticator = 0xaaf098e5e9ce9088fab2e0c829706f3c
NAS-IP-Address = 172.31.0.5
Sun Jan 4 16:48:27 2015
Packet-Type = Access-Reject
EAP-Message = 0x04e00004
Message-Authenticator = 0x00000000000000000000000000000000
Attached is the Wireshark trace file.
Hi Roman,
The authentication is failing because you were using certificates which are invalid.
The certificates expired on 7th Nov, 2013.
Please refer to the screenshot attached.
Please use valid certificates and let us know if you have any issues.
Best Regards,
Balaji
Hello Balaji,
we've changed the certificate. Currently there is:
notAfter: utcTime: 16-01-12 16:07:36 (UTC)
But situation is the same. In CPE log there is a message
STA cannot be associated on AP... Reason 21. (CERTIFICATE FALIED)
There are questions not covered by documentation.
1. Should we create a separate certificate for the SM?
2. Should we upload a certificate for the SM?
Hi Roman,
I assume you have generated a new self-signed certificate, for Radius Server.
If that is the case,
1. You don't have to generate a separate certificate for SM.
2. You have to upload the root CA certificate to the SM.
It should be the same root CA Certificate you have used to sign the new server certificate.
Balaji,
we uploaded the root certificate from the Radius (ca.pem) file into the SM. It looks like TTLS is processing and Radius is sending the Access-Accept message.
Now the SM has another error. Reason 49. INVALID SECURITY KEY
BS shows error:
Jan 16 11:03:31 BS6c7cd3:020000 hostapd: ath0: STA 00:04:56:c1:cb:95 WPA: INITPMK - keyAvailable = false
Jan 16 11:03:31 BS6c7cd3:020000 kernel: STA[00:04:56:c1:cb:95] aid=1 disassociated. Reason: INVALID SECURITY KEY
Jan 16 11:03:31 BS6c7cd3:020000 hostapd: ath0: STA 00:04:56:c1:cb:95 IEEE 802.11: deauthenticated due to local deauth request
Hi Roman,
Could you send me the config files of both AP and SM and the Wireshark trace?
If you prefer, you can e-mail it to me at balaji.grandhi@cambiumnetworks.com.
Best Regards,
Balaji
Hi Balaji
I sent files to you. We are using Radius with Wimax module to support EAP-TTLS for WIMAX equipment.
Just for the knowledge base.
If you are using EAP-TTLS and Freeradius with the wimax module compiled, there is a configuration option:
delete_mppe_keys = yes
If you set it to "yes", Radius will remove these keys from the Access-Accept message and put in a WiMAX-MSK attribute which contains the encoded keys.
Some WiMAX devices require this option to be set to yes. Other devices can operate both ways.
Here is the reply with the "yes" option:
Packet-Type = Access-Accept
EAP-MSK = 0x3c53e3b6bb79329a4f36577990cb181211738b9aeded8279b05775cdefeb0253b79deedd596839d84afd04020905f5067e634ddfeabbcfbba7bfe1b4cf58730a
EAP-EMSK = 0xcfeb6d7567b1a672f00b5e00bc1f0b3ede22c219a806e91681df823764e38ab9be2d6d3435f528f5c10d9c8ef0b5b870f20f6c8797a0e6ebcf041926c7d56cc7
EAP-Message = 0x03570004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test02"
WiMAX-MSK = 0x3c53e3b6bb79329a4f36577990cb181211738b9aeded8279b05775cdefeb0253b79deedd596839d84afd04020905f5067e634ddfeabbcfbba7bfe1b4cf58730a
Here is the reply with the "no" option, which is the standard behaviour of Radius.
Packet-Type = Access-Accept
MS-MPPE-Recv-Key = 0xf0d1c1e0be1c23c000cae76bb2643a98ac22e0731f49780b561b62b1d13e8f96
MS-MPPE-Send-Key = 0xa207a797fd4526321968ed1b0d778702f6d2df40bbd772e73ed9d04240e87a45
EAP-MSK = 0xf0d1c1e0be1c23c000cae76bb2643a98ac22e0731f49780b561b62b1d13e8f96a207a797fd4526321968ed1b0d778702f6d2df40bbd772e73ed9d04240e87a45
EAP-EMSK = 0xe04ccfff3cb0fae8da986627be212c8e8a8a9393defc1586efe5b8a542694f4fd2293ebc4d2490aa86d8dec6642ffcbf13807debfd6a52c65df979a56cdd56c5
EAP-Message = 0x03fd0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "test02"
Cambium prints the debug message INVALID SECURITY KEY if there are no MS-MPPE-* attributes in the message.
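
A check for the situation described in this thread, as an added example that is not part of the original posts or of FreeRADIUS: it parses detail-style Access-Accept records, flags those without MS-MPPE-Recv-Key/MS-MPPE-Send-Key, and confirms that EAP-MSK equals the two keys concatenated, as in the "no" reply above. The function names and the sample records (users userA/userB, repeated-byte keys) are constructed for illustration.

```python
import re

# Per the thread: without these attributes the AP reports INVALID SECURITY KEY.
MPPE_ATTRS = ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def parse_records(text):
    """One attribute dict per packet; bare hex lines continue a wrapped value."""
    records, current, last = [], None, None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            if current is not None and last and HEX_RE.match(line.strip()):
                current[last] += line.strip()
            continue  # timestamps and blank lines are skipped
        name, value = m.group(1), m.group(2).strip('"')
        if name == "Packet-Type":
            current = {}
            records.append(current)
        if current is not None:
            current[name], last = value, name
    return records

def check_accept(rec):
    """Return findings for one Access-Accept record (empty list means OK)."""
    findings = []
    missing = [a for a in MPPE_ATTRS if a not in rec]
    if missing:
        findings.append("missing " + ", ".join(missing))
        if "WiMAX-MSK" in rec:
            findings.append("WiMAX-MSK present: delete_mppe_keys is likely yes")
    elif "EAP-MSK" in rec:
        keys = rec["MS-MPPE-Recv-Key"][2:] + rec["MS-MPPE-Send-Key"][2:]
        if rec["EAP-MSK"][2:].lower() != keys.lower():
            findings.append("EAP-MSK does not equal Recv-Key || Send-Key")
    return findings

def audit(text):
    """(User-Name, findings) for every Access-Accept in the log text."""
    return [(r.get("User-Name"), check_accept(r))
            for r in parse_records(text) if r.get("Packet-Type") == "Access-Accept"]

# Constructed sample: first reply lacks MPPE keys and has a wrapped EAP-MSK.
RECV, SEND = "11" * 32, "22" * 32
SAMPLE = (
    f"Packet-Type = Access-Accept\nEAP-MSK = 0x{RECV}{SEND[:20]}\n{SEND[20:]}\n"
    f'WiMAX-MSK = 0x{RECV}{SEND}\nUser-Name = "userA"\n'
    f"Packet-Type = Access-Accept\nMS-MPPE-Recv-Key = 0x{RECV}\n"
    f'MS-MPPE-Send-Key = 0x{SEND}\nEAP-MSK = 0x{RECV}{SEND}\nUser-Name = "userB"\n'
)
```

Calling `audit(SAMPLE)` reports the missing keys for userA and no findings for userB.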