how to config the eap FAST with hostapd?

Zhang Ying yudaqu
Thu Feb 9 00:52:17 PST 2012


My hostapd version is 0.6.10, and i want to use hostapd as integrated EAP
server, and support EAP FAST.

my hostapd config file is like this:


bridge=br0
interface=ath0
driver=atheros
ssid=wififast
ieee8021x=1
eap_server=1
eap_user_file=/fasttest/
hostapd.eap_user
ca_cert=/test/ca.pem
server_cert=/test/server.pem
private_key=/test/server.p12
private_key_passwd=123456
dh_file=/test/dh
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_a_id_info=fast
eap_fast_prov=3
pac_key_lifetime=604800
pac_key_refresh_time=86400
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_preauth=1
rsn_preauth_interfaces=br0


My hostapd.eap_user is :
"client_fast"       FAST
"client_fast"       MSCHAPV2   "123456"         [2].


when i use my wifi card connect to the ssid "wififast", it always failed.
This is my hostapd log file:


[--WIFI---]:Association(00:25:86:21:05:05)

ath0: STA 00:25:86:21:05:05 WPA: event 1 notification
madwifi_del_key: addr=00:25:86:21:05:05 key_idx=0


ath0: STA 00:25:86:21:05:05 IEEE 802.1X: start authentication
EAP: Server state machine created
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state IDLE
IEEE 802.1X: 00:25:86:21:05:05 CTRL_DIR entering state FORCE_BOTH
ath0: STA 00:25:86:21:05:05 WPA: start authentication

WPA: 00:25:86:21:05:05 WPA_PTK entering state INITIALIZE
madwifi_del_key: addr=00:25:86:21:05:05 key_idx=0
WPA: 00:25:86:21:05:05 WPA_PTK_GROUP entering state IDLE
WPA: 00:25:86:21:05:05 WPA_PTK entering state AUTHENTICATION
WPA: 00:25:86:21:05:05 WPA_PTK entering state AUTHENTICATION2
IEEE 802.1X: 00:25:86:21:05:05 AUTH_PAE entering state DISCONNECTED
madwifi_set_sta_authorized: addr=00:25:86:21:05:05 authorized=0
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:25:86:21:05:05 AUTH_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 1
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 231
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:25:86:21:05:05 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:25:86:21:05:05 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state REQUEST
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: Sending EAP Packet (identifier 231)
TX EAPOL - hexdump(len=23): 00 25 86 21 05 05 00 25 7a 16 02 0f 88 8e 02 00
00 05 01 e7 00 05 01
IEEE 802.1X: 20 bytes from 00:25:86:21:05:05
  IEEE 802.1X: version=1 type=0 length=16
EAP: code=2 identifier=231 length=16
(response)
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: received EAP packet (code=2 id=231
len=16) from STA: EAP Response-Identity (1)
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=231 respMethod=1 respVendor=0
respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=11):
    63 6c 69 65 6e 74 5f 66 61 73 74                  client_fast
EAP: EAP entering state SELECT_ACTION

EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 43
OpenSSL: cipher suites:
ADH-AES128-SHA:AES128-SHA:DHE-RSA-AES128-SHA:EAP(ath0[Authed]), Src Mac =
00:25:86:21:05:05 Dst Mac = 00:25:7a:16:02:0f
RC4-SHA
EAP: EAIs peap[0]
P entering stateEAP(br0[Authed]), Src Mac = 00:25:86:21:05:05 Dst Mac =
00:25:7a:16:02:0f
METHOD_REQUEST
EAP: building EAP-Request: Identifier 232
EAP-FAST: START -> PHASE1
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state REQUEST
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: Sending EAP Packet (identifier 232)

