applying openssl patch for EAP-FAST support
Paresh Sawant
paresh.sawant
Tue Nov 4 04:35:51 PST 2008
I'm using eapol_test (RADIUS client) against hostapd (RADIUS server) to test
EAP-FAST authentication.
With "fast_provisioning=1", I'm able to generate the PAC. Using the PAC, I'm
trying to get the TLS phase done, but since the opaque is invalid, the server
proposes certificate-based authentication.
The client sends the TLS alert "unexpected message" in response to the server
hello. The log is as follows:
<---------------START--------------------->
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=2 len=1403) from RADIUS server:
EAP-Request-FAST (43)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=43 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=1403) - Flags 0xc1
SSL: TLS Message Length: 1791
SSL: Need 398 bytes more input data
SSL: Building ACK (type=43 id=2 ver=1)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 02 00 06 2b 01
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=2 length=119
Attribute 1 (User-Name) length=6
Value: 'user'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02 02 00 06 2b 01
Attribute 24 (State) length=6
Value: 00 00 00 00
Attribute 80 (Message-Authenticator) length=18
Value: b5 12 8c f7 f5 9f a1 35 dd a6 96 d4 89 bc 91 5d
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 452 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=2 length=452
Attribute 24 (State) length=6
Value: 00 00 00 00
Attribute 79 (EAP-Message) length=255
Value: 01 03 01 94 2b 01 51 63 9c 55 c8 64 bc 71 e8 8d 9c 4c 25 eb 03
79 d8 56 9f 07 81 b3 fd 64 db 68 7f 67 74 2e db 57 38 50 42 a8 51 64 64 88
c8 36 7f eb 17 65 12 24 a6 52 ca ec ea 63 ce 52 be ae 74 33 fd ae 05 77 82
cd 16 a0 0f bf 8c d0 8d 5e ef 5a c0 00 dd 09 1e 71 5d 2c d4 8a 73 d8 46 3a
b0 20 18 22 ba 30 cd 88 e2 55 a3 32 f3 e9 0c 95 08 4c eb f9 0a dd e9 5a 05
5b 7f 17 77 0a 05 cd 41 3f 6f 53 00 01 02 00 80 bb 62 dc b8 20 64 bb ff 47
b1 f3 12 cc 2d 69 4b ea 7d 3d 8c 57 eb b0 ba d9 cc e5 05 d2 24 ed eb 0d 12
8d 6e e1 76 9b e0 cb ea d3 64 c0 43 b3 c4 ac 57 a9 0d 32 fa 26 b6 28 8f 88
d3 62 7e 73 79 c1 09 53 03 9a ba 5d 87 48 42 b2 34 b3 68 ce 85 b5 48 1e c5
ec 43 83 96 42 3f 93 c3 ae a2 4d 1a 65 62 f9 ca 9c 74 4a 9c 34 a9 31 4d 1d
4b 9a 74 1f ca 5f 44
Attribute 79 (EAP-Message) length=153
Value: 66 d9 81 aa b8 13 ce 95 22 13 89 9b 00 80 5a 07 cf 23 64 24 0b
23 10 0d 2f 03 2f 94 12 7f 9a 14 22 ca 51 aa 55 74 0c 49 06 a1 58 b8 cd 47
5d 53 91 c3 f5 c5 fc da a4 5b 17 23 8f 4f c5 83 7e 85 a7 b3 5a 91 6a a8 8a
85 97 87 2b 22 df 83 7e ee 68 0b bf 30 97 de a6 d4 28 31 d5 60 7c 5c 8a 0b
52 df 90 71 a0 22 a3 31 1d a5 51 1e a1 99 e9 82 28 48 f1 cc a4 1d dc 3d 0c
4f 21 39 9b 30 b3 a3 b8 ff fc 45 fe 34 93 0c e0 88 34 a7 25 30 16 03 01 00
04 0e 00 00 00
Attribute 80 (Message-Authenticator) length=18
Value: 84 99 6c 5a 96 74 1a 1d dd 10 1b 51 db 8a 0b e1
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.02 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=3 len=404) from RADIUS server:
EAP-Request-FAST (43)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=3 method=43 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=404) - Flags 0x01
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket - hexdump(len=0): [NULL]
EAP-FAST: client_random - hexdump(len=32): 49 10 40 5c 14 39 c4 0b 71 21 05
3a 13 1e 8b c1 33 a1 b6 f4 1c e2 ab 09 d5 3f c3 17 16 a5 3f 78
EAP-FAST: server_random - hexdump(len=32): 49 10 8d 4b cc 7d 9c ae f5 a5 f2
d9 e8 c5 6f 56 76 c2 68 32 9d c7 b0 6c 5f eb 64 da 23 41 be 57
EAP-FAST: master_secret - hexdump(len=48): 14 12 42 68 b8 cc 48 09 cd 92 eb
26 bd a7 b5 b1 5c a2 72 09 97 b6 1b fb fd 07 ea 80 fe ea 89 0c e6 ba 3a e0
95 f8 ea 24 e5 d4 5b 9f 8e 78 d2 f1
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
SSL: (where=0x4008 ret=0x20a)
SSL: SSL3 alert: write (local SSL3 detected an
error):fatal:unexpected_message
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read finished A
OpenSSL: tls_connection_handshake - SSL_connect error:1408E0F4:SSL
routines:SSL3_GET_MESSAGE:unexpected message
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
<---------------END--------------------->
Thanks
- Paresh
On Fri, Oct 31, 2008 at 7:10 PM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Oct 21, 2008 at 12:36:13PM +0530, Paresh Sawant wrote:
> > I tried with 0.6.4 binary too instead of building it myself, but it too
> > failed.
> >
> > I have attached here captured EAP messages by ethereal on windows (Please
> > open it using ethereal).
>
> The ClientHello looks fine to me.. How have you configured hostapd for
> anonymous DH? I.e., what is set in dh_file parameter and how did you
> create the DH parameters file?
>
> --
> Jouni Malinen PGP id EFC895FA
>
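An added example, not part of the original post and not hostapd or wpa_supplicant code: it decodes the EAP-FAST fragment headers seen in the log above (flags 0xc1, TLS Message Length 1791, 398 bytes outstanding), reassembles the server flight, and lists its handshake messages so a full handshake ending in ServerHelloDone can be told apart from an abbreviated one. The function names are hypothetical. The header values, fragment sizes and the trailing ServerHelloDone record follow the log, while the handshake bodies are constructed filler.

```python
import struct
FLAG_L, FLAG_M, VER_MASK = 0x80, 0x40, 0x07  # EAP-TLS style flags reused by EAP-FAST
HS = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange", 14: "ServerHelloDone"}

def parse_eap_fast(pkt):
    """Split one EAP-FAST packet into header fields and its TLS fragment."""
    code, ident, length, etype, flags = struct.unpack("!BBHBB", pkt[:6])
    off = 10 if flags & FLAG_L else 6  # L flag: 4-byte TLS Message Length follows
    if etype != 43 or length != len(pkt) or length < off:
        raise ValueError("not a well-formed EAP-FAST packet")
    total = struct.unpack("!I", pkt[6:10])[0] if flags & FLAG_L else None
    return {"code": code, "id": ident, "version": flags & VER_MASK,
            "more": bool(flags & FLAG_M), "total": total, "data": pkt[off:]}

def reassemble(packets):
    """Return (tls_bytes, bytes still missing after each fragment)."""
    buf, total, missing = b"", None, []
    for pkt in packets:
        p = parse_eap_fast(pkt)
        total = p["total"] if p["total"] is not None else total
        buf += p["data"]
        missing.append(0 if total is None else total - len(buf))
    if p["more"] or missing[-1] != 0:
        raise ValueError("fragment sequence incomplete or over-long")
    return buf, missing

def handshake_flight(tls):
    """List the messages in a plaintext server flight, in order."""
    out, i = [], 0
    while i < len(tls):
        ctype, _ver, rlen = struct.unpack("!BHH", tls[i:i + 5])
        body, i = tls[i + 5:i + 5 + rlen], i + 5 + rlen
        if len(body) != rlen:
            raise ValueError("truncated TLS record")
        if ctype != 22:  # 20 = ChangeCipherSpec; what follows it is encrypted
            return out + ["ChangeCipherSpec" if ctype == 20 else f"record({ctype})"]
        j = 0
        while j < len(body):  # assumes handshake messages do not span records
            out.append(HS.get(body[j], f"handshake({body[j]})"))
            j += 4 + int.from_bytes(body[j + 1:j + 4], "big")
    return out

def sample_packets():
    """Constructed fragments: header values and sizes from the log, filler bodies."""
    hs = lambda t, n: bytes([t]) + n.to_bytes(3, "big") + bytes(n)
    rec = lambda b: b"\x16\x03\x01" + len(b).to_bytes(2, "big") + b
    tls = rec(hs(2, 70) + hs(11, 1000) + hs(12, 695)) + rec(hs(14, 0))
    first = struct.pack("!BBHBBI", 1, 2, 1403, 43, 0xC1, len(tls)) + tls[:1393]
    return [first, bytes.fromhex("010301942b01") + tls[1393:]]
```

A flight that ends in ServerHelloDone is a full handshake; an abbreviated one would show ChangeCipherSpec directly after ServerHello.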