Wired network and CISCO ACS
Jouni Malinen
jkmaline
Wed Mar 29 06:34:12 PST 2006
On Wed, Mar 29, 2006 at 08:42:25AM +0200, Dario Meloni wrote:
> == Configuration
...
> eapol_flags=1
A wired connection is unlikely to distribute encryption keys, so
eapol_flags should be set to 0 or removed completely.
> EAP-PEAP: Start (server ver=1, own ver=1)
> EAP-PEAP: Using PEAP version 1
The first PEAP message from the authentication server is received
successfully.
> SSL: SSL_connect:SSLv3 write client hello A
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello A
> SSL: SSL_connect - want more data
> SSL: 101 bytes pending from ssl_out
> SSL: 101 bytes left to be sent out (of total 101 bytes)
And this is the ClientHello message from the supplicant.
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> EAPOL: SUPP_BE entering state RECEIVE
However, the server does not seem to answer it. Since you are using
Cisco ACS, I would recommend testing with include_tls_length=1 added to
the phase1 parameter. Some versions of ACS seem to require that the TLS
Message Length is in the messages even if they are not fragmented.
--
Jouni Malinen PGP id EFC895FA
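Added illustration (not part of the mail above, and not hostap project code) of what the suggested phase1="include_tls_length=1" changes on the wire. PEAP reuses the EAP-TLS framing of RFC 5216 section 3.1: a Flags byte whose L bit (0x80) announces a 4-byte TLS Message Length field before the TLS data. Normally wpa_supplicant omits that field when the TLS message fits in one EAP packet; include_tls_length=1 forces it on anyway, which is what the ACS versions mentioned above appear to need. The 101-byte ClientHello is a constructed placeholder matching the byte count in the log, not a real handshake message.

```python
"""
EAP-PEAP framing with and without the TLS Message Length field.

Layout (EAP-TLS style, RFC 5216 section 3.1, reused by PEAP):

  Code(1) Identifier(1) Length(2) Type(1)=25 Flags(1) [TLS Message Length(4)] TLS data

Flags byte: L=0x80 (TLS Message Length present), M=0x40 (more fragments),
S=0x20 (start), low three bits = PEAP version.
"""
import struct

EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_PEAP = 25
FLAG_L = 0x80
FLAG_M = 0x40
FLAG_S = 0x20
VERSION_MASK = 0x07
EAP_HDR = "!BBHBB"  # Code, Identifier, Length, Type, Flags

# Constructed stand-in for the 101-byte ClientHello from the debug log:
# a TLS 1.0 handshake record header (5 bytes) followed by 96 filler bytes.
CLIENT_HELLO = b"\x16\x03\x01" + struct.pack("!H", 96) + bytes(range(96))


def build_peap_response(identifier, tls_fragment, version=1,
                        include_tls_length=False, total_tls_length=None,
                        more=False):
    """Wrap one TLS fragment in an EAP-Response/PEAP packet.

    include_tls_length=True corresponds to phase1="include_tls_length=1":
    the L bit is set and the total TLS message length is prepended even
    when the message is not fragmented.  For the first fragment of a
    fragmented message pass include_tls_length=True, total_tls_length and
    more=True; middle fragments carry only M, the last fragment neither.
    """
    flags = version & VERSION_MASK
    body = b""
    if include_tls_length:
        flags |= FLAG_L
        total = len(tls_fragment) if total_tls_length is None else total_tls_length
        body += struct.pack("!I", total)
    if more:
        flags |= FLAG_M
    body += tls_fragment
    length = struct.calcsize(EAP_HDR) + len(body)
    return struct.pack(EAP_HDR, EAP_RESPONSE, identifier, length,
                       EAP_TYPE_PEAP, flags) + body


def parse_peap(packet):
    """Decode an EAP/PEAP packet into its header fields and TLS payload."""
    hdr_len = struct.calcsize(EAP_HDR)
    if len(packet) < hdr_len:
        raise ValueError("packet shorter than EAP/PEAP header")
    code, identifier, length, eap_type, flags = struct.unpack(EAP_HDR, packet[:hdr_len])
    if length != len(packet):
        raise ValueError("EAP Length %d does not match %d bytes on the wire"
                         % (length, len(packet)))
    if eap_type != EAP_TYPE_PEAP:
        raise ValueError("not an EAP-PEAP packet (type %d)" % eap_type)
    offset = hdr_len
    tls_msg_len = None
    if flags & FLAG_L:
        if len(packet) < offset + 4:
            raise ValueError("L flag set but TLS Message Length missing")
        (tls_msg_len,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    return {
        "code": code,
        "identifier": identifier,
        "version": flags & VERSION_MASK,
        "length_included": bool(flags & FLAG_L),
        "more": bool(flags & FLAG_M),
        "start": bool(flags & FLAG_S),
        "tls_msg_len": tls_msg_len,
        "tls_data": packet[offset:],
    }


if __name__ == "__main__":
    for label, pkt in (
        ("default (no TLS length)", build_peap_response(1, CLIENT_HELLO)),
        ("include_tls_length=1", build_peap_response(1, CLIENT_HELLO, include_tls_length=True)),
    ):
        fields = parse_peap(pkt)
        print("%-24s EAP len=%3d flags=0x%02x tls_msg_len=%s"
              % (label, len(pkt), pkt[5], fields["tls_msg_len"]))
```

Comparing the two packets in a capture is a quick way to confirm the setting took effect: with include_tls_length=1 the Flags byte for a PEAP v1 response changes from 0x01 to 0x81 and the EAP packet grows by exactly four bytes, with the TLS record starting at offset 10 instead of 6.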