problems with WPA2 (wpa_supplicant) and EAP-TTLS

Jouni Malinen j
Tue Feb 5 18:34:41 PST 2008

On Tue, Feb 05, 2008 at 02:51:01PM -0500, William Bulley wrote:

> Some configs are at the end of this message.  It almost
> works, but wpa_supplicant exhibits a looping behaviour
> when run from the command line:

> Without "-dd" debugging, I see a repeating pattern:

Could you please send me a debug log with -dd on the command line to
show what happens after EAP authentication?

> even though FreeRADIUS successfully authenticates my session AND
> hands out an IP address (not DHCP, but I think it should work).

EAP authentication or WPA does not have anything to do with IP address.
This is a separate step that can happen only after successfully
completed WPA key handshake. The non-debug output from wpa_supplicant
was not detailed enough to indicate what exactly is happening here, but
it looks like the WPA key handshake was not completed successfully and
as such, no DHCP packets, or any other IP traffic for that matter, could
flow between the AP and the client.

> If having FreeRADIUS hand out an IP address is not optimum, I plan
> to have the access point give out IP addresses by running a DHCP
> server.  While the access point has been configured (properly?) for
> a DHCP server, this hasn't yet been shown to correctly do the job.

The IP address from RADIUS server does not reach the client anyway, so
yes, you will need to have something like DHCP to take care of this. The
RADIUS attribute could just be used to notify NAS (the AP/Authenticator
in this case) of the IP address that could be assigned with DHCP.

> network={
>     eap=TTLS
>     phase2="auth=MD5"

That auth=MD5 is not a valid parameter for EAP-TTLS. If you want to use
EAP-MD5 as the inner authentication method with EAP-TTLS, phase2 should
be set to "autheap=MD5".

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list