WPA_Supplicant Looping when authenticated (EAP_PEAP) & (EAP_TLS) IAS radius

Jouni Malinen jkmaline
Wed Apr 28 06:19:53 PDT 2004


On Wed, Apr 28, 2004 at 06:36:12AM -0400, Normax wrote:

> Authentication occurs fine with IAS with either EAP_TLS or EAP_PEAP(mschapv2). 
> Then the problem starts. WPA_supplicant 0.2.0 with xsupplicant also 
> WPA_supplicant (CVS with EAP_TLS, PEAP and mschapv2 compiled in) resets and 
> the process starts over....and over. Infrequently the process completes and I 
> then have a good working link. XP clients work exceptionally well with my 
> setup and if I use WPA-PSK my SuSE 9 works nice too.

Could you please re-test wpa_supplicant without xsupplicant and send me
the full log from the beginning and including at least a couple of loop
iterations? Please also run with verbose logging (-dd). Could you also
record a packet trace (e.g., with tcpdump or ethereal) from the wlan0
interface of the client and send this to me?

I have tested EAP-PEAP and EAP-TLS successfully with IAS, although with
Win2k server. However, I have not tested the AP you mentioned.

> IEEE 802.1X: version=1 type=3 length=95
>   EAPOL-Key type=254
> RX message 1 of 4-Way Handshake from 00:e0:98:b7:13:d7 (ver=1)
> PMK - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> PTK - hexdump(len=64): 5a c5 db 2e 62 7c 34 06 f0 c6 37 34 7d 0b 95 c4 cb 8d 
> 9c ad d4 40 fa 85 3d 57 73 c8 c9 87 dd e2 ce 83 c8 ea a8 42 4a c3 b2 f7 28 5e 
> aa b7 cb 20 c3 61 c9 69 9a 4d 9b bd f2 4d c6 f7 5f 44 5c a3
> EAPOL-Key MIC - hexdump(len=16): 26 01 cd b2 2a b3 83 19 18 f8 93 6c 2c bb 0a 
> 69
> Sending EAPOL-Key 2/4
> Receive from dot1x (Xsupplicant) socket ==> 32
> Master key (dot1x) - hexdump(len=32): 71 0d 5d 1b 23 a2 e7 11 92 52 e0 c8 30 
> 96 34 57 74 3f a3 f9 03 b2 8d af be 82 25 36 30 c6 19 be

This is a race condition between xsupplicant and wpa_supplicant
(wpa_supplicant did not get the master key in time to process the first
frame and consequently sent an invalid frame back; I'm planning to have
some kind of workaround for this, e.g., by just skipping the 1/4 msg if
PMK is not available; however, this is not top priority now that
wpa_supplicant should work fine without xsupplicant). Please run the
test without xsupplicant to avoid this. 

-- 
Jouni Malinen                                            PGP id EFC895FA
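
The race described in this reply shows up in the quoted log as an all-zero PMK at message 1/4, with the master key from xsupplicant arriving only after 2/4 was sent. The script below is an added example, not part of the original mail or of wpa_supplicant, that flags this pattern in a `-dd` log; the line formats follow the quoted output, while the function names and sample bytes are constructed for illustration.

```python
import re

HEXDUMP = re.compile(r"^(.+?) - hexdump\(len=(\d+)\): ?([0-9a-f ]*)$")
HEX_ONLY = re.compile(r"^[0-9a-f]{2}( [0-9a-f]{2})*$")

def unwrap(lines):
    """Strip '>' mail quoting and rejoin hexdumps wrapped by the mail client."""
    out = []
    for raw in lines:
        line = re.sub(r"^(> ?)+", "", raw).strip()
        if out and HEX_ONLY.match(line) and "hexdump(" in out[-1]:
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def zero_pmk_handshakes(lines):
    """Return handshakes where 2/4 was sent while the PMK was still all zeros."""
    attempts, cur = [], None
    for line in unwrap(lines):
        if line.startswith("RX message 1 of 4-Way Handshake from "):
            cur = {"peer": line.split(" from ")[1].split()[0],
                   "zero_pmk": False, "sent_2of4": False, "late_key": False}
            attempts.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Sending EAPOL-Key 2/4"):
            cur["sent_2of4"] = True
        elif (m := HEXDUMP.match(line)):
            label, data = m.group(1), bytes.fromhex(m.group(3))
            if label == "PMK" and data and not any(data):
                cur["zero_pmk"] = True
            elif label.startswith("Master key") and cur["sent_2of4"]:
                cur["late_key"] = True  # key arrived only after the reply went out
    return [a for a in attempts if a["zero_pmk"] and a["sent_2of4"]]

# Constructed sample in the page's log format (key bytes are made up).
SAMPLE = """\
> RX message 1 of 4-Way Handshake from 02:00:00:00:00:01 (ver=1)
> PMK - hexdump(len=8): 00 00 00 00 00
> 00 00 00
> Sending EAPOL-Key 2/4
> Master key (dot1x) - hexdump(len=8): 11 22 33 44 55 66 77 88
> RX message 1 of 4-Way Handshake from 02:00:00:00:00:01 (ver=1)
> PMK - hexdump(len=8): 11 22 33 44 55 66 77 88
> Sending EAPOL-Key 2/4
""".splitlines()

if __name__ == "__main__":
    for a in zero_pmk_handshakes(SAMPLE):
        print(f"{a['peer']}: 2/4 sent with all-zero PMK, late master key={a['late_key']}")
```
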