IEEE 802.1X: 172 bytes from 00:25:86:21:05:05
  IEEE 802.1X: version=1 type=0 length=168
EAP: code=2 identifier=232 length=168
(response)
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: received EAP packet (code=2 id=232
len=168) from STA: EAP Response-FAST (43)
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=232 respMethod=43 respVendor=0
respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=168) - Flags 0x01
SSL: Received packet: Flags 0x1 Message Length 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:before/accept initialization
OpenSSL: tls_hello_ext_cb: type=35 length=68
OpenSSL: ClientHello SessionTicket extension - hexdump(len=68): 00 02 00 40
1f 09 04 32 c6 b4 57 be ac 31 e2 54 f9 66 d8 2d 01 d7 ad 62 2f 26 4b 9e b9
d7 39 47 fc 78 b0 67 d1 e7 f4 d8 0b bf 0c 4f 57 9a 3e 71 99 5b dc 12 03 8c
e9 40 f2 43 f2 35 78 23 9b 0f 53 92 df da
EAP-FAST: SessionTicket callback
EAP-FAST: SessionTicket (PAC-Opaque) - hexdump(len=68): 00 02 00 40 1f 09
04 32 c6 b4 57 be ac 31 e2 54 f9 66 d8 2d 01 d7 ad 62 2f 26 4b 9e b9 d7 39
47 fc 78 b0 67 d1 e7 f4 d8 0b bf 0c 4f 57 9a 3e 71 99 5b dc 12 03 8c e9 40
f2 43 f2 35 78 23 9b 0f 53 92 df da
EAP-FAST: Received PAC-Opaque - hexdump(len=64): 1f 09 04 32 c6 b4 57 be ac
31 e2 54 f9 66 d8 2d 01 d7 ad 62 2f 26 4b 9e b9 d7 39 47 fc 78 b0 67 d1 e7
f4 d8 0b bf 0c 4f 57 9a 3e 71 99 5b dc 12 03 8c e9 40 f2 43 f2 35 78 23 9b
0f 53 92 df da
EAP-FAST: Decrypted PAC-Opaque - hexdump(len=56): [REMOVED]
EAP-FAST: PAC-Key from decrypted PAC-Opaque - hexdump(len=32): [REMOVED]
EAP-FAST: Identity from PAC-Opaque - hexdump_ascii(len=11):
    63 6c 69 65 6e 74 5f 66 61 73 74                  client_fast
EAP-FAST: client_random - hexdump(len=32): 4f 33 87 11 35 42 32 e9 18 46 a0
f3 c5 7e 38 2c f9 c4 7a 1e 33 37 2b 01 d7 38 7f ff 2a 4f 5a a8
EAP-FAST: server_random - hexdump(len=32): 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAP-FAST: master_secret - hexdump(len=48): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3 read client hello A
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3 write server hello A
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3 write change cipher spec A
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3 write finished A
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3 flush data
SSL: (where=0x2002 ret=0xffffffff)
SSL: SSL_accept:error in SSLv3 read finished A
SSL: SSL_accept - want more data
SSL: 138 bytes pending from ssl_out
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 233
SSL: Generating Request
SSL: Sending out 138 bytes (message sent completely)
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state REQUEST
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: Sending EAP Packet (identifier 233)

TX EAPOL - hexdump(len=162): 00 25 86 21 05 05 00 25 7a 16 02 0f 88 8e 02
00 00 90 01 e9 00 90 2b 01 16 03 01 00 4a 02 00 00 46 03 01 38 6d 45 af 39
c1 f4 52 3c 52 a6 b9 aa d3 46 85 a0 67 eb 44 a4 fa 86 a0 44 59 e9 36 69 9f
da 26 20 d1 ac e5 0b 6e f9 c5 45 9c 66 36 fd f4 75 48 9a 41 35 e8 ec 18 94
a8 92 a7 ce ca 7b c0 e1 60 32 00 33 00 14 03 01 00 01 01 16 03 01 00 30 7d
e4 dd 93 6d 60 29 61 8f 29 bd 9a cc 37 be dc 2d 86 ae 8b 2a ba c7 3d aa 10
c8 61 a0 b2 60 3b df 05 31 ec 43 62 69 82 3d 34 e8 d9 31 ea 8b 79


IEEE 802.1X: 17 bytes from 00:25:86:21:05:05
  IEEE 802.1X: version=1 type=0 length=13
EAP: code=2 identifier=233 length=13
(response)
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: received EAP packet (code=2 id=233
len=13) from STA: EAP Response-FAST (43)
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=233 respMethod=43 respVendor=0
respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=13) - Flags 0x01
SSL: Received packet: Flags 0x1 Message Length 0
SSL: (where=0x4004 ret=0x214)
SSL: SSL3 alert: read (remote end reported an error):fatal:bad record mac
SSL: (where=0x2002 ret=0x0)
SSL: SSL_accept:failed in SSLv3 read finished A
OpenSSL: tls_connection_server_handshake - SSL_accept error:140943FC:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad record mac
SSL: TLS processing failed
EAP-FAST: TLS processing failed
EAP-FAST: PHASE1 -> FAILURE
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=233)
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state FAIL
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: Sending EAP Packet (identifier 233)

TX EAPOL - hexdump(len=22): 00 25 86 21 05 05 00 25 7a 16 02 0f 88 8e 02 00
00 04 04 e9 00 04
IEEE 802.1X: 00:25:86:21:05:05 AUTH_PAE entering state HELD
madwifi_set_sta_authorized: addr=00:25:86:21:05:05 authorized=0
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: unauthorizing port
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: authentication failed - EAP type:
0 (Unknown)
ath0: STA 00:25:86:21:05:05 IEEE 802.1X: Supplicant used different EAP
type: 43 (FAST)
IEEE 802.1X: 00:25:86:21:05:05 BE_AUTH entering state IDLE

Wireless event: cmd=0x8c04 len=20
ath0: STA 00:25:86:21:05:05 IEEE 802.11: disassociated
ath0: STA 00:25:86:21:05:05 WPA: event 2 notification
madwifi_del_key: addr=00:25:86:21:05:05 key_idx=0


WPA: 00:25:86:21:05:05 WPA_PTK entering state DISCONNECTED



And?hostapd exit after print all of that messages.
why it can not work? can anyone help me?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20120209/aba2e121/attachment-0001.htm 



More information about the Hostap mailing list