Could not get PMK

Jouni Malinen
Fri May 23 23:26:51 PDT 2008


On Fri, May 23, 2008 at 03:29:01PM -0500, David Dudley wrote:

> OK, I've attached my hostapd.conf file, and a log from the last time I
> tried to attach a remote with wpa_supplicant.

It looks like wpa_supplicant was configured to allow any EAP method and
FreeRADIUS ended up suggesting EAP-MD5 as the first alternative and that
method does not provide keying material (MSK / PMK) like Alan mentioned.

I would recommend picking one of the EAP methods and configuring
wpa_supplicant to allow only that one to be used (eap-option in the
network block). If you want to use a password to authenticate the client
device, you could use either EAP-PEAP or EAP-TTLS. Just remember to
configure the ca_cert option in wpa_supplicant to point to a trusted CA
certificate in order to allow the client to authenticate the server,
too.


PS.

It looked like the hostapd configuration and maybe also wpa_supplicant
was set to allow WPA-Personal (PSK) to be used. Was that on purpose or
were you planning on using WPA-Enterprise (EAP) authentication for all
devices? If only EAP is going to be used, I would suggest disabling
WPA-PSK in the configuration. Similarly, if you know that all devices
support CCMP, you could disable TKIP as a pairwise cipher in the
configuration.

-- 
Jouni Malinen                                            PGP id EFC895FA
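
Added example (not part of the original message, and not hostapd/wpa_supplicant project code): a small Python check that reads wpa_supplicant network blocks and reports the points raised in the reply above: no eap restriction, EAP-MD5 allowed, missing ca_cert, WPA-PSK still enabled, TKIP still enabled. The two sample blocks, the SSID and the certificate path are constructed; where key_mgmt or pairwise is unset, the defaults documented in wpa_supplicant.conf are assumed.

```python
import re

# Constructed sample network blocks (not the poster's actual configuration).
WEAK = '''network={
    ssid="example-net"
    key_mgmt=WPA-PSK WPA-EAP
    pairwise=CCMP TKIP
}
'''
HARDENED = '''network={
    ssid="example-net"
    key_mgmt=WPA-EAP
    eap=PEAP
    pairwise=CCMP
    ca_cert="/etc/cert/ca.pem"
}
'''

def parse_blocks(text):
    """Return one {option: value} dict per network={...} block."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)^\s*\}", text, re.S | re.M):
        opts = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                opts[key.strip()] = value.strip().strip('"')
        blocks.append(opts)
    return blocks

def audit(opts):
    """List the issues from the reply that apply to one network block."""
    issues = []
    eap = opts.get("eap", "").upper().split()
    if not eap:
        issues.append("eap not set: any EAP method the server suggests may be used")
    elif "MD5" in eap:
        issues.append("EAP-MD5 allowed: provides no keying material (MSK/PMK)")
    if "ca_cert" not in opts:
        issues.append("ca_cert not set: client cannot authenticate the server")
    if "WPA-PSK" in opts.get("key_mgmt", "WPA-PSK IEEE8021X").upper().split():
        issues.append("WPA-PSK allowed: disable it if only EAP is used")
    if "TKIP" in opts.get("pairwise", "CCMP TKIP").upper().split():
        issues.append("TKIP allowed as pairwise cipher: disable if all devices do CCMP")
    return issues

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [audit(b) for b in parse_blocks(text)])
```
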



More information about the Hostap mailing list