problems with WPA2 (wpa_supplicant) and EAP-TTLS

William Bulley web
Tue Feb 5 11:51:01 PST 2008

This setup has worked for me in the past!  Scenario:

     | ThinkPad T42 with D-Link DWL-G660 |
     |   (ath0) on FreeBSD 6.2-STABLE    |     xxx.yyy.zzz.74
     |   running wpa_supplicant 0.4.8    |
           802.1X     |    EAP-TTLS
   | Cisco 1131AG 802.11a/b/g AP  IOS 12.4 |   xxx.yyy.zzz.75
          EAP-TTLS    |    RADIUS
     | FreeRADIUS 1.1.7_2 on FreeBSD 7.0 |     xxx.yyy.zzz.76

Some configs are at the end of this message.  It almost
works, but wpa_supplicant exhibits a looping behaviour
when run from the command line:

 # wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf

Without "-dd" debugging, I see a repeating pattern:

   Trying to associate with 00:xx:xx:xx:xx:xx (SSID='testing' freq 2442 MHz)
   Associated with 00:xx:xx:xx:xx:xx
   CTRL-EVENT-EAP-STARTED EAP authentication started
   CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected
   CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
   CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
   ioctl[SIOCS80211, op 20, len 7]: Can't assign requested address

even though FreeRADIUS successfully authenticates my session AND
hands out an IP address (not DHCP, but I think it should work).

If not an IP address that is being requested, what could it be?
When the ath0 interface is assigned an IP address before manually
running wpa_supplicant, I see the same repeating behaviour as above.

When I add the "-dd" option to the above wpa_supplicant command, I
do get more output, but it doesn't help me to understand the problem.

Here is some proof FreeRADIUS is properly authenticating the inner
user ("foo"):

   Sending Access-Accept of id 179 to xxx.yyy.zzz.75 port 1645
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "foo\000"
        Framed-IP-Address = xxx.yyy.zzz.74
        Framed-IP-Netmask =
        EAP-Message = 0x03070004

If having FreeRADIUS hand out an IP address is not optimum, I plan
to have the access point give out IP addresses by running a DHCP
server.  While the access point has been configured (properly?) for
a DHCP server, this hasn't yet been shown to correctly do the job.

 =*=*=*=*=*=*=*=*=*= wpa_supplicant.conf =*=*=*=*=*=*=*=*=*=*=*=*=



 =*=*=*=*=*=*=*=*=*= FreeRADIUS eap.conf =*=*=*=*=*=*=*=*=*=*=*=

eap {
    default_eap_type = ttls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        cipher_list = "DEFAULT"

    md5 {

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes

Can anyone suggest what is going wrong here or offer a suggestion as
to what I should try next with wpa_supplicant?  I believe FreeRADIUS
is working properly.  Since EAP packets are flowing and since EAP is
successful (according to wpa_supplicant - see above), I also believe
that the access point is configured properly and behaving properly.



William Bulley                     Email: web at

More information about the Hostap mailing list