Problem in porting to PALM

Jack Yip Jack
Mon Mar 24 13:15:45 PDT 2008


Hi
 
 
This is the information of the AP:
System Software Version:  Cisco IOS Software 
 Product/Model Number: AIR-AP1242AG-A-K9  
 Top Assembly Serial Number: FTX1136B1XA  
 System Software Filename: c1240-k9w7-tar.124-3g.JA1  
 System Software Version: 12.4(3g)JA1  
 Bootloader Version: 12.3(7)JA1  
 
 
I have changed the code in the function  "tlsv1_client_set_cipher_list"
**********************************************************************************
int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers)
{
#ifdef EAP_FAST
	size_t count;
	u16 *suites;
	/* TODO: implement proper configuration of cipher suites */
	if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) {
		count = 0;
		suites = conn->cipher_suites;
/*		suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
		suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA;
		*/
		//JACK
		suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;

		conn->num_cipher_suites = count;
	}
	return 0;
#else /* EAP_FAST */
	return -1;
#endif /* EAP_FAST */
}
**********************************************************************************
 
 
 
 
 
 
And then the debug msg no longer has the line "Cipher RC4_128_SHA / TLS_DH_anon_WITH_AES_128_CBC_SHA1 not found, client may be open source". But I still have the following msg, which makes me have failed authentication.
 
 
 
*Mar  8 04:47:12.990: RADSRV EAP-FAST: Add teap client 0011.d605.2cdc
*Mar  8 04:47:12.990: RADSRV EAP-FAST:  Sending TEAP start
*Mar  8 04:47:13.134: RADSRV EAP-FAST: verify client_hello
*Mar  8 04:47:13.134: RADSRV EAP-FAST: PAC to be provisioned, parsed 49, length 49
*Mar  8 04:47:13.134: RADSRV EAP-FAST: Build (provision) Server Hello, 0011.d605.2cdc
*Mar  8 04:47:13.135: RADSRV EAP-FAST: Calculting DH Server public.. 0011.d605.2cdc
*Mar  8 04:47:13.347: RADSRV EAP-FAST: DH public number generation failed
*Mar  8 04:47:13.347: RADSRV EAP-FAST:  Sending Server Hello, 0011.d605.2cdc
*Mar  8 04:47:24.017: RADSRV EAP-FAST: verify client_finished, 0011.d605.2cdc
*Mar  8 04:47:24.017: RADSRV EAP-FAST: Calculting premaster secret..
*Mar  8 04:47:24.282: RADSRV EAP-FAST: Calculating Master secret...
*Mar  8 04:47:24.285: RADSRV EAP-FAST: sending alert level 2, desc 0
*Mar  8 04:47:24.395: RADSRV EAP-FAST:
 Alert from 0011.d605.2cdc: Fatal : code 10
*Mar  8 04:47:24.395: RADSRV EAP-FAST: Delete teap client 0011.d605.2cdc
*Mar  8 04:47:24.396: %DOT11-7-AUTH_FAILED: Station 0011.d605.2cdc Authentication failed

 
Do you have any idea about this?
Why, after calculating the master secret, does the server send back an alert level?
 
Please advise!!!
 
By the way, I am trying to see the difference between wpa_supplicant-0.5.9.tar.gz and wpa_supplicant-0.5.10.tar.gz
 
JACK
 
 

________________________________

From: hostap-bounces at lists.shmoo.com on behalf of Jouni Malinen
Sent: Tue 3/25/2008 1:32 AM
To: hostap at shmoo.com
Subject: Re: Problem in porting to PALM



On Tue, Mar 25, 2008 at 12:13:21AM +0800, Jack Yip wrote:

> I have captured the debug msg with binary packet printed out from the CISCO server.

> *Mar  8 00:24:06.587: RADSRV EAP-FAST: Add teap client 0011.d605.2cdc
> *Mar  8 00:24:06.587: RADSRV EAP-FAST: EAP-FAST pak rx:
> 01814770:       02 02000E01 616E6F6E 796D6F75     .....anonymou
> 01814780: 73                                   s              
> *Mar  8 00:24:06.587: RADSRV EAP-FAST: EAP-FAST pak tx:
> 01851070:                       0103 001A2B21            ....+!
> 01851080: 00040010 4C4F4341 4C205241 44495553  ....LOCAL RADIUS
> 01851090: 20534552                              SER           

Oh.. This is not ACS, but an internal EAP-FAST server in a Cisco AP..
Which version of the AP software (IOS) are you using?

> *Mar  8 00:24:06.588: RADSRV EAP-FAST:  Sending TEAP start
> *Mar  8 00:24:06.731: RADSRV EAP-FAST: EAP-FAST pak rx:
> 01819650:                         02 0300402B             ...@+
> 01819660: 01160301 00350100 00310301 45986005  .....5...1..E.`.
> 01819670: BDA2B8BA 4D2702EA 306B7F69 80119AE7  ="8:M'.j0k.i...g
> 01819680: BD3B975E 41E59F87 E7830B97 00000A00  =;.^Ae..g.......
> 01819690: 3A003400 1B001800 1A0100             :.4........    

Which TLS library (and which version of it) are you using in the client?

The ClientHello seems to advertise support for the following ciphers:
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_DES_CBC_SHA


> *Mar  8 00:24:06.732: RADSRV EAP-FAST: verify client_hello
> *Mar  8 00:24:06.732: RADSRV EAP-FAST: Cipher RC4_128_SHA / TLS_DH_anon_WITH_AES
> _128_CBC_SHA1 not found, client may be open source

This looks a bit odd.. RC4_128_SHA is not there (which is as expected,
since this is likely for anonymous provisioning), but
TLS_DH_anon_WITH_AES_128_CBC_SHA1 is in the list.. This looks like a bug
in the authentication server. I've seen the issue before, but I've never
seen this level of debug output from the server.. Which debug options
did you enable to get this?

If I remember correctly, the server gets confused because of one of the
ciphers and refuses to do provisioning because of this. A workaround would
be to remove most of those ciphers from ClientHello and just try to use
TLS_DH_anon_WITH_AES_128_CBC_SHA which is known to not confuse the local
authentication server..

I don't know whether this has been fixed in a newer IOS version, but it
might be worthwhile to test upgrading if a newer firmware version is
available.

> By the way, I should be  using the wpa_supplicant-0.5.9.tar.gz  for porting(not wpa_supplicant-0.5.10.tar.gz ), does it work with EAP-FAST?

Why should you use 0.5.9 instead of 0.5.10? I do not remember whether
there were any changes that could affect EAP-FAST behavior between those
versions, but in general, I would recommend using the latest available
stable version due to bug fixes included in it.

--
Jouni Malinen                                            PGP id EFC895FA
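
Added example, not part of the original thread and not code from wpa_supplicant: a bounds-checked C parser that recovers the cipher-suite list from the ClientHello in the "pak rx" dump quoted above, which is how the five advertised suites can be read off the hex. The byte array is transcribed from that dump; the function names are made up for this example, and the suite IDs are the IANA-registered values.

```c
#include <stdio.h>
#include <stdint.h>

/* Bytes from the quoted dump, starting at the TLS record header (EAP header, type 0x2B and flags omitted). */
static const uint8_t CLIENT_HELLO[] = {
    0x16,0x03,0x01,0x00,0x35, 0x01,0x00,0x00,0x31, 0x03,0x01,
    0x45,0x98,0x60,0x05,0xBD,0xA2,0xB8,0xBA,0x4D,0x27,0x02,0xEA,0x30,0x6B,0x7F,0x69,
    0x80,0x11,0x9A,0xE7,0xBD,0x3B,0x97,0x5E,0x41,0xE5,0x9F,0x87,0xE7,0x83,0x0B,0x97,
    0x00, 0x00,0x0A, 0x00,0x3A,0x00,0x34,0x00,0x1B,0x00,0x18,0x00,0x1A, 0x01,0x00
};

/* IANA names of the anonymous-DH suites named in the thread. */
const char *suite_name(uint16_t id)
{
    switch (id) {
    case 0x0018: return "TLS_DH_anon_WITH_RC4_128_MD5";
    case 0x001A: return "TLS_DH_anon_WITH_DES_CBC_SHA";
    case 0x001B: return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
    case 0x0034: return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
    case 0x003A: return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
    default:     return "unknown";
    }
}

/* Parse one TLS record that holds exactly one ClientHello and copy the offered
 * suites to out[]. Returns the suite count, or -1 on malformed/oversized input. */
int client_hello_suites(const uint8_t *p, size_t len, uint16_t *out, size_t max)
{
    size_t end, pos = 9 + 2 + 32, cs_len, n = 0;  /* pos: past version + random */
    if (len < 9 || p[0] != 0x16 || p[5] != 0x01) return -1; /* handshake, ClientHello */
    end = 9 + (((size_t)p[6] << 16) | ((size_t)p[7] << 8) | p[8]);
    if (end > len || end - 5 != (((size_t)p[3] << 8) | p[4])) return -1;
    if (pos >= end) return -1;
    pos += 1 + p[pos];                            /* skip session_id */
    if (pos + 2 > end) return -1;
    cs_len = ((size_t)p[pos] << 8) | p[pos + 1];
    pos += 2;
    if (cs_len % 2 || cs_len > end - pos || cs_len / 2 > max) return -1;
    for (; n < cs_len / 2; n++, pos += 2)
        out[n] = (uint16_t)((p[pos] << 8) | p[pos + 1]);
    return (int)n;
}

int main(void)
{
    uint16_t s[16];
    int i, n = client_hello_suites(CLIENT_HELLO, sizeof(CLIENT_HELLO), s, 16);
    for (i = 0; i < n; i++)
        printf("0x%04X %s\n", s[i], suite_name(s[i]));
    return n < 0;
}
```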