WPA+EAP-PEAP+MSCHAPv2 Problem

Jouni Malinen jkmaline
Wed Feb 9 19:15:34 PST 2005


On Wed, Feb 09, 2005 at 03:23:05PM -0330, Greg Baker wrote:

> I'm trying to connect to the wireless network at my school and am having 
> problems.  It connects fine in Windows, but not Linux.

Do you have any idea what authentication server is used in this network?
If it is CiscoACS, please try the 0.3.7-pre version of wpa_supplicant
from http://hostap.epitest.fi/releases/testing/ and add
include_tls_length=1 into the phase1 configuration variable in the
network block.

Based on the debug log, it looked like the access point disconnected the
station immediately after receiving the first PEAP frame (TLS client
hello). At least one version of the CiscoACS is believed to do this
unless the frames are sent in a non-standard way, which can now be enabled
with the include_tls_length=1 option.

> eapol_version=1 # <--  not sure what this does

Workaround for some access points that do not like EAPOL version 2.

> network={
>         ssid="stu"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         pairwise=TKIP
>         group=TKIP
>         identity="gbaker"
>         password="........."
>         phase1="peapver=1 peaplabel=1"
>         phase2="auth=MSCHAPV2"
> }

If this is indeed CiscoACS, it may also not like MSCHAPV2 in Phase 2 (at
least when using PEAPv1), so you may also need to change that phase2
auth option to select GTC.

> One thing I'm not sure about, do I need to have a certificate defined?  The 
> APs here provide the certificate, and they are not validated.

If you care about security, yes, you really do need to get the correct
CA certificate and validate the server certificate. Without this, the
connection is open to a man-in-the-middle attack.

-- 
Jouni Malinen                                            PGP id EFC895FA
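To make the two points of the reply concrete (the phase1 workaround and the missing ca_cert), here is an added example that is not part of the original thread or of the hostap project. It embeds a constructed wpa_supplicant.conf containing the poster's network block as quoted plus a hardened variant, parses the network={...} blocks, and reports EAP networks that would accept any server certificate. The CA certificate path and the domain_suffix_match value in the hardened block are placeholders, not real values.

```python
"""Audit wpa_supplicant network blocks for EAP settings that skip
server-certificate validation.  Added example, not part of the original
thread; the sample configuration text and file names are constructed."""
import re

# Constructed sample: the poster's block as quoted in the thread, plus a
# hardened variant that pins the CA certificate and the expected server
# name.  The CA path and server name are placeholders, not real values.
SAMPLE_CONF = """
eapol_version=1
network={
        ssid="stu"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=PEAP
        pairwise=TKIP
        group=TKIP
        identity="gbaker"
        password="........."
        phase1="peapver=1 peaplabel=1"
        phase2="auth=MSCHAPV2"
}

network={
        ssid="stu-hardened"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="gbaker"
        password="........."
        # placeholder path to the RADIUS server's CA certificate
        ca_cert="/etc/ssl/certs/school-radius-ca.pem"
        # placeholder expected server name (defence in depth beyond the CA)
        domain_suffix_match="radius.example.edu"
        # include_tls_length=1 is the interop workaround the reply describes
        phase1="peapver=1 peaplabel=1 include_tls_length=1"
        phase2="auth=MSCHAPV2"
}
"""

# A network block runs from "network={" to the first "}" at line start.
NETWORK_RE = re.compile(r"network=\{(.*?)\n\}", re.S)


def parse_networks(text):
    """Return one dict per network={...} block, mapping option names to
    their unquoted values.  Blank lines and '#' comments are skipped."""
    networks = []
    for body in NETWORK_RE.findall(text):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().strip('"')
        networks.append(opts)
    return networks


def phase_options(value):
    """Split a phase1/phase2 string such as 'peapver=1 peaplabel=1'
    into a dict of option -> value."""
    out = {}
    for item in value.split():
        k, _, v = item.partition("=")
        out[k] = v
    return out


def audit_network(opts):
    """Return findings for one network block.  An EAP network without
    ca_cert (or ca_path) accepts any server certificate, which is the
    man-in-the-middle exposure the reply warns about; without a name
    check, any certificate issued by that CA is accepted."""
    findings = []
    if "EAP" not in opts.get("key_mgmt", ""):
        return findings  # PSK/open networks have no server certificate
    if not (opts.get("ca_cert") or opts.get("ca_path")):
        findings.append("no ca_cert/ca_path: server certificate is not validated")
    if not (opts.get("domain_suffix_match") or opts.get("subject_match")):
        findings.append("no server name check: any certificate from the CA is accepted")
    return findings


def audit(text):
    """Map ssid -> findings for every network block in a config text."""
    return {n.get("ssid", "?"): audit_network(n) for n in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else 'WEAK'}")
        for f in findings:
            print("  -", f)
```

Run it against a real /etc/wpa_supplicant/wpa_supplicant.conf by reading the file into `audit()`; any EAP block it reports as WEAK will join the network without knowing whether the RADIUS server on the other end is the school's or an impostor's.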
