WPA - AP Association Issue

Jouni Malinen j
Wed Nov 21 20:46:09 PST 2007


On Wed, Nov 21, 2007 at 09:11:38AM +0530, Mr. Maloomnahi wrote:

> There is no specific reason why I have selected SAKE, AKA, SIM, PAX as phase 2 stuff behind TTLS / PEAP. 
> 
> I wanted to test all possible combinations especially with respect to EAP methods with TKIP or CCMP.

Taking into account that I've never tested SAKE/AKA/SIM/PAX as phase 2
methods, I would not claim any support for them in the current
implementation.

> The issue is that these do not work as phase 1 either. SIM and AKA are but obvious because of the absence of a smartcard. But at least SAKE / PAX should have worked.

Yes, it sounds like the configuration for SAKE and PAX may be incorrect.
They have worked fine in my tests when used as the main EAP method.

> 1] Why does hostapd keep asking for the vendor method 13 [TLS]?

I would assume you are using hostapd as a RADIUS server. It will first
try to start the EAP method you have configured as the first entry for
the provided user identity. If the supplicant refuses (EAP-Nak) that
method, it will ask for another one and hostapd will accept the other
method if it was enabled in the eap_user configuration file.

> 2] Since TTLS, PEAP all have been selected during the build, why is it not asking for other methods?

It will accept them if the client asks for them and they are enabled in
user configuration.

> 3] How do we change the setting from TLS to TTLS or PEAP or others at hostapd?

Which settings? Identities and passwords are set in the hostapd.eap_user
file.

> 4] Does hostapd automatically consider all EAP methods for association?

hostapd will use methods that are enabled for the user (based on the
identity) in hostapd.eap_user.

-- 
Jouni Malinen                                            PGP id EFC895FA
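
The method selection described in the reply above, as an added example that is not part of the original message and is not hostapd code: a simplified Python model that parses eap_user-style entries and replays the EAP-Nak fallback. The sample entries and identities are constructed, and the first-match and server-order rules are assumptions of the model.

```python
import shlex

# Constructed sample in hostapd.eap_user syntax (not from the thread):
# identity, method list, optional password, optional [2] = phase 2 entry.
SAMPLE_EAP_USER = '''
"pax-user"  PAX       0123456789abcdef0123456789abcdef
"alice"     TLS,TTLS,PEAP
*           PEAP,TTLS
"alice"     MSCHAPV2  "secret"  [2]
'''

def parse_eap_user(text):
    """Return (identity, methods, is_phase2) tuples in file order."""
    entries = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 2:
            entries.append((fields[0], fields[1].split(","), "[2]" in fields[2:]))
    return entries

def methods_for(entries, identity, phase2=False):
    """Model assumption: first matching entry wins; '*' matches any identity."""
    for ident, methods, is_p2 in entries:
        if is_p2 == phase2 and ident in (identity, "*"):
            return methods
    return []

def negotiate(entries, identity, peer_supports):
    """Return (agreed method or None, message log) for the phase 1 exchange."""
    enabled = methods_for(entries, identity)
    if not enabled:
        return None, ["server: EAP-Failure (identity not configured)"]
    log = ["server: EAP-Request/" + enabled[0]]
    if enabled[0] in peer_supports:
        return enabled[0], log
    log.append("peer: EAP-Nak, wants " + ",".join(peer_supports))
    for method in enabled[1:]:  # model: walk the server's list in order
        if method in peer_supports:
            return method, log + ["server: EAP-Request/" + method]
    return None, log + ["server: EAP-Failure (no common enabled method)"]

if __name__ == "__main__":
    users = parse_eap_user(SAMPLE_EAP_USER)
    for who, peer in [("alice", ["PEAP"]), ("pax-user", ["PAX"]), ("bob", ["TLS"])]:
        method, log = negotiate(users, who, peer)
        print(who, "->", method, "|", " / ".join(log))
```

For "alice" the first request is always TLS because TLS is listed first for that identity, which is the behaviour asked about in question 1.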



