wpa_supplicant error when trying to use EAP-PEAP/GTC

Jouni Malinen jkmaline
Mon Oct 11 21:15:17 PDT 2004 

On Mon, Oct 11, 2004 at 09:06:52AM -0400, Andrew Barr wrote:

> I'm trying to authenticate on a university wireless network using
> wpa_supplicant. It has either a Cisco ACS or Meetinghouse AEGIS RADIUS
> server. It uses IEEE 802.1x with dynamic WEP keys. Allowed EAP types are LEAP
> and PEAP-GTC. My wireless card is a D-Link DWL-650P driven by HostAP 0.2.5, 
> but I've had the same errors with my ipw2100 adapter with driver 0.55. 
> wpa_supplicant is version 0.2.4 with the ipw2100 patch.

Please use version 0.2.5 of wpa_supplicant for both cases when trying
EAP-PEAP version 1. Previous versions have number of issues with PEAPv1.

> When I try to authenticate using the command: 'wpa_supplicant -iwlan0
> - -c/etc/wpa_supplicant.conf -Dhostap -d', first the server requests EAP type
> 17 (LEAP), and wpa_supplicant comes back with EAP-Nak:
> 
> EAP: Received EAP-Request method=17 id=151
> EAP: EAP entering state GET_METHOD
> EAP: Building EAP-Nak (requested type 17 not allowed)
> EAP: allowed methods - hexdump(len=1): 19

> Notice the last line. wpa_supplicant says allowed methods are type 19. The
> table at http://www.networksorcery.com/enp/protocol/eap.htm says that this is
> SRP-SHA1 part 1. I don't know what this is or why it's being listed as
> allowed given my config file.

That 19 is part of hexdump, i.e., it is 0x19 = 25 = EAP-PEAP.

> Then, the server requests method 25 and wpa_supplicant starts to connect, but
> there's an SSL error:
> 
> EAP: Received EAP-Request method=25 id=21
> EAP: EAP entering state GET_METHOD
> EAP-PEAP: Force old label for key derivation
> EAP-PEAP: Phase2 type: GTC
> EAP: EAP entering state METHOD
> EAP-PEAP: Received packet(len=6) - Flags 0x21
> EAP-PEAP: Start (server ver=1, own ver=1)
> EAP-PEAP: Using PEAP version 1
> SSL: (where=0x10 ret=0x1)
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:before/connect initialization
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:SSLv3 write client hello A
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello A

This is actually ok, SSL library is just reporting that it does not
have server certificate.

> SSL: SSL_connect - want more data
> SSL: 102 bytes left to be sent out (of total 102 bytes)
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> EAPOL: SUPP_BE entering state RECEIVE
> WPA: EAPOL frame too short, len 46, expecting at least 99
> Authentication with 00:07:85:b3:f6:bd timed out.

wpa_supplicant sent a response to the PEAP start. This message includes
TLS start (client_hello, etc.). However, it looks like a reply (EAP
request) was never received for this at the client.

Unfortunately, I do not have access to Cisco ACS so I cannot test this
myself. I do have Meetinghouse AEGIS server and it is working fine with
wpa_supplicant when using PEAPv1. In addition, I believe someone
reported success with Cisco ACS and EAP-PEAP of EAP-TLS some time ago.

It would be nice to get some log entries / debug log from the RADIUS
server, but if that is not an option, getting this part of the debug log
with full details (-ddd on command line) would be useful (please include
everything from the beginning of the EAP negotiation up to and including
this timeout; just remove your password from the config parsing phase).

It would also be helpful to get a packet capture from this kind of
failed authentication. You can capture packet with, e.g., Ethereal or
tcpdump from wlan0 interface in the client.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list