Trying again.Please help ! wpa_supplicant problem with eap-ttls

Jouni Malinen jkmaline
Fri Jun 3 18:41:15 PDT 2005


On Thu, Jun 02, 2005 at 05:36:46PM +0200, helas Akropolis wrote:

> wpa-psk work fine, but when i try to use eap-ttls there ist no connection between the wpa_supplicant(wxp sp2) and the
> hostap. can anyone please tell me what i am doing wrong?

Unfortunately, you did not include enough debug output from the RADIUS
server to find out what was happening. wpa_supplicant debug log seems to
indicate that the RADIUS server is doing something odd, i.e., it is
trying to change from EAP-TTLS to EAP-TLS within the same authentication
session.

> The wpa_supplicant say everytime i get connected: SSL: SSL_connect:error in SSLv3 read server hello A

That is expected in the beginning of the TLS handshake when server hello
has not yet been received.

> EAP: Received EAP-Request method=1 id=0
> EAP: Received EAP-Request method=1 id=1

First, RADIUS server is sending EAP-Request/Identity. This is correct.

> EAP: Received EAP-Request method=21 id=2

And the server starts EAP-TTLS.

> TX EAPOL - hexdump(len=124): 00 09 5b 12 0f a5 00 09 5b 98 e2 7e 88 8e 01 00 00
> 6a 02 02 00 6a 15 00 16 03 01 00 5f 01 00 00 5b 03 01 42 9d b7 1a 5b 92 ad 3b 7b
> 6c 93 95 b9 65 c5 e4 06 af 62 c8 c2 7f 32 6d 24 8f 99 2d 1a 00 59 bf 00 00 34 0
> 0 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00
> 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03 01 00

wpa_supplicant replies with EAP-TTLS..

> WPA: EAPOL frame too short, len 10, expecting at least 99
> RX EAPOL from 00:09:5b:12:0f:a5
> RX EAPOL - hexdump(len=10): 02 00 00 06 01 03 00 06 0d 20
> EAP: Received EAP-Request method=13 id=3
> EAP: EAP entering state DISCARD

But the authentication server is sending EAP-TLS/Start?! This is
incorrect behavior.

Please send a more complete debug log from the RADIUS server. In
addition, getting a packet capture from the RADIUS server (i.e.,
something showing the RADIUS packets between the server and AP) could be
helpful.

-- 
Jouni Malinen                                            PGP id EFC895FA




More information about the Hostap mailing list