WPA+EAP-PEAP+MSCHAPv2 Problem + ETHEREAL DUMPS

Jouni Malinen jkmaline
Sat Feb 12 07:45:27 PST 2005


On Fri, Feb 11, 2005 at 12:48:45PM -0330, Greg Baker wrote:

> To help diagnose my problem, I have saved two ethereal dumps.  One is a dump 
> of a successful connect, and the other unsuccessful.

Please note that the successful one used PEAPv0, not PEAPv1. It is
common to use PEAPv0 with MSCHAPv2 and PEAPv1 with GTC. In other words,
if you are using MSCHAPv2, it might be worth trying peapver=0 in phase1
configuration.

> As you can see in the dump, the spot where it dies is at the initial TLS 
> handshake.  The only difference I can see is that the successful connect 
> sends the TLS length in the packet, while the unsuccessful connect does not.

Yes, and I believe that is the most likely explanation for
the connection getting rejected here and the exact reason for adding
include_tls_length option to wpa_supplicant.

> I AM using the 0.3.7-pre version, and here is my config file...
> 
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> eapol_version=1
> ap_scan=1
> network={
>         ssid="stu"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         pairwise=TKIP
>         group=TKIP
>         identity="gbaker"
>         password="...."
>         phase1="include_tls_length=1 peapver=1 peaplabel=1"
>         phase2="auth=MSCHAPv2"
> }
> 
> It seems as though the include_tls_length=1 settings is not working...

It should work, but yes, the capture log in Fail certainly did not look
like this was enabled. I believe that is the most likely explanation for
the connection getting rejected here. Could you please verify that the
wpa_supplicant debug log shows "TLS: Include TLS Message Length in
unfragmented packets" when using this configuration? If not, please make
sure that the wpa_supplicant version is indeed correct and post the
debug log.

When I used this configuration file in a test, the debug log showed
following lines in beginning of PEAP initialization:

EAP: initialize selected EAP method (25, PEAP)
EAP-PEAP: Forced PEAP version 1
EAP-PEAP: Force new label for key derivation
EAP-PEAP: Unsupported Phase2 method 'MSCHAPv2'
EAP-PEAP: Phase2 EAP types - hexdump(len=8): 04 1a 06 05 12 11 ff 17
TLS: Include TLS Message Length in unfragmented packets
EAP: EAP entering state METHOD


In other words, include_tls_length option was noticed (and TLS Length
was indeed added to messages) and so was a typo in the EAP method name
(it should be MSCHAPV2).

-- 
Jouni Malinen                                            PGP id EFC895FA




More information about the Hostap mailing list