integrated eap server

Phani Kumar Kancharala kancharlaphanikumar
Tue May 13 06:05:00 PDT 2008


What I got from your dump is that there is a mismatch in EAP methods.
I think you have to enable TLS in the .config of hostapd and recompile;
only then does hostap support TLS.
You may need to add the authentication method in hostapd.conf, e.g.:
wpa_pairwise = TKIP.

On Sun, May 11, 2008 at 5:27 PM, ali asin <ali.asin at gmail.com> wrote:

> Hi all!
> I'm trying to set up a hostap (version updated today) with wpa-eap with
> TLS with integrated EAP instead of Radius (a very simple configuration).
> However, I've been trying without success, and I don't know what else I can do.
>
> My hostapd.conf looks like (I only quote the lines related to wpa):
> ieee8021x=1
> wpa=3
> eap_server=1
> eap_user_file=user_file
> ca_cert=/etc/cert/cacert.pem
> server_cert=/etc/cert/newcert.pem (includes private key in cert).
> private_key_passwd="password"
> wpa_key_mgmt=EAP
> auth_algs=3
>
> And the wpa_supplicant.conf:
> ctrl_interface=/var/run/wpa_supplicant
> eapol_version=2
> ap_scan=1
> network={
>         ssid="prueba"
>         proto=WPA
>         key_mgmt=WPA-EAP
>         pairwise=TKIP
>         group=TKIP
>         eap=TLS
>         identity="cucu at test.com"
>         ca_cert="cacert.pem"
>         client_cert="newcert.pem"
>         private_key="newkey.pem"
>         private_key_passwd="password"
> }
>
> The output from hostapd is:
> eapol_version=2
> TLS: Trusted root certificate(s) loaded
> madwifi_set_privacy: enabled=0
> madwifi_sta_deauth: Failed to deauth STA (addr ff:ff:ff:ff:ff:ff reason 3)
> Could not connect to kernel driver.
> Using interface ath0 with hwaddr 00:15:6d:63:a6:45 and ssid 'prueba'
> madwifi_set_ieee8021x: enabled=1
> madwifi_configure_wpa: group key cipher=1
> madwifi_configure_wpa: pairwise key ciphers=0xa
> madwifi_configure_wpa: key management algorithms=0x1
> madwifi_configure_wpa: rsn capabilities=0x0
> madwifi_configure_wpa: enable WPA=0x3
> WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
> GMK - hexdump(len=32): [REMOVED]
> GTK - hexdump(len=32): [REMOVED]
> WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
> madwifi_set_key: alg=TKIP addr=00:00:00:00:00:00 key_idx=1
> madwifi_set_privacy: enabled=1
> madwifi_set_iface_flags: dev_up=1
> ath0: Setup of interface done.
> l2_packet_receive - recvfrom: Network is down
> Wireless event: cmd=0x8b1a len=15
> Wireless event: cmd=0x8c03 len=20
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.11: associated
>   New STA
> ath0: STA 00:0b:6b:80:c8:8e WPA: event 1 notification
> madwifi_del_key: addr=00:0b:6b:80:c8:8e key_idx=0
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: start authentication
> EAP: State machine created
> IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_KEY_TX entering state NO_KEY_TRANSMIT
> IEEE 802.1X: 00:0b:6b:80:c8:8e KEY_RX entering state NO_KEY_RECEIVE
> IEEE 802.1X: 00:0b:6b:80:c8:8e CTRL_DIR entering state IN_OR_BOTH
> IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state IDLE
> IEEE 802.1X: 00:0b:6b:80:c8:8e KEY_RX entering state NO_KEY_RECEIVE
> IEEE 802.1X: 00:0b:6b:80:c8:8e CTRL_DIR entering state FORCE_BOTH
> IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e KEY_RX entering state NO_KEY_RECEIVE
> ath0: STA 00:0b:6b:80:c8:8e WPA: start authentication
> WPA: 00:0b:6b:80:c8:8e WPA_PTK entering state INITIALIZE
> madwifi_del_key: addr=00:0b:6b:80:c8:8e key_idx=0
> WPA: 00:0b:6b:80:c8:8e WPA_PTK_GROUP entering state IDLE
> WPA: 00:0b:6b:80:c8:8e WPA_PTK entering state AUTHENTICATION
> WPA: 00:0b:6b:80:c8:8e WPA_PTK entering state AUTHENTICATION2
> IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state DISCONNECTED
> madwifi_set_sta_authorized: addr=00:0b:6b:80:c8:8e authorized=0
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: unauthorizing port
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 28 bytes from 00:0b:6b:80:c8:8e
>    IEEE 802.1X: version=2 type=0 length=24
>    EAP: code=2 identifier=103 length=24 (response)
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: received EAP packet (code=2
> id=103 len=24) from STA: EAP Response-Identity (1)
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: STA identity 'cucu at test
> .com'
> IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state RESPONSE
> EAP: EAP-Response received - hexdump(len=24): 02 67 00 18 01 61 6c 69 63
> 69 61 40 6c 69 62 65 6c 69 75 6d 2e 63 6f 6d
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> EAP: EAP entering state RECEIVED
> EAP: parseEapResp: rxResp=1 respId=103 respMethod=1 respVendor=0
> respVendorMethod=0
> EAP: EAP entering state INTEGRITY_CHECK
> EAP: EAP entering state METHOD_RESPONSE
> EAP-Identity: Peer identity - hexdump_ascii(len=19):
>      61 6c 69 63 69 61 40 6c 69 62 65 6c 69 75 6d 2e   cucu at test.
>      63 6f 6d                                          com
> EAP: EAP entering state SELECT_ACTION
> EAP: getDecision: another method available -> CONTINUE
> EAP: EAP entering state PROPOSE_METHOD
> EAP: getNextMethod: vendor 0 type 13
> EAP: EAP entering state METHOD_REQUEST
> EAP: building EAP-Request: Identifier 104
> EAP: EAP entering state SEND_REQUEST
> EAP: eapReqData -> EAPOL - hexdump(len=6): 01 68 00 06 0d 20
> EAP: EAP entering state IDLE
> IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state REQUEST
> IEEE 802.1X: Sending EAP Packet to 00:0b:6b:80:c8:8e (identifier 104)
> TX EAPOL - hexdump(len=24): 00 0b 6b 80 c8 8e 00 15 6d 63 a6 45 88 8e 02
> 00 00 06 01 68 00 06 0d 20
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 10 bytes from 00:0b:6b:80:c8:8e
>    IEEE 802.1X: version=2 type=0 length=6
>    EAP: code=2 identifier=104 length=6 (response)
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: received EAP packet (code=2
> id=104 len=6) from STA: EAP Response-Nak (3)
> IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state RESPONSE
> EAP: EAP-Response received - hexdump(len=6): 02 68 00 06 03 00
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> EAP: EAP entering state RECEIVED
> EAP: parseEapResp: rxResp=1 respId=104 respMethod=3 respVendor=0
> respVendorMethod=0
> EAP: EAP entering state NAK
> EAP: processing NAK (current EAP method index 1)
> EAP: configured methods - hexdump(len=64): 00 00 00 00 0d 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00
> EAP: list of methods supported by the peer - hexdump(len=1): 00
> EAP: new list of configured methods - hexdump(len=64): 00 00 00 00 0d 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00
> EAP: EAP entering state SELECT_ACTION
> *EAP: getDecision: no more methods available -> FAILURE*
> EAP: EAP entering state FAILURE
> EAP: Building EAP-Failure (id=104)
> EAP: eapReqData -> EAPOL - hexdump(len=4): 04 68 00 04
> IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state FAIL
> IEEE 802.1X: Sending EAP Packet to 00:0b:6b:80:c8:8e (identifier 104)
> TX EAPOL - hexdump(len=22): 00 0b 6b 80 c8 8e 00 15 6d 63 a6 45 88 8e 02
> 00 00 04 04 68 00 04
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state HELD
> madwifi_set_sta_authorized: addr=00:0b:6b:80:c8:8e authorized=0
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: unauthorizing port
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: authentication failed - EAP type:
> 0 (Unknown)
> ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: Supplicant used different EAP
> type: 3 (Nak)
> IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state IDLE
> IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
> (and an infinite loop with this message)
>
> It seems the failure is in the bold line, but I don't know why...
>
> Any idea about this? Does anybody get to set up this configuration?
> Thanks in advance!
> Alicia
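
As an added example (not part of the original thread and not hostapd code), here is a small decoder for the three EAP hexdumps in the quoted debug output. It shows that the station answered the server's EAP-TLS request (type 13) with a Nak whose method list is the single byte 00, which RFC 3748 defines as "no alternative", so the server is left with no method to propose. The function names are made up for this example.

```python
import struct

# EAP codes and a few method types (RFC 3748; type 13 is EAP-TLS, RFC 5216)
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
         13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # Length, More, Start


def parse_eap(hexdump):
    """Decode one EAP packet given as the spaced hex bytes hostapd prints."""
    pkt = bytes.fromhex(hexdump)
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:       # only Request/Response carry a type
        etype, data = pkt[4], pkt[5:length]
        out["type"] = TYPES.get(etype, etype)
        if etype == 3:
            # Legacy Nak: each byte is a method the peer would accept instead;
            # a value of 0 means the peer offers no alternative.
            out["peer_wants"] = [TYPES.get(t, t) for t in data if t != 0]
        elif etype == 13 and data:
            out["tls_flags"] = [n for bit, n in TLS_FLAGS if data[0] & bit]
    return out


def negotiate(server_methods, nak):
    """Methods the server can still propose after processing a Nak."""
    wanted = nak.get("peer_wants", [])
    return [m for m in server_methods if m in wanted]


# Hex bytes copied from the hostapd debug output quoted above
REQ = parse_eap("01 68 00 06 0d 20")   # eapReqData sent with identifier 104
NAK = parse_eap("02 68 00 06 03 00")   # station's reply to that request
FAIL = parse_eap("04 68 00 04")        # what hostapd sends next

if __name__ == "__main__":
    for p in (REQ, NAK, FAIL):
        print(p)
    # The server only has TLS configured, and the peer accepted nothing:
    print("methods left:", negotiate(["TLS"], NAK))
```

The empty result from `negotiate` corresponds to the "no more methods available -> FAILURE" line in the log.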