PEAPv1(EAP-GTC) config with Cisco ACS
Ben Carbery
ben.carbery
Wed Mar 4 14:49:59 PST 2009
Hi,
I am trying to get wpa_supplicant going with this setup:
Linux Laptop (Thinkpad with iwl4965agn) -> Aruba AP -> Aruba Wireless
Controller -> Cisco ACS RADIUS server (terminates EAP)
It's PEAPv1 as the passwords need to be in clear text, not MSCHAP. I have
this setup successfully working with Windows and Mac, so just trying to get
the wpa_supplicant config right. The best I can get is partial success, but
it's not clear why it's failing. I think I *may* be hitting this problem
fixed in v0.6.6:
2008-11-23 - v0.6.6
* fixed canceling of PMKSA caching when using drivers that generate
RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know
about
i.e. "RSN: no matching PMKID found" error
But my distro is still on 0.6.4. Can anyone confirm this is the
problem I am hitting? Also is my config correct for this setup?
Ben
---------------------------------------------------------------------------------------------------
# config
network={
    priority=4
    disabled=0
    ssid="WLAN-Secure"
    scan_ssid=1
    proto=WPA2
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
    pairwise=CCMP
    group=CCMP
    eap=PEAP
    identity="u4399999"
    password="password"
    # guessing about the following..
    phase1="peap_outer_success=0 peaplabel=1"
    phase2="auth=GTC"
}
---------------------------------------------------------------------------------------------------
# wpa_cli status - cycles between the following several times
wintermute ~ # wpa_cli status
Selected interface 'wlan0'
bssid=00:1a:1e:11:e5:42
ssid=WLAN-Secure
id=0
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=4WAY_HANDSHAKE
Supplicant PAE state=CONNECTING
suppPortStatus=Unauthorized
EAP state=IDLE
wintermute ~ # wpa_cli status
Selected interface 'wlan0'
bssid=00:1a:1e:97:02:71
ssid=WLAN-Secure
id=0
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=4WAY_HANDSHAKE
Supplicant PAE state=AUTHENTICATING
suppPortStatus=Unauthorized
EAP state=IDLE
selectedMethod=25 (EAP-PEAP)
EAP TLS cipher=
EAP-PEAPv1 Phase2 method=GTC
# Before the controller bars the client for number of attempts and settles on:
Selected interface 'wlan0'
wpa_state=DISCONNECTED
Supplicant PAE state=DISCONNECTED
suppPortStatus=Unauthorized
EAP state=DISABLED
selectedMethod=25 (EAP-PEAP)
EAP TLS cipher=
EAP-PEAPv1 Phase2 method=GTC
---------------------------------------------------------------------------------------------------
# connection logs
I had to remove these logs as my post got lost in moderator-land for
being too big, will update in next post if my config is correct.
B
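
Added example, not part of the original post and not wpa_supplicant project code: a small audit of a network block like the one above. With EAP-GTC the password travels as given inside the PEAP tunnel, so the check that matters is whether the server certificate is pinned by name as well as by CA. The function names are hypothetical; the sample is constructed from the posted config, and the domain_* options come from later wpa_supplicant releases than the 0.6.x discussed here.

```python
import re

# Constructed sample: trimmed copy of the network block posted above.
SAMPLE = """
network={
    ssid="WLAN-Secure"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
    eap=PEAP
    password="password"
    phase2="auth=GTC"
}
"""

# wpa_supplicant options that constrain which server certificate is accepted.
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks

def audit(net):
    """Return server-validation findings for one EAP network block."""
    if "eap" not in net:
        return []
    findings = []
    if not net.get("ca_cert"):
        findings.append("no ca_cert: server certificate is not validated")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name constraint: any certificate chaining to ca_cert is accepted")
    m = re.search(r"auth(?:eap)?=([\w-]+)", net.get("phase2", ""), re.I)
    if m and m.group(1).upper() in ("GTC", "PAP"):
        findings.append("inner method sends the password as given: the TLS tunnel is its only protection")
    return findings

if __name__ == "__main__":
    for net in parse_networks(SAMPLE):
        print(net.get("ssid"), audit(net))
```

Adding a subject_match or altsubject_match line for the RADIUS server's certificate clears the second finding; the third is inherent to GTC and is why the first two matter.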