EAP-TLS + WPA: no reply from AP
Nicolas Courtel
courtel
Thu Apr 15 08:33:46 PDT 2010
Hello all,
I'm trying to connect to an EAP-TLS + WPA network, using wpasupplicant
0.6.10 on Debian testing, and seem to get no reply from the access point.
As there is no SSL information in the output of wpasupplicant, I suppose
that it's at least part of the problem, but I can't figure out what's
going on from the information I got so far (man, FAQ, list archives,
...). So it would be nice if someone could give me a clue about what
I've done wrong.
The config file is the following:
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="Wifi-DTI"
    scan_ssid=1
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="tortu.tls.cena.fr"
    ca_cert="/etc/ssl/certs/DTI_RootCA.pem"
    client_cert="/etc/ssl/private/tortu.pem"
    private_key="/etc/ssl/private/tortu.pem"
    private_key_passwd="********"
}
The file tortu.pem contains both the certificate and the private key for
the host tortu.tls.cena.fr.
And the output with -dd is the following; after the last line, it waits
for a while, then starts again, until it quits.
Initializing interface 'wlan0' conf '/etc/wpa_supplicant/wpa.conf'
driver 'default' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa.conf' ->
'/etc/wpa_supplicant/wpa.conf'
Reading configuration file '/etc/wpa_supplicant/wpa.conf'
ctrl_interface='/var/run/wpa_supplicant'
Line: 14 - start of a new network block
ssid - hexdump_ascii(len=8):
57 69 66 69 2d 44 54 49 Wifi-DTI
scan_ssid=1 (0x1)
key_mgmt: 0x1
pairwise: 0x10
group: 0x10
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00
00 00
identity - hexdump_ascii(len=17):
74 6f 72 74 75 2e 74 6c 73 2e 63 65 6e 61 2e 66 tortu.tls.cena.f
72 r
ca_cert - hexdump_ascii(len=29):
2f 65 74 63 2f 73 73 6c 2f 63 65 72 74 73 2f 44 /etc/ssl/certs/D
54 49 5f 52 6f 6f 74 43 41 2e 70 65 6d TI_RootCA.pem
client_cert - hexdump_ascii(len=26):
2f 65 74 63 2f 73 73 6c 2f 70 72 69 76 61 74 65 /etc/ssl/private
2f 74 6f 72 74 75 2e 70 65 6d /tortu.pem
private_key - hexdump_ascii(len=26):
2f 65 74 63 2f 73 73 6c 2f 70 72 69 76 61 74 65 /etc/ssl/private
2f 74 6f 72 74 75 2e 70 65 6d /tortu.pem
private_key_passwd - hexdump_ascii(len=8): [REMOVED]
Priority group 0
id=0 ssid='Wifi-DTI'
Initializing interface (2) 'wlan0'
Interface wlan0 set UP - waiting a second for the driver to complete
initialization
SIOCGIWRANGE: WE(compiled)=22 WE(source)=14 enc_capa=0xf
capabilities: key_mgmt 0xf enc 0xf flags 0x0
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:22:43:26:4b:2b
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
RSN: flushing PMKID list in the driver
Setting scan request: 0 sec 100000 usec
WPS: UUID based on MAC address - hexdump(len=16): 59 9e 03 ef 80 8d 53
fb ad ca 9d d7 d5 f0 58 99
WPS: Build Beacon and Probe Response IEs
WPS: * Version
WPS: * Wi-Fi Protected Setup State (0)
WPS: * Version
WPS: * Wi-Fi Protected Setup State (0)
WPS: * Response Type (2)
WPS: * UUID-E
WPS: * Manufacturer
WPS: * Model Name
WPS: * Model Number
WPS: * Serial Number
WPS: * Primary Device Type
WPS: * Device Name
WPS: * Config Methods (0)
WPS: * RF Bands (3)
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Added interface wlan0
RTM_NEWLINK: operstate=0 ifi_flags=0x1002 ()
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
RTM_NEWLINK: operstate=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
RTM_NEWLINK: operstate=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
State: DISCONNECTED -> SCANNING
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=8):
57 69 66 69 2d 44 54 49 Wifi-DTI
Trying to get current scan results first without requesting a new scan
to speed up initial association
Failed to get scan results
Failed to get scan results - try scanning again
Setting scan request: 0 sec 0 usec
Starting AP scan (broadcast SSID)
Scan requested (ret=0) - scan timeout 5 seconds
EAPOL: disable timer tick
Scan timeout - try to get results
Received 1260 bytes of scan results (11 BSSes)
New scan results available
Selecting BSS from priority group 0
Try to find WPA-enabled AP
0: 00:1d:7e:a0:65:6a ssid='Wifi-DTI' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
selected based on WPA IE
selected WPA AP 00:1d:7e:a0:65:6a ssid='Wifi-DTI'
Trying to associate with 00:1d:7e:a0:65:6a (SSID='Wifi-DTI' freq=2457 MHz)
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
WPA: using IEEE 802.11i/D3.0
WPA: Selected cipher suites: group 16 pairwise 16 key_mgmt 1 proto 1
WPA: set AP WPA IE - hexdump(len=26): dd 18 00 50 f2 01 01 00 00 50 f2
04 01 00 00 50 f2 04 01 00 00 50 f2 01 00 00
WPA: clearing AP RSN IE
WPA: using GTK CCMP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=24): dd 16 00 50 f2 01 01 00
00 50 f2 04 01 00 00 50 f2 04 01 00 00 50 f2 01
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: SCANNING -> ASSOCIATING
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
wpa_driver_wext_set_psk
Setting authentication timeout: 10 sec 0 usec
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
Wireless event: cmd=0x8b04 len=12
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
Wireless event: cmd=0x8c07 len=52
AssocReq IE wireless event - hexdump(len=44): 00 08 57 69 66 69 2d 44 54
49 01 08 82 84 8b 96 a4 b0 c8 ec dd 16 00 50 f2 01 01 00 00 50 f2 04 01
00 00 50 f2 04 01 00 00 50 f2 01
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:1d:7e:a0:65:6a
Association info event
req_ies - hexdump(len=44): 00 08 57 69 66 69 2d 44 54 49 01 08 82 84 8b
96 a4 b0 c8 ec dd 16 00 50 f2 01 01 00 00 50 f2 04 01 00 00 50 f2 04 01
00 00 50 f2 01
WPA: set own WPA/RSN IE - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50
f2 04 01 00 00 50 f2 04 01 00 00 50 f2 01
State: ASSOCIATING -> ASSOCIATED
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
Associated to a new BSS: BSSID=00:1d:7e:a0:65:6a
No keys have been configured - skip key clearing
Associated with 00:1d:7e:a0:65:6a
WPA: Association event - clear replay counter
WPA: Clear old PTK
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: enable timer tick
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=00:1d:7e:a0:65:6a
TX EAPOL - hexdump(len=4): 01 01 00 00
RX EAPOL from 00:1d:7e:a0:65:6a
RX EAPOL - hexdump(len=9): 01 00 00 05 01 00 00 05 01
Setting authentication timeout: 70 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=17):
74 6f 72 74 75 2e 74 6c 73 2e 63 65 6e 61 2e 66 tortu.tls.cena.f
72 r
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=00:1d:7e:a0:65:6a
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 74 6f 72 74 75 2e
74 6c 73 2e 63 65 6e 61 2e 66 72
EAPOL: SUPP_BE entering state RECEIVE
[...]
Authentication with 00:1d:7e:a0:65:6a timed out.
Added BSSID 00:1d:7e:a0:65:6a into blacklist
Thanks for your help,
--
Nicolas
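
The TX/RX EAPOL hexdumps in the log above can be decoded to see how far the 802.1X exchange got before the timeout. This is an added example, not part of the original post or of wpa_supplicant; the function names are hypothetical and SAMPLE_LOG is constructed from the TX/RX lines quoted in the log.

```python
import re

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
HEXDUMP = re.compile(r"^(TX|RX) EAPOL - hexdump\(len=(\d+)\):((?: [0-9a-f]{2})*)\s*$")
HEX_ONLY = re.compile(r"^[0-9a-f]{2}(?: [0-9a-f]{2})*\s*$")

# Constructed sample: EAPOL lines copied from the log above, mailer line wrap included.
SAMPLE_LOG = """\
TX EAPOL - hexdump(len=4): 01 01 00 00
RX EAPOL - hexdump(len=9): 01 00 00 05 01 00 00 05 01
TX EAPOL - hexdump(len=26): 01 00 00 16 02 00 00 16 01 74 6f 72 74 75 2e
74 6c 73 2e 63 65 6e 61 2e 66 72
Authentication with 00:1d:7e:a0:65:6a timed out.
"""

def extract_frames(log):
    """Return [(direction, frame_bytes)], rejoining hexdumps wrapped across lines."""
    frames, cur = [], None
    for line in log.splitlines():
        m = HEXDUMP.match(line)
        if m:
            cur = [m.group(1), int(m.group(2)), bytes.fromhex(m.group(3))]
            frames.append(cur)
        elif cur and len(cur[2]) < cur[1] and HEX_ONLY.match(line):
            cur[2] += bytes.fromhex(line)  # continuation of a wrapped hexdump
        else:
            cur = None
    # Keep only complete dumps that hold at least the 4-byte 802.1X header.
    return [(d, data) for d, n, data in frames if len(data) == n >= 4]

def decode(frame):
    """Describe one frame: 802.1X header (version, type, length), then EAP if type 0."""
    name = EAPOL_TYPES.get(frame[1], f"EAPOL type {frame[1]}")
    eap = frame[4:4 + int.from_bytes(frame[2:4], "big")]
    if frame[1] != 0 or len(eap) < 4:
        return name
    desc = f"EAP-{EAP_CODES.get(eap[0], eap[0])} id={eap[1]}"
    if eap[0] in (1, 2) and len(eap) >= 5:  # only Request/Response carry a type byte
        desc += " " + EAP_METHODS.get(eap[4], f"type {eap[4]}")
        if eap[4] == 1 and len(eap) > 5:
            desc += f" '{eap[5:].decode('ascii', 'replace')}'"
    return desc

def summarize(log):  # one description per EAPOL frame, in log order
    return [f"{d} {decode(f)}" for d, f in extract_frames(log)]

def tls_started(log):  # True once an EAP Request/Response of type 13 appears
    return any("EAP-TLS" in s for s in summarize(log))
```

On the lines shown, the last frame is the supplicant's EAP-Response/Identity and no EAP type 13 request follows it, which matches the absence of any TLS output before the timeout.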