EAP-FAST inner Auth Fails

Jouni Malinen jkmaline
Fri Dec 8 07:06:43 PST 2006

On Fri, Dec 08, 2006 at 11:36:03AM +0530, ramprasad.rajendran at wipro.com wrote:

> >And the server is sending out EAP-Request/Identity frame in 
> >the tunnel and that is received successfully.
> Is this fine. Can the server just ask for a request identity inside the
> tunnel instead of using any authentication method like GTC or MSCHAPV2.

It is normal to first ask for the real identity inside the encrypted
tunnel to protect the privacy of the user identity. This means that the
anonymous_identity in wpa_supplicant configuration is sent in plain, but
the identity value is only send in the encrypted tunnel.

EAP-GTC or EAP-MSCHAPv2 is supposed to follow this identity query in the

> The server's log says the following
> ==> authReports/rejects_20061208.csv <==
> "2006-12-08","11:29:51","<ANY>","test","EAP-FAST","User name or
> credential incorrect","Inner EAP-FAST authentication
> failed",""

This sounds like the "test" user would not be properly configured in the
server. This identity was rejected even before starting EAP-MSCHAPv2.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list