EAP-FAST: authenticated provisioning failure on Cisco ACS 5.4

Nakashima Akihiro Nakashima.Akihiro
Wed Apr 29 18:09:22 PDT 2015

Thank you for your reply.

> What is this specific order of TLVs based on? I did not find anything
> in RFC 4851 describing a requirement of Intermediate-Result TLV being
> before Crypto-Binding TLV in the message. Taking into account how those
> TLVs are calculated, there is no difference in their payload
> regardless of in which order they happen to be included.

  (4.2.7. Intermediate-Result TLV)
   An Intermediate-Result TLV indicating success
   MUST be accompanied by a Crypto-Binding TLV

  (4.2.8. Crypto-Binding TLV)
   The Crypto-Binding TLV MUST be included with the Intermediate-Result
   TLV to perform Cryptographic Binding after each successful EAP method
   in a sequence of EAP methods.

These sentences seem to me to imply that the Intermediate-Result TLV is ordered before the Crypto-Binding TLV.
But as I am not a Cisco engineer, I have no idea how Cisco implemented ACS or why this error message is shown.

Anyway, I prepared the full debug log files, both with and without your workaround patch.
The patch worked fine for ACS 5.4 with both anonymous and authenticated provisioning.
Thank you for kindly providing the patches.

  -> without workaround patch, anonymous provisioning (Success)
  -> without workaround patch, authenticated provisioning (Failure) 

  -> with workaround patch, anonymous provisioning (Success)
  -> with workaround patch, authenticated provisioning (Success)

If you have any request for me, please feel free to ask.

Thank you.

Best Regards,
Akihiro Nakashima
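The exchange above turns on whether RFC 4851 section 4.2.7 (an Intermediate-Result TLV indicating Success MUST be accompanied by a Crypto-Binding TLV) says anything about TLV position. The following is an added example, not code from this thread or from hostap/wpa_supplicant: it parses the RFC 4851 section 4.2 TLV framing (M bit, R bit, 14-bit type, 2-byte length), checks the 4.2.7 co-occurrence rule by presence rather than position, and shows that a message with Intermediate-Result first and one with Crypto-Binding first carry identical TLVs. The TLV type values (3, 10, 12), the Intermediate-Result status codes and the 56-byte Crypto-Binding layout come from RFC 4851; the sample messages, nonce and Compound MAC bytes are constructed for the example and are not a real capture, and nothing here models what Cisco ACS actually checks.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# TLV type values from RFC 4851 section 4.2 (constants defined for this example).
TLV_RESULT = 3
TLV_INTERMEDIATE_RESULT = 10
TLV_CRYPTO_BINDING = 12

# Intermediate-Result TLV status values (RFC 4851 section 4.2.7).
STATUS_SUCCESS = 1
STATUS_FAILURE = 2

# Crypto-Binding TLV value: Reserved(1) Version(1) Received Version(1)
# Sub-Type(1) Nonce(32) Compound MAC(20) = 56 bytes (RFC 4851 section 4.2.8).
CRYPTO_BINDING_LEN = 56


@dataclass
class Tlv:
    mandatory: bool  # M bit: peer must NAK the message if it does not understand the type
    tlv_type: int    # 14-bit type
    value: bytes


def encode_tlv(tlv_type: int, value: bytes, mandatory: bool = True) -> bytes:
    # Header: bit 15 = M, bit 14 = R (reserved, zero), bits 13..0 = type; then 2-byte length.
    hdr = (0x8000 if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", hdr, len(value)) + value


def parse_tlvs(data: bytes) -> List[Tlv]:
    """Walk a concatenated TLV sequence, refusing truncated headers or values."""
    tlvs: List[Tlv] = []
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError(f"truncated TLV header at offset {off}")
        hdr, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError(f"TLV type {hdr & 0x3FFF} claims {length} bytes, "
                             f"only {len(data) - off} remain")
        tlvs.append(Tlv(bool(hdr & 0x8000), hdr & 0x3FFF, data[off:off + length]))
        off += length
    return tlvs


def intermediate_result_status(tlvs: List[Tlv]) -> Optional[int]:
    """Status field of the Intermediate-Result TLV, or None if the TLV is absent."""
    for t in tlvs:
        if t.tlv_type == TLV_INTERMEDIATE_RESULT:
            if len(t.value) < 2:
                raise ValueError("Intermediate-Result TLV shorter than its 2-byte Status")
            return struct.unpack_from("!H", t.value)[0]
    return None


def check_crypto_binding_rule(tlvs: List[Tlv]) -> bool:
    """RFC 4851 4.2.7: an Intermediate-Result TLV indicating Success MUST be
    accompanied by a Crypto-Binding TLV. The rule is about presence in the same
    message; it does not constrain the position of either TLV."""
    if intermediate_result_status(tlvs) != STATUS_SUCCESS:
        return True  # no Intermediate-Result, or Status = Failure: nothing to bind yet
    return any(t.tlv_type == TLV_CRYPTO_BINDING and len(t.value) == CRYPTO_BINDING_LEN
               for t in tlvs)


def build_crypto_binding(nonce: bytes, compound_mac: bytes, subtype: int = 0) -> bytes:
    # Version = 1 and Received Version = 1 per RFC 4851; Sub-Type 0 = binding request.
    assert len(nonce) == 32 and len(compound_mac) == 20
    return encode_tlv(TLV_CRYPTO_BINDING, bytes([0, 1, 1, subtype]) + nonce + compound_mac)


# Constructed sample messages (not a real capture): fixed filler bytes stand in
# for the nonce and Compound MAC, which a real peer derives from the TLS keys.
IR_SUCCESS = encode_tlv(TLV_INTERMEDIATE_RESULT, struct.pack("!H", STATUS_SUCCESS))
CB = build_crypto_binding(b"\x11" * 32, b"\x22" * 20)
MSG_IR_FIRST = IR_SUCCESS + CB   # Intermediate-Result, then Crypto-Binding
MSG_CB_FIRST = CB + IR_SUCCESS   # Crypto-Binding, then Intermediate-Result
MSG_IR_ALONE = IR_SUCCESS        # Success with no Crypto-Binding: violates 4.2.7


def tlv_order(data: bytes) -> List[int]:
    return [t.tlv_type for t in parse_tlvs(data)]


def same_tlv_set(a: bytes, b: bytes) -> bool:
    """True when both messages carry identical TLVs (type, M bit and value), whatever their order."""
    key = lambda t: (t.mandatory, t.tlv_type, t.value)
    return sorted(map(key, parse_tlvs(a))) == sorted(map(key, parse_tlvs(b)))


if __name__ == "__main__":
    for name, msg in (("IR first", MSG_IR_FIRST), ("CB first", MSG_CB_FIRST), ("IR alone", MSG_IR_ALONE)):
        print(f"{name}: order={tlv_order(msg)} rule_ok={check_crypto_binding_rule(parse_tlvs(msg))}")
    print("same TLVs in both orderings:", same_tlv_set(MSG_IR_FIRST, MSG_CB_FIRST))
```

Both orderings pass the 4.2.7 check and decode to the same TLVs, which is the point made in the quoted reply; only the message that omits the Crypto-Binding TLV fails. A server that rejects one ordering is applying a constraint of its own, not one stated in RFC 4851.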

More information about the Hostap mailing list