EAP-FAST error with Cisco ACS 5.2 and wpa_supplicant 0.6.9, not seen with Cisco ACS 4.1

Gulick Tom-WPD384 Tom.Gulick
Mon Nov 12 10:55:58 PST 2012

On my ACS4.1 set-up I can get the same MSCHAPv2 error by just giving it a bad password so that seems to be the issue.


-----Original Message-----
From: hostap-bounces at lists.shmoo.com [mailto:hostap-bounces at lists.shmoo.com] On Behalf Of Jouni Malinen
Sent: Sunday, November 11, 2012 9:38 AM
To: hostap at lists.shmoo.com
Subject: Re: EAP-FAST error with Cisco ACS 5.2 and wpa_supplicant 0.6.9, not seen with Cisco ACS 4.1

On Thu, Nov 08, 2012 at 03:59:42PM +0000, Gulick Tom-WPD384 wrote:
> We see an error during the PAC provisioning phase of an EAP-FAST connection with Cisco ACS 5.2 that we don't see with Cisco ACS 4.1.

I don't have Cisco ACS 5.2, so I cannot easily verify this behavior
myself. Anyway, the log seems to indicate authentication failure (e.g.,
incorrect password in MSCHAPv2):

> With ACS 5.2, we get this in the supplicant log:

> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 9 length 57 (mandatory)
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Phase 2 Request: type=26
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: RX identifier 246 mschapv2_id 245
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: Received failure
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: error 691
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: retry is allowed
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: password changing protocol version 3
> 2012-11-07 09:47:59 [ APCT][Warn] EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)

That error 691 is allocated for indicating authentication failures.
Assuming you have verified that the username/password is valid, this
could be caused by some other failures during the authentication step.
Could you please send full wpa_supplicant debug log showing the EAP-FAST
authentication attempt from the beginning to this point? Do you have
access to the ACS server? If so, it would be good to take a look at its
logs to determine the reason for rejecting MSCHAPv2 authentication.

Jouni Malinen                                            PGP id EFC895FA
HostAP mailing list
HostAP at lists.shmoo.com
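The "error 691", "retry is allowed", "password changing protocol version 3" and "failure message: ''" lines in the log above are the fields of the MS-CHAPv2 Failure-Request text that the server sends (RFC 2759, section 6: `E=... R=... C=... V=... M=...`). The following parser is an added example for reading such a message and naming its error code; it is not code from this thread or from wpa_supplicant, the field names and error codes come from RFC 2759, and the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Parsed view of an MS-CHAPv2 Failure-Request (RFC 2759, section 6).
 * On the wire it is text, e.g. (constructed sample):
 *   "E=691 R=1 C=0123456789abcdef0123456789abcdef V=3 M=Authentication failed" */
struct mschapv2_failure {
    int error;           /* E= error code, -1 if absent */
    int retry_allowed;   /* R= 1 if a retry is permitted, 0 if not, -1 if absent */
    char challenge[33];  /* C= 16-byte challenge as 32 hex chars, "" if absent */
    int version;         /* V= password-change protocol version, -1 if absent */
    const char *message; /* M= free text (points into the input), "" if absent */
};

/* Names of the error codes defined in RFC 2759; anything else is unknown. */
const char *mschapv2_error_name(int error)
{
    switch (error) {
    case 646: return "ERROR_RESTRICTED_LOGON_HOURS";
    case 647: return "ERROR_ACCT_DISABLED";
    case 648: return "ERROR_PASSWD_EXPIRED";
    case 649: return "ERROR_NO_DIALIN_PERMISSION";
    case 691: return "ERROR_AUTHENTICATION_FAILURE";
    case 709: return "ERROR_CHANGING_PASSWORD";
    default:  return "UNKNOWN_ERROR";
    }
}

/* Parse a decimal field value; returns -1 if empty, too long or not all digits. */
static int parse_decimal(const char *val, size_t len)
{
    if (len == 0 || len > 9)
        return -1;
    int n = 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)val[i]))
            return -1;
        n = n * 10 + (val[i] - '0');
    }
    return n;
}

/* Parse a NUL-terminated failure message into *out.
 * Returns 0 on success, -1 if the mandatory E= field is missing or any field
 * is malformed. Fields before M= are space separated; M= runs to the end. */
int mschapv2_parse_failure(const char *msg, struct mschapv2_failure *out)
{
    const char *p = msg;

    memset(out, 0, sizeof(*out));
    out->error = out->retry_allowed = out->version = -1;
    out->message = "";

    while (*p) {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        if (!isupper((unsigned char)p[0]) || p[1] != '=')
            return -1;                       /* expected a "K=" token */
        char key = p[0];
        const char *val = p + 2;
        if (key == 'M') {
            out->message = val;              /* free text: take the rest */
            break;
        }
        const char *end = val;
        while (*end && *end != ' ')
            end++;
        size_t len = (size_t)(end - val);
        int n;
        switch (key) {
        case 'E':
            if ((n = parse_decimal(val, len)) < 0) return -1;
            out->error = n;
            break;
        case 'R':
            if ((n = parse_decimal(val, len)) < 0) return -1;
            out->retry_allowed = n ? 1 : 0;
            break;
        case 'V':
            if ((n = parse_decimal(val, len)) < 0) return -1;
            out->version = n;
            break;
        case 'C':
            if (len != 32) return -1;
            for (size_t i = 0; i < len; i++)
                if (!isxdigit((unsigned char)val[i])) return -1;
            memcpy(out->challenge, val, 32);
            out->challenge[32] = '\0';
            break;
        default:
            break;                           /* unknown keys are ignored */
        }
        p = end;
    }
    return out->error < 0 ? -1 : 0;
}

int main(void)
{
    /* Constructed sample with the same fields as the log above: error 691,
     * retry allowed, version 3 and an empty M= text. */
    const char *sample = "E=691 R=1 C=0123456789abcdef0123456789abcdef V=3 M=";
    struct mschapv2_failure f;
    if (mschapv2_parse_failure(sample, &f) == 0)
        printf("failure message: '%s' (%s, error %d %s, version %d)\n",
               f.message, f.retry_allowed ? "retry allowed" : "no retry",
               f.error, mschapv2_error_name(f.error), f.version);
    return 0;
}
```

The empty `M=` seen in the log is the reason the supplicant prints `failure message: ''`: the server set the error code and retry flag but sent no human-readable text, so the ACS server's own logs, as suggested above, are the place to find the reason for the rejection.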
