wpa_supplicant error when trying to use EAP-PEAP/GTC

Jouni Malinen jkmaline
Mon Oct 11 21:15:17 PDT 2004

On Mon, Oct 11, 2004 at 09:06:52AM -0400, Andrew Barr wrote:

> I'm trying to authenticate on a university wireless network using
> wpa_supplicant. It has either a Cisco ACS or Meetinghouse AEGIS RADIUS
> server. It uses IEEE 802.1x with dynamic WEP keys. Allowed EAP types are LEAP
> and PEAP-GTC. My wireless card is a D-Link DWL-650P driven by HostAP 0.2.5, 
> but I've had the same errors with my ipw2100 adapter with driver 0.55. 
> wpa_supplicant is version 0.2.4 with the ipw2100 patch.

Please use version 0.2.5 of wpa_supplicant for both cases when trying
EAP-PEAP version 1. Previous versions have a number of issues with PEAPv1.

> When I try to authenticate using the command: 'wpa_supplicant -iwlan0
> -c/etc/wpa_supplicant.conf -Dhostap -d', first the server requests EAP type
> 17 (LEAP), and wpa_supplicant comes back with EAP-Nak:
> EAP: Received EAP-Request method=17 id=151
> EAP: EAP entering state GET_METHOD
> EAP: Building EAP-Nak (requested type 17 not allowed)
> EAP: allowed methods - hexdump(len=1): 19

> Notice the last line. wpa_supplicant says allowed methods are type 19. The
> table at http://www.networksorcery.com/enp/protocol/eap.htm says that this is
> SRP-SHA1 part 1. I don't know what this is or why it's being listed as
> allowed given my config file.

That 19 is part of a hexdump, i.e., it is 0x19 = 25 = EAP-PEAP.

> Then, the server requests method 25 and wpa_supplicant starts to connect, but
> there's an SSL error:
> EAP: Received EAP-Request method=25 id=21
> EAP: EAP entering state GET_METHOD
> EAP-PEAP: Force old label for key derivation
> EAP-PEAP: Phase2 type: GTC
> EAP: EAP entering state METHOD
> EAP-PEAP: Received packet(len=6) - Flags 0x21
> EAP-PEAP: Start (server ver=1, own ver=1)
> EAP-PEAP: Using PEAP version 1
> SSL: (where=0x10 ret=0x1)
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:before/connect initialization
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:SSLv3 write client hello A
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello A

This is actually OK; the SSL library is just reporting that it does not
have the server certificate.

> SSL: SSL_connect - want more data
> SSL: 102 bytes left to be sent out (of total 102 bytes)
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> EAPOL: SUPP_BE entering state RECEIVE
> WPA: EAPOL frame too short, len 46, expecting at least 99
> Authentication with 00:07:85:b3:f6:bd timed out.

wpa_supplicant sent a response to the PEAP start. This message includes
TLS start (client_hello, etc.). However, it looks like a reply (EAP
request) was never received for this at the client.

Unfortunately, I do not have access to Cisco ACS so I cannot test this
myself. I do have Meetinghouse AEGIS server and it is working fine with
wpa_supplicant when using PEAPv1. In addition, I believe someone
reported success with Cisco ACS and EAP-PEAP or EAP-TLS some time ago.

It would be nice to get some log entries / debug log from the RADIUS
server, but if that is not an option, getting this part of the debug log
with full details (-ddd on command line) would be useful (please include
everything from the beginning of the EAP negotiation up to and including
this timeout; just remove your password from the config parsing phase).

It would also be helpful to get a packet capture from this kind of
failed authentication. You can capture packets with, e.g., Ethereal or
tcpdump on the wlan0 interface in the client.

Jouni Malinen                                            PGP id EFC895FA
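The method negotiation in the log above (server offers LEAP, type 17; the supplicant answers with an EAP-Nak listing its allowed methods as the hexdump "19", which is 0x19 = 25 = PEAP) follows the EAP packet format of RFC 3748. The following Python is an added illustration, not code from wpa_supplicant or from this thread: it parses an EAP-Request, decides whether the offered type is allowed, and otherwise builds the EAP-Nak exactly as the debug log describes. The sample request bytes and the `EAP_TYPE_NAMES` table are constructed for the example; the LEAP type-data payload is a placeholder.

```python
import struct

# EAP codes and the method types that appear in the thread (RFC 3748 / IANA registry)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_NAK = 3
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 6: "GTC", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP"}


def parse_eap(pkt: bytes) -> dict:
    """Decode the 4-byte EAP header (code, id, length) plus the type byte for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("EAP frame too short for header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP length field {length} inconsistent with {len(pkt)} bytes received")
    body = pkt[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type byte")
        return {"code": code, "id": ident, "type": body[0], "data": body[1:]}
    # Success/Failure carry no type byte
    return {"code": code, "id": ident, "type": None, "data": body}


def hexdump(data: bytes) -> str:
    """Same presentation as the 'hexdump(len=N): ..' lines in the wpa_supplicant debug log."""
    return " ".join(f"{b:02x}" for b in data)


def build_nak(ident: int, allowed: list[int]) -> bytes:
    """EAP-Response/Nak: Type 3 followed by the desired method types (a single 0 means 'none')."""
    desired = bytes(allowed) if allowed else b"\x00"
    length = 4 + 1 + len(desired)
    return struct.pack("!BBHB", EAP_RESPONSE, ident, length, EAP_TYPE_NAK) + desired


def handle_request(pkt: bytes, allowed: list[int]) -> tuple[str, object]:
    """Mirror the GET_METHOD decision: start the method if allowed, else answer with a Nak."""
    req = parse_eap(pkt)
    if req["code"] != EAP_REQUEST:
        return ("ignore", req["code"])
    if req["type"] in allowed:
        return ("method", req["type"])
    # Not allowed: the log line 'Building EAP-Nak (requested type X not allowed)'
    return ("nak", build_nak(req["id"], allowed))


# Constructed sample: EAP-Request id=151 (0x97) offering LEAP (type 17); the type-data is a placeholder.
SAMPLE_LEAP_REQUEST = struct.pack("!BBHB", EAP_REQUEST, 151, 4 + 1 + 11, 17) + b"\x01\x00\x08" + b"\x00" * 8
ALLOWED_METHODS = [25]  # config equivalent of eap=PEAP


if __name__ == "__main__":
    req = parse_eap(SAMPLE_LEAP_REQUEST)
    print(f"EAP: Received EAP-Request method={req['type']} ({EAP_TYPE_NAMES.get(req['type'], '?')}) id={req['id']}")
    action, result = handle_request(SAMPLE_LEAP_REQUEST, ALLOWED_METHODS)
    if action == "nak":
        print(f"EAP: Building EAP-Nak (requested type {req['type']} not allowed)")
        print(f"EAP: allowed methods - hexdump(len={len(ALLOWED_METHODS)}): {hexdump(bytes(ALLOWED_METHODS))}")
        print(f"Nak frame: {hexdump(result)}")
```

Running it reproduces the two log lines from the thread for the constructed request and shows the full Nak frame `02 97 00 06 03 19`, where the trailing `19` is the hex encoding of type 25 (PEAP), not the decimal type 19 from the IANA table.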
