AW: EAP

Jouni Malinen jkmaline
Sat Jul 24 08:11:16 PDT 2004


On Sat, Jul 24, 2004 at 10:28:47AM +0200, Karl Rothenh?fer wrote:

> thank you for your very quick response. It triggered some more extensive
> investigations of myself. That is why I took me a bit more time to respond.
> The result of my investigations (right or wrong?)currently is:
> - Radius receives the users request and sends an MD5 challenge.
> - User receives an MD5 challenge and sends a Nak
> - Nak does not seem to arrive at Radius (discarded in hostapd?)
> - Radius receives next request from user or is it the Nak?
> This sequence runs in an infinite loop.

I would need to get the debug log from hostapd and preferable also
sniffer logs from either air between client and AP or from wire between
AP and RADIUS server.

hostapd does not process EAP packet contents, so the Nak frame should be
sent to the RADIUS server. However, if the Supplicant is using incorrect
identification number in that frame, it will be dropped. hostapd debug
log should show this.

> With my current knowledge it looks as if windows xp (the user's OS) has no
> longer been able to process MD5 since SP1 (neither initiate authentication
> requests nor handle challenges), and my PC uses SP1. This may explain the
> Nak and hence the failure of the authentication. The help of anybody
> experienced in this area would be appreciated.

Yes, Microsoft removed EAP-MD5 in SP1 because this EAP method is
completely unsecure and should never be used without an encrypted tunnel
(like EAP-PEAP or EAP-TTLS)..

Anyway, the EAP-Nak frame is supposed to list Supplicant's EAP methods
and RADIUS server can then select one of them and continue
authentication.

-- 
Jouni Malinen                                            PGP id EFC895FA




More information about the Hostap mailing list