Is there any inter-operating tests experience with "BridgeWater Systems's AAA Server"?

Jouni Malinen
Mon Feb 4 18:52:12 PST 2008

On Mon, Feb 04, 2008 at 05:28:50PM +0800, Macpaul Lin wrote:

> I've used wpa-supplicant-0.5.7 to test EAP-TTLS/TLS with AAA Server
> which was developed by "BridgeWater Systems".

> However, EAP-TLS always failed right away when "Client CA" and "Change
> cipher spec option" were sent by Auth client.

Could you please send me debug log from wpa_supplicant showing this

> AAA server (Bridgewater Systems's solution) will show log on its own
> terminal "decrypt error". Then AAA server will respond with Auth Complete
> EAP packet with "Error code" then close the EAP connections.

Unfortunately, that does not sound like a very helpful error code..

> I've logged EAP-TLS handshaking messages.

Would it be possible for you to send me packet capture logs (e.g., with
Wireshark or tcpdump) that show both a successful EAP-TLS handshake with
another supplicant and the failed one from wpa_supplicant test?

I'm not familiar with this AAA server, but in general, EAP-TLS is one of
the most interoperable EAP methods available.. It has worked with every
server I've tested with so far. As such, I would suspect that there
could be something wrong in the client configuration as far as the
certificate setup is concerned, but the "decrypt error" would not sound
like something that a server would likely show in such a case..

Do you use any complex certificate configurations (i.e., multiple CAs
and different intermediate CAs for the server and client, etc.)?

Jouni Malinen                                            PGP id EFC895FA
