EAP-FAST doesn't work with Cisco AP

[Michael Reilly]

Jouni Malinen wrote:
> On Sun, Jun 11, 2006 at 10:04:12PM -0700, Michael Reilly wrote:
> 
>> I have been trying to get EAP-FAST to work with my Cisco AP-1100 (12.3(7)JA2 and
>> 12.3(8)JA2 IOS versions on the AP).  Windows clients work fine with the AP.
> 
> Was this authentication using the local authentication server in the AP
> or an external RADIUS server?
Local server.
> 
>> wpa_supplicant 0.4.9 and openssl 0.9.8b patched with
>> openssl-tls-extensions.patch.  SSL fails and sends the AP an Alert code 47.  The
>> wpa_supplicant SSL part of the log is shown below.  I can provide additional
>> information as required.
> 
> I haven't tested with OpenSSL 0.9.8b, but I would not expected that to
> have changed in an area that would cause such a problem. OpenSSL 0.9.8a
> is working fine in my tests with the local authentication server in a
> Cisco AP and also against CiscoACS. The AP I'm using is likely an older
> test version of 12.3 than 12.3.(7), so something may have been changed
> since then.
I am thinking of trying 12.3(4)JA2 just to see if there has been a change in the
newer code.
> 
>> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:illegal parameter
>> SSL: (where=0x1002 ret=0xffffffff)
>> SSL: SSL_connect:error in SSLv3 read server hello B
>> OpenSSL: tls_connection_handshake - SSL_connect error:14092105:SSL
>> routines:SSL3_GET_SERVER_HELLO:wrong cipher returned
> 
> Hmm.. It looks like the server did not advertise an acceptable cipher.
> Did you manage to run in-band PAC provisioning without any issues? Could
> you please capture the EAP packets (e.g., with ethereal on the client)
> and send me a capture log showing ClientHello and this ServerHello
> message that gets rejected?
In band PAC provisioning works fine.  Phase 1 completes and the pac file is
written.  I'll capture the ethereal logs and send them shortly.

Thank you,

michael

>  

-- 
---- ---- ----
Michael Reilly    michaelr at cisco.com
    Cisco Systems,  California