EAP-FAST: authenticated provisioning failure on Cisco ACS 5.4

Nakashima Akihiro Nakashima.Akihiro
Wed Apr 29 18:09:22 PDT 2015


Thank you for your reply.

> What is this specific order of TLVs based on? I did not find anything 
> in RFC 4851 describing a requirement of Intermediate-Result TLV being 
> before Crypto-Binding TLV in the message. Taken into account how those 
> TLVs are calculated, there is no difference in their payload 
> regardless of in which order they happen to be included.

  (4.2.7. Intermediate-Result TLV)
   An Intermediate-Result TLV indicating success
   MUST be accompanied by a Crypto-Binding TLV

  (4.2.8. Crypto-Binding TLV)
   The Crypto-Binding TLV MUST be included with the Intermediate-Result
   TLV to perform Cryptographic Binding after each successful EAP method
   in a sequence of EAP methods.

It seems to me that these sentences imply the order of Intermediate-Result TLV before Crypto-Binding TLV.
But as I am not a Cisco engineer, I have no idea how Cisco implements ACS or why this error message is shown.

Anyway, I prepared the full debug log files, both with and without your workaround patch.
The patch worked fine for ACS 5.4 for both anonymous and authenticated provisioning.
Thank you for kindly providing the patches.

http://pastebin.com/tNjuj9YT
  -> without workaround patch, anonymous provisioning (Success)
http://pastebin.com/rHq8Ga0s
  -> without workaround patch, authenticated provisioning (Failure) 

http://pastebin.com/VmeKkkL2
  -> with workaround patch, anonymous provisioning (Success)
http://pastebin.com/ffmqqF5h
  -> with workaround patch, authenticated provisioning (Success)

If you have any request for me, please feel free to ask.

Thank you.

--
Best Regards,
Akihiro Nakashima
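An added example (my own code, not hostapd's or Cisco's) that encodes RFC 4851 TLV framing and checks the quoted rule, that a successful Intermediate-Result TLV must be accompanied by a Crypto-Binding TLV, independently of TLV order, while separately reporting which TLV came first. The type codes 10 and 12 and the 56-byte Crypto-Binding length are from RFC 4851; the nonce and Compound MAC bytes are constructed placeholders.

```python
import struct

# TLV type codes from RFC 4851 section 4.2; the M (mandatory) bit is the top
# bit of the 16-bit type field and is masked off when matching types.
TLV_INTERMEDIATE_RESULT = 10
TLV_CRYPTO_BINDING = 12
TLV_TYPE_MASK = 0x3FFF
TLV_MANDATORY = 0x8000
STATUS_SUCCESS = 1
CRYPTO_BINDING_LEN = 56  # 4 header bytes + 32-byte NONCE + 20-byte Compound MAC


def build_tlv(tlv_type, value, mandatory=True):
    """Encode one TLV: 2-byte type (with M bit), 2-byte length, value."""
    flags = TLV_MANDATORY if mandatory else 0
    return struct.pack("!HH", tlv_type | flags, len(value)) + value


def parse_tlvs(buf):
    """Split a TLV sequence into (type, value) pairs; reject truncation."""
    tlvs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header at offset %d" % off)
        tlv_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("truncated TLV value at offset %d" % off)
        tlvs.append((tlv_type & TLV_TYPE_MASK, buf[off:off + length]))
        off += length
    return tlvs


def check_intermediate_binding(buf):
    """Return (rfc_ok, intermediate_first). rfc_ok applies the RFC 4851 rule
    that a success Intermediate-Result TLV must be accompanied by a well-sized
    Crypto-Binding TLV; intermediate_first only reports the observed order."""
    tlvs = parse_tlvs(buf)
    types = [t for t, _ in tlvs]
    success = any(t == TLV_INTERMEDIATE_RESULT and len(v) >= 2
                  and struct.unpack("!H", v[:2])[0] == STATUS_SUCCESS
                  for t, v in tlvs)
    binding = any(t == TLV_CRYPTO_BINDING and len(v) == CRYPTO_BINDING_LEN
                  for t, v in tlvs)
    first = (TLV_INTERMEDIATE_RESULT in types and TLV_CRYPTO_BINDING in types
             and types.index(TLV_INTERMEDIATE_RESULT) < types.index(TLV_CRYPTO_BINDING))
    return (binding or not success), first


# Constructed sample messages: zeroed NONCE and Compound MAC, not real values.
IR_SUCCESS = build_tlv(TLV_INTERMEDIATE_RESULT, struct.pack("!H", STATUS_SUCCESS))
CRYPTO_BINDING = build_tlv(TLV_CRYPTO_BINDING, bytes([0, 1, 1, 0]) + bytes(32) + bytes(20))
MSG_IR_FIRST = IR_SUCCESS + CRYPTO_BINDING      # order the mail reads into the RFC
MSG_CB_FIRST = CRYPTO_BINDING + IR_SUCCESS      # still valid per the RFC wording
MSG_NO_BINDING = IR_SUCCESS                     # violates the MUST
```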
