WPA2 Enterprise PEAP MSCHAPv2 connection problem

Jouni Malinen j
Tue Nov 17 12:54:38 PST 2009

On Sun, Nov 15, 2009 at 05:49:13PM -0500, Alistair Tonner wrote:
> I'm trying (still) to connect to a corporate wifi installation that is 
> painless on winders and is based on (afaik) cisco AP's, and a connection
> to AD across RADIUS server(s)

>         eap=PEAP
>         identity="user.name at corp.win.domain"
>         anonymous_identity="user.name"

Have you tested this without the anonymous_identity parameter? Some PEAP
servers may not like the different identity used in Phase 1 and Phase 2.

>         ca_cert2="/etc/ssl/certs/cert_from_wisma_server.cer"
>         ca_path2="/etc/ssl/certs"
>         phase2="auth=MSCHAPV2"

Since you are not using EAP-TLS in phase2, the trusted CA configuration
should be for phase1, i.e., it would be either ca_cert or ca_path.
Please also note that you can only set one of the ca_cert or ca_path
options. Anyway, I do not think that this would be the reason for the
failure (but it would reduce the security since the current
configuration would not make the client verify the server certificate).

> The following is from a connection attempt with -d and I assume is
> telling me that something is broken, but I've no idea *what* is broken.

> EAP-PEAP: Encrypting Phase 2 data - hexdump(len=34):
> [REMOVED]                                                                                                          
> SSL: 90 bytes left to be sent out (of total 90
> bytes)                                                                                                                   

> dst=00:19:2f:32:29:20                                                                                                                                         

> RTM_NEWLINK: operstate=0 ifi_flags=0x1003
> ([UP])                                                                                                                        
> RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0'
> added                                                                                                                       
> Wireless event: cmd=0x8b15 len=24   
> <SNIP>

What happened after this? This event could be disconnect event, but the
log excerpt here is not long enough to confirm that.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list