WPA+EAP-PEAP+MSCHAPv2 Problem + ETHEREAL DUMPS
Greg Baker
gbaker
Fri Feb 11 08:22:50 PST 2005
Oops... forgot to attach the dumps. These can be opened in Ethereal, BTW.
On February 11, 2005 12:48 pm, Greg Baker wrote:
> To help diagnose my problem, I have saved two ethereal dumps. One is a
> dump of a successful connect, and the other unsuccessful.
>
> As you can see in the dump, the spot where it dies is at the initial TLS
> handshake. The only difference I can see is that the successful connect
> sends the TLS length in the packet, while the unsuccessful connect does
> not.
>
> I AM using the 0.3.7-pre version, and here is my config file...
>
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> eapol_version=1
> ap_scan=1
> network={
> ssid="stu"
> scan_ssid=1
> key_mgmt=WPA-EAP
> eap=PEAP
> pairwise=TKIP
> group=TKIP
> identity="gbaker"
> password="...."
> phase1="include_tls_length=1 peapver=1 peaplabel=1"
> phase2="auth=MSCHAPv2"
> }
>
> It seems as though the include_tls_length=1 setting is not working...
>
> Thanks again to everyone.
> Greg
>
> On February 11, 2005 08:26 am, Greg Baker wrote:
> > Thanks for your reply, Jouni.
> >
> > On February 9, 2005 11:45 pm, Jouni Malinen wrote:
> > > On Wed, Feb 09, 2005 at 03:23:05PM -0330, Greg Baker wrote:
> > > > I'm trying to connect to the wireless network at my school and am
> > > > having problems. It connects fine in Windows, but not Linux.
> > >
> > > Do you have any idea what authentication server is used in this
> > > network? If it is CiscoACS, please try the 0.3.7-pre version of
> > > wpa_supplicant from http://hostap.epitest.fi/releases/testing/ and add
> > > include_tls_length=1 into the phase1 configuration variable in the
> > > network block.
> >
> > I don't, but can call the network admin and find out. I will ask him
> > today and get back to you.
> >
> > > [snip]
> > >
> > > > network={
> > > > ssid="stu"
> > > > scan_ssid=1
> > > > key_mgmt=WPA-EAP
> > > > eap=PEAP
> > > > pairwise=TKIP
> > > > group=TKIP
> > > > identity="gbaker"
> > > > password="........."
> > > > phase1="peapver=1 peaplabel=1"
> > > > phase2="auth=MSCHAPV2"
> > > > }
> > >
> > > If this is indeed CiscoACS, it may also not like MSCHAPV2 in Phase 2
> > > (at least when using PEAPv1), so you may also need to change that
> > > phase2 auth option to select GTC.
> >
> > Hmm.. I can only go by what the windows setup looks like, and that uses
> > MSCHAPv2. If I do select GTC, will that work with an AP that does
> > MSCHAP?
> >
> > > > One thing I'm not sure about, do I need to have a certificate
> > > > defined? The APs here provide the certificate, and they are not
> > > > validated.
> > >
> > > If you care about security, yes, you really do need to get the correct
> > > CA certificate and validate the server certificate. Without this, the
> > > connection is open for man-in-the-middle attack.
> >
> > I understand the security part. Unfortunately, our network at school is
> > configured with an unofficial certificate. So, I simply cannot verify
> > it. What I meant was, will wpa_supplicant actually work without verifying
> > the certificate.
> >
> > Thanks for all your help, Jouni.
> > _______________________________________________
> > HostAP mailing list
> > HostAP at shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/hostap
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Fail
Type: application/octet-stream
Size: 605 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20050211/7d14b206/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Success
Type: application/octet-stream
Size: 2552 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20050211/7d14b206/attachment-0001.obj
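The difference Greg spots in the two captures (the successful connect "sends the TLS length in the packet", the failed one does not) is the L bit of the flags byte that follows the EAP type in every EAP-TLS-family packet (EAP-TLS per RFC 5216, EAP-TTLS, PEAP); when L is set, a 4-byte TLS Message Length field precedes the TLS data, and wpa_supplicant's include_tls_length=1 makes the supplicant set that bit and send the field even on unfragmented messages. The decoder below is an added example for reading such dumps, not code from this thread or from the hostap project: it parses the EAP header and flags, builds a PEAP response with and without the length field so the two shapes can be compared byte for byte, and validates the EAP Length field so a truncated capture is reported rather than misread. The PEAP Start packet and the TLS payload bytes are constructed placeholders, not a real ClientHello.

```python
"""Decode the flags byte of EAP-TLS-family packets (EAP-TLS, EAP-TTLS, PEAP).

Wire layout (EAP header, then the method-specific part):
  Code(1) Identifier(1) Length(2) Type(1) Flags(1) [TLS Message Length(4)] TLS data
Flags: bit 7 L = TLS Message Length field present, bit 6 M = more fragments,
bit 5 S = start; for PEAP (type 25) bits 0-2 carry the PEAP version.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "EAP-PEAP"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20


@dataclass
class EapTlsPacket:
    code: str
    identifier: int
    method: str
    length_included: bool        # the "L" bit the thread is about
    more_fragments: bool
    start: bool
    version: int                 # PEAP version (0 for non-PEAP methods)
    tls_message_length: Optional[int]
    tls_data: bytes


def parse_eap_tls(pkt: bytes) -> EapTlsPacket:
    """Parse one EAP packet carrying a TLS-based method; raises ValueError on malformed input."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-TLS/PEAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} != actual size {len(pkt)}")
    if code not in (1, 2):
        raise ValueError(f"EAP code {code} carries no method data")
    method = pkt[4]
    if method not in TLS_METHODS:
        raise ValueError(f"EAP type {method} is not a TLS-based method")
    flags = pkt[5]
    offset, tls_len = 6, None
    if flags & FLAG_L:
        if len(pkt) < 10:
            raise ValueError("L flag set but no TLS Message Length field present")
        tls_len = struct.unpack("!I", pkt[6:10])[0]
        offset = 10
    return EapTlsPacket(
        code=EAP_CODES[code],
        identifier=ident,
        method=TLS_METHODS[method],
        length_included=bool(flags & FLAG_L),
        more_fragments=bool(flags & FLAG_M),
        start=bool(flags & FLAG_S),
        version=(flags & 0x07) if method == 25 else 0,
        tls_message_length=tls_len,
        tls_data=pkt[offset:],
    )


def build_peap_response(ident: int, tls_data: bytes, include_tls_length: bool,
                        version: int = 1, more: bool = False) -> bytes:
    """Build an EAP-Response/PEAP as a supplicant would, with or without the L flag."""
    flags = version & 0x07
    if include_tls_length:
        flags |= FLAG_L
    if more:
        flags |= FLAG_M
    body = bytes([25, flags])
    if include_tls_length:
        # Total length of the TLS message across all fragments (one fragment here).
        body += struct.pack("!I", len(tls_data))
    body += tls_data
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def summarize(pkt: bytes) -> str:
    """One-line description, the kind of thing to compare between two captures."""
    p = parse_eap_tls(pkt)
    bits = "".join(b for b, on in (("L", p.length_included), ("M", p.more_fragments),
                                   ("S", p.start)) if on) or "-"
    return (f"{p.code} id={p.identifier} {p.method} v{p.version} flags={bits} "
            f"tls_len={p.tls_message_length} data={len(p.tls_data)}B")


# Constructed samples: a PEAPv1 Start from the authenticator (flags 0x21 = S | version 1),
# then placeholder TLS bytes (not a real ClientHello) sent with and without the L flag.
SAMPLE_START = bytes([0x01, 0x01, 0x00, 0x06, 0x19, 0x21])
SAMPLE_TLS = b"\x16\x03\x01\x00\x05hello"
SAMPLE_WITH_LENGTH = build_peap_response(1, SAMPLE_TLS, include_tls_length=True)
SAMPLE_WITHOUT_LENGTH = build_peap_response(1, SAMPLE_TLS, include_tls_length=False)

if __name__ == "__main__":
    for pkt in (SAMPLE_START, SAMPLE_WITH_LENGTH, SAMPLE_WITHOUT_LENGTH):
        print(summarize(pkt))
```

Feeding the first PEAP response from each dump through summarize() shows the two captures differing only in the flags byte (0x81 versus 0x01 for PEAPv1) and the four extra length bytes; a server that insists on the L bit, as Jouni describes for CiscoACS, drops the handshake right after the Start exchange, which matches where the failing capture ends.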