eap-fast in hostapd-0.3.7
Hangjun He
elmerhe
Wed Nov 28 02:24:51 PST 2007
Yes. I am using Juniper SBR (version 5.4) as our external AAA RADIUS server.
But it failed when I use the EAP-FAST type. It works well when I use EAP-PEAP/EAP-TLS/EAP-TTLS. All use the same username/password and the same certificates.
Error information in authreports/rejects_20071128.csv:
"Date","Time","RADIUS-Client","User-Name","Reject-Method","Reject-Reason","Reject-Log","NAS-IP-Address"
"2007-11-28","17:55:55","10.155.20.84","twang","EAP-FAST","User name or credential incorrect","Inner EAP-FAST authentication failed","10.155.20.84"
"2007-11-28","18:06:43","10.155.20.84","twang","EAP-FAST","User name or credential incorrect","Inner EAP-FAST authentication failed","10.155.20.84"
"2007-11-28","18:09:39","10.155.20.84","twang","EAP-FAST","User name or credential incorrect","Inner EAP-FAST authentication failed","10.155.20.84"
It seems the username or password is incorrect, but the same user can authenticate successfully when I use other EAP types.
Log in 20071128.log:
11/28/2007 17:25:34 Session-Timeout : Integer Value = 120
11/28/2007 17:25:34 -----------------------------------------------------------
11/28/2007 17:25:46 Looking up shared secret
11/28/2007 17:25:46 Parsing request
11/28/2007 17:25:46 NAS-IP-Address in request: 10.155.20.84
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:46 Authentication Request
11/28/2007 17:25:46 Received From: ip=10.155.20.84 port=1032
11/28/2007 17:25:46 Packet : Code = 0x1 ID = 0x0
11/28/2007 17:25:46 Client Name = 10.155.20.84 Dictionary Name = Radius.dct
11/28/2007 17:25:46 Vector =
11/28/2007 17:25:46 000: 41dd8053 f456d0d9 9a7c112b 95fadf79 |A..S.V...|.+...y|
11/28/2007 17:25:46 Parsed Packet =
11/28/2007 17:25:46 User-Name : String Value = twang
11/28/2007 17:25:46 NAS-IP-Address : IPAddress = 10.155.20.84
11/28/2007 17:25:46 NAS-Identifier : String Value = hhe.aerohive.com
11/28/2007 17:25:46 NAS-Port : Integer Value = 0
11/28/2007 17:25:46 Called-Station-Id : String Value = 00-19-77-00-00-34:hhe
11/28/2007 17:25:46 Calling-Station-Id : String Value = 00-19-E0-80-A5-5A
11/28/2007 17:25:46 Framed-MTU : Integer Value = 1500
11/28/2007 17:25:46 NAS-Port-Type : Integer Value = 19
11/28/2007 17:25:46 Connect-Info : String Value = CONNECT 11Mbps 802.11b
11/28/2007 17:25:46 EAP-Message : Value =
11/28/2007 17:25:46 000: 02030041 2b011703 01003626 968ee844 |...A+.....6&...D|
11/28/2007 17:25:46 010: 439e8114 de37e588 006d559d b813ab5c |C....7...mU....\|
11/28/2007 17:25:46 020: 12581e66 46697350 3263a88e b5abc694 |.X.fFisP2c......|
11/28/2007 17:25:46 030: 54f84858 ddaf40b3 3b2b22bc fb6bd8ab |T.HX..@.;+"..k..|
11/28/2007 17:25:46 040: 69 |i |
11/28/2007 17:25:46 State : String Value = SBR-CH 5|4
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:46 Tunneled Authentication Request
11/28/2007 17:25:46 Packet : Code = 0x1 ID = 0x0
11/28/2007 17:25:46 Client Name = LocalServer Dictionary Name = Radius.dct
11/28/2007 17:25:46 Vector =
11/28/2007 17:25:46 000: e2c1065a e9d0ebc0 8fcdfbd2 cf24d4a9 |...Z.........$..|
11/28/2007 17:25:46 Parsed Packet =
11/28/2007 17:25:46 User-Password : String Value = <suppressed>
11/28/2007 17:25:46 User-Name : String Value = twang
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:46 Determining if this radius should act as a proxy
11/28/2007 17:25:46 WINAUTH: NTSTATUS = C000006D / Win Error = 1326.
11/28/2007 17:25:46 WINAUTH: -> Logon failure: unknown user name or bad password.
11/28/2007 17:25:46 WINAUTH: LsaLogon returned 52e.
11/28/2007 17:25:46 Unable to find user twang with matching password
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:46 Tunneled Authentication Response (reject)
11/28/2007 17:25:46 Packet : Code = 0x3 ID = 0x0
11/28/2007 17:25:46 Vector =
11/28/2007 17:25:46 000: 8872c971 f70e4554 6c467fb9 df077b85 |.r.q..ETlF....{.|
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:46 Sent challenge response for user twang to client 10.155.20.84
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:46 Authentication Response
11/28/2007 17:25:46 Packet : Code = 0xb ID = 0x0
11/28/2007 17:25:46 Vector =
11/28/2007 17:25:46 000: d2d9af0c d496da3e a168fa05 9df82db6 |.......>.h....-.|
11/28/2007 17:25:46 State : String Value = SBR-CH 5|5
11/28/2007 17:25:46 EAP-Message : Value =
11/28/2007 17:25:46 000: 01040025 2b011703 01001ab7 ef9e2796 |...%+.........'.|
11/28/2007 17:25:46 010: b77eb771 1dbc648d 2c55342c 585183a6 |.~.q..d.,U4,XQ..|
11/28/2007 17:25:46 020: 4868023e 1a |Hh.>. |
11/28/2007 17:25:46 Session-Timeout : Integer Value = 108
11/28/2007 17:25:46 -----------------------------------------------------------
11/28/2007 17:25:47 Looking up shared secret
11/28/2007 17:25:47 Parsing request
11/28/2007 17:25:47 NAS-IP-Address in request: 10.155.20.84
11/28/2007 17:25:47 -----------------------------------------------------------
11/28/2007 17:25:47 Authentication Request
11/28/2007 17:25:47 Received From: ip=10.155.20.84 port=1032
11/28/2007 17:25:47 Packet : Code = 0x1 ID = 0x1
11/28/2007 17:25:47 Client Name = 10.155.20.84 Dictionary Name = Radius.dct
11/28/2007 17:25:47 Vector =
11/28/2007 17:25:47 000: a6419d6f 5cd4e3ec f8bae3d9 bf0aa611 |.A.o\...........|
11/28/2007 17:25:47 Parsed Packet =
11/28/2007 17:25:47 User-Name : String Value = twang
11/28/2007 17:25:47 NAS-IP-Address : IPAddress = 10.155.20.84
11/28/2007 17:25:47 NAS-Identifier : String Value = hhe.aerohive.com
11/28/2007 17:25:47 NAS-Port : Integer Value = 0
11/28/2007 17:25:47 Called-Station-Id : String Value = 00-19-77-00-00-34:hhe
11/28/2007 17:25:47 Calling-Station-Id : String Value = 00-19-E0-80-A5-5A
11/28/2007 17:25:47 Framed-MTU : Integer Value = 1500
11/28/2007 17:25:47 NAS-Port-Type : Integer Value = 19
11/28/2007 17:25:47 Connect-Info : String Value = CONNECT 11Mbps 802.11b
11/28/2007 17:25:47 EAP-Message : Value =
11/28/2007 17:25:47 000: 02040025 2b011703 01001a04 77422c23 |...%+.......wB,#|
11/28/2007 17:25:47 010: 276b1bff 746a0866 d727be13 93dc8599 |'k..tj.f.'......|
11/28/2007 17:25:47 020: 7a5a79b7 e5 |zZy.. |
11/28/2007 17:25:47 State : String Value = SBR-CH 5|5
11/28/2007 17:25:47 -----------------------------------------------------------
11/28/2007 17:25:47 EAP-FAST: Inner authentication failed
11/28/2007 17:25:47 User twang ultimately failed challenge sequence
11/28/2007 17:25:47 -----------------------------------------------------------
11/28/2007 17:25:47 Authentication Response (reject)
11/28/2007 17:25:47 Packet : Code = 0x3 ID = 0x1
11/28/2007 17:25:47 Vector =
11/28/2007 17:25:47 000: 7713879e 10b9af77 c55dcaed 901b3b98 |w......w.]....;.|
11/28/2007 17:25:47 EAP-Message : Value =
11/28/2007 17:25:47 000: 04040004 |.... |
11/28/2007 17:25:47 -----------------------------------------------------------
11/28/2007 17:25:47 Sent reject response
Jouni Malinen <j at w1.fi> wrote:
On Wed, Nov 28, 2007 at 09:52:40AM +0800, Hangjun He wrote:
> By the way, we are using external aaa radius server which can support eap-fast.
In that case, yes, you should be able to use this with hostapd 0.3.7.
The used EAP type is transparent to the authenticator.
EAP-FAST server support was added in 0.6.1, but that is only needed if
one were to use hostapd as the authentication server.
--
Jouni Malinen PGP id EFC895FA
_______________________________________________
HostAP mailing list
HostAP at shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
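Added example (not part of the original thread, and not SBR or hostapd code): decoding the EAP-Message hex from the log above shows that the outer packets are EAP type 43 (EAP-FAST) carrying only TLS application_data records, so the tunnel was already established and the reject came from the inner authentication. Function and variable names are hypothetical; the three byte strings are copied from the log on this page.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_FAST = 43  # 0x2b, EAP-FAST (RFC 4851)
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}

# EAP-Message values copied from the SBR log on this page (hex column only).
RESPONSE_ID3 = """02030041 2b011703 01003626 968ee844 439e8114 de37e588
006d559d b813ab5c 12581e66 46697350 3263a88e b5abc694
54f84858 ddaf40b3 3b2b22bc fb6bd8ab 69"""
REQUEST_ID4 = """01040025 2b011703 01001ab7 ef9e2796 b77eb771 1dbc648d
2c55342c 585183a6 4868023e 1a"""
FAILURE_ID4 = "04040004"

def parse_tls_records(buf):
    """Return (content_type, version, length) for each TLS record header."""
    records = []
    while len(buf) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", buf[:5])
        records.append((TLS_CONTENT.get(ctype, ctype), f"{major}.{minor}", rlen))
        buf = buf[5 + rlen:]  # a fragmented record simply ends the loop
    return records

def parse_eap(hexdump):
    """Decode the EAP header and, for EAP-FAST, the flags and TLS records."""
    data = bytes.fromhex(hexdump)  # fromhex() ignores ASCII whitespace
    if len(data) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} != {len(data)} bytes captured")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 6 and data[4] == EAP_TYPE_FAST:
        flags = data[5]
        pkt.update(type=EAP_TYPE_FAST, version=flags & 0x07,
                   more_fragments=bool(flags & 0x40), start=bool(flags & 0x20))
        body = data[10:] if flags & 0x80 else data[6:]  # L bit: skip 4-byte length
        pkt["tls"] = parse_tls_records(body)
    return pkt

def in_phase2(pkt):
    """True when the packet carries only encrypted tunnel data (handshake done)."""
    tls = pkt.get("tls", [])
    return bool(tls) and all(r[0] == "application_data" for r in tls)

if __name__ == "__main__":
    for sample in (RESPONSE_ID3, REQUEST_ID4, FAILURE_ID4):
        pkt = parse_eap(sample)
        print(pkt, "phase2" if in_phase2(pkt) else "")
```

The final packet decodes as a bare EAP-Failure (code 4, length 4), which is all the authenticator needs to act on, whatever EAP method ran inside.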