problems with WPA2 (wpa_supplicant) and EAP-TTLS
William Bulley
web
Tue Feb 5 11:51:01 PST 2008
This setup has worked for me in the past! Scenario:
      +-----------------------------------+
      | ThinkPad T42 with D-Link DWL-G660 |
      | (ath0) on FreeBSD 6.2-STABLE      |  xxx.yyy.zzz.74
      | running wpa_supplicant 0.4.8      |
      +-----------------------------------+
                        ^
               802.1X   |   EAP-TTLS
                        v
    +---------------------------------------+
    | Cisco 1131AG 802.11a/b/g AP IOS 12.4  |  xxx.yyy.zzz.75
    +---------------------------------------+
                        ^
             EAP-TTLS   |   RADIUS
                        v
      +-----------------------------------+
      | FreeRADIUS 1.1.7_2 on FreeBSD 7.0 |  xxx.yyy.zzz.76
      +-----------------------------------+
Some configs are at the end of this message. It almost
works, but wpa_supplicant exhibits a looping behaviour
when run from the command line:
# wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf
Without "-dd" debugging, I see a repeating pattern:
Trying to associate with 00:xx:xx:xx:xx:xx (SSID='testing' freq 2442 MHz)
Associated with 00:xx:xx:xx:xx:xx
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
ioctl[SIOCS80211, op 20, len 7]: Can't assign requested address
even though FreeRADIUS successfully authenticates my session AND
hands out an IP address (not DHCP, but I think it should work).
If it is not an IP address that is being requested, what could it be?
When the ath0 interface is assigned an IP address before manually
running wpa_supplicant, I see the same repeating behaviour as above.
When I add the "-dd" option to the above wpa_supplicant command, I
do get more output, but it doesn't help me to understand the problem.
Here is some proof FreeRADIUS is properly authenticating the inner
user ("foo"):
Sending Access-Accept of id 179 to xxx.yyy.zzz.75 port 1645
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "foo\000"
        Framed-IP-Address = xxx.yyy.zzz.74
        Framed-IP-Netmask = 255.255.255.128
        EAP-Message = 0x03070004
If having FreeRADIUS hand out an IP address is not optimum, I plan
to have the access point give out IP addresses by running a DHCP
server. While the access point has been configured (properly?) for
a DHCP server, this hasn't yet been shown to correctly do the job.
=*=*=*=*=*=*=*=*=*= wpa_supplicant.conf =*=*=*=*=*=*=*=*=*=*=*=*=

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
        ssid="testing"
        bssid=00:xx:xx:xx:xx:xx
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="anonymous"
        identity="foo"
        password="password"
        phase2="auth=MD5"
}
=*=*=*=*=*=*=*=*=*= FreeRADIUS eap.conf =*=*=*=*=*=*=*=*=*=*=*=

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes

        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
                cipher_list = "DEFAULT"
        }

        md5 {
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}
Can anyone suggest what is going wrong here or offer a suggestion as
to what I should try next with wpa_supplicant? I believe FreeRADIUS
is working properly. Since EAP packets are flowing and since EAP is
successful (according to wpa_supplicant - see above), I also believe
that the access point is configured properly and behaving properly.
Regards,
web...
--
William Bulley Email: web at umich.edu
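Added example, not part of the original post and not code from wpa_supplicant or FreeRADIUS: a small Python script that does two things with the material quoted in the message. First, it scans the repeating wpa_supplicant event output and reports how many EAP successes were followed by a disconnect without the supplicant ever reporting a completed connection, plus the ioctl errors seen, which separates "RADIUS rejected me" from "EAP succeeded but key handling failed afterwards". Second, it parses the wpa_supplicant.conf network block and flags the client-side settings a reviewer would question: with no ca_cert (or ca_path) wpa_supplicant does not verify the RADIUS server's certificate, the EAP-MD5 inner method adds no mutual authentication of its own, and the password sits in clear text. The sample log and config strings are constructed copies of the lines in the post; the function names, the CTRL-EVENT-CONNECTED check and the wording of the findings are this example's own assumptions.

```python
"""Added example (not from the original post, wpa_supplicant or FreeRADIUS):
checks over the wpa_supplicant event output and the wpa_supplicant.conf
network block quoted in the message. Inputs are constructed copies of the
quoted lines; function names are assumptions of this example."""
import re
from collections import Counter

# Constructed copy of the repeating wpa_supplicant output quoted in the post
# (two cycles of the pattern).
SAMPLE_LOG = """\
Trying to associate with 00:xx:xx:xx:xx:xx (SSID='testing' freq 2442 MHz)
Associated with 00:xx:xx:xx:xx:xx
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
ioctl[SIOCS80211, op 20, len 7]: Can't assign requested address
""" * 2

IOCTL_RE = re.compile(r"ioctl\[(\w+), op (\d+), len (\d+)\]: (.*)")


def analyse_log(text):
    """Summarise one wpa_supplicant run: number of EAP successes, how many of
    them were followed by a disconnect before a CTRL-EVENT-CONNECTED line
    (assumed here to mark a completed connection), and ioctl errors seen."""
    eap_success = connected = success_then_disconnect = 0
    ioctl_errors = Counter()
    pending = False  # EAP-SUCCESS seen since the last (re)association
    for line in text.splitlines():
        if line.startswith("Associated with"):
            pending = False
        elif line.startswith("CTRL-EVENT-EAP-SUCCESS"):
            eap_success += 1
            pending = True
        elif line.startswith("CTRL-EVENT-CONNECTED"):
            connected += 1
            pending = False
        elif line.startswith("CTRL-EVENT-DISCONNECTED"):
            if pending:
                success_then_disconnect += 1
            pending = False
        else:
            m = IOCTL_RE.match(line)
            if m:
                ioctl_errors[(m.group(1), int(m.group(2)), m.group(4))] += 1
    return {
        "eap_success": eap_success,
        "connected": connected,
        "success_then_disconnect": success_then_disconnect,
        "ioctl_errors": dict(ioctl_errors),
        # Every EAP success ended in a disconnect and the link never came up:
        # the problem is after EAP (key negotiation/installation), not RADIUS.
        "post_eap_loop": (eap_success > 0 and connected == 0
                          and success_then_disconnect == eap_success),
    }


# Constructed copy of the wpa_supplicant.conf network block from the post.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
    ssid="testing"
    bssid=00:xx:xx:xx:xx:xx
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="foo"
    password="password"
    phase2="auth=MD5"
}
"""


def parse_networks(text):
    """Return the network={...} blocks as dicts; surrounding quotes are
    stripped from values and anything after '#' is treated as a comment."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)  # phase2="auth=MD5" keeps its inner '='
            cur[key.strip()] = val.strip().strip('"')
    return nets


def lint_network(net):
    """Flag settings in an EAP network block that weaken the client side."""
    findings = []
    tunnelled = net.get("eap") in ("TTLS", "PEAP")
    if tunnelled and not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: wpa_supplicant will not verify the "
                        "server certificate, so the inner credentials go to any "
                        "server that completes the TLS handshake")
    if net.get("eap") == "TTLS" and net.get("phase2") == "auth=MD5":
        findings.append("phase2 auth=MD5: EAP-MD5 inside TTLS adds no mutual "
                        "authentication; it relies entirely on the outer "
                        "server check above")
    if "password" in net:
        findings.append("password is stored in clear text: keep the file "
                        "readable only by root (chmod 600)")
    return findings


if __name__ == "__main__":
    print(analyse_log(SAMPLE_LOG))
    for net in parse_networks(SAMPLE_CONF):
        for finding in lint_network(net):
            print("-", finding)
```

On the quoted output the summary reports two EAP successes, two success-then-disconnect cycles, no connected event and the SIOCS80211 error twice, which matches the poster's own reading that RADIUS is fine and the trouble starts after EAP. The linter's first finding is the one worth fixing regardless of the loop: adding ca_cert to the network block is what makes the TTLS tunnel terminate only at the intended RADIUS server.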