Hostapd didn't ACK fragmented EAP-TLS frame
Olivier Cochard-Labbé
Wed Jan 21 02:51:52 PST 2015
Hi,
I'm using FreeBSD 11.0-CURRENT r277315 and am hitting a problem with my FreeBSD
Access Point in an EAP-TLS setup.
I've tested with hostapd 2.0 (included with FreeBSD) and hostapd 2.3 (from
the port) but I have the same problem:
During EAP-TLS authentication, the Authenticator (hostapd) correctly sends
a fragmented EAP "Server Hello, Certificate, Certificate Request" message
to the supplicant.
The supplicant (MS Windows native client) correctly ACKs each of these
fragmented EAP packets with an empty EAP-TLS packet.
Once the supplicant has reassembled the full EAP Certificate Request from the
Authenticator, it sends a response (EAP fragmented too).
But hostapd never ACKs this first fragmented packet received from the
supplicant
=> Then the authentication phase times out.
I've tried with 3 different wireless cards:
- Atheros 9280 (ath driver)
- Atheros AR2425 (ath driver)
- Ralink RT2573 (rum driver)
and all of them have the same problem (so it is not a chipset or driver problem).
Here is a tcpdump text-export of an exchange (done on the hostapd):
- D-Link_58:79:3e is the AP (authenticator)
- GemtekTe_35:8c:70 is the wireless-client (supplicant)
No.  Time       Source             Destination        Protocol  Length  Info
21   21.497272  D-Link_58:79:3e    GemtekTe_35:8c:70  EAP       23      Request, Identity
22   21.541316  GemtekTe_35:8c:70  D-Link_58:79:3e    EAPOL     19      Start
23   21.542460  D-Link_58:79:3e    GemtekTe_35:8c:70  EAP       23      Request, Identity
24   21.544299  GemtekTe_35:8c:70  D-Link_58:79:3e    EAP       60      Response, Identity
25   21.547151  GemtekTe_35:8c:70  D-Link_58:79:3e    EAP       60      Response, Identity
26   21.615532  D-Link_58:79:3e    GemtekTe_35:8c:70  EAP       24      Request, TLS EAP (EAP-TLS)
27   21.622288  GemtekTe_35:8c:70  D-Link_58:79:3e    SSL       125     Client Hello
28   21.691433  D-Link_58:79:3e    GemtekTe_35:8c:70  TLSv1     1314    Server Hello, Certificate, Certificate Request, Server Hello Done
29   21.694861  GemtekTe_35:8c:70  D-Link_58:79:3e    EAP       24      Response, TLS EAP (EAP-TLS)
30   23.594184  D-Link_58:79:3e    GemtekTe_35:8c:70  TLSv1     1314    Server Hello, Certificate, Certificate Request, Server Hello Done
31   23.596294  GemtekTe_35:8c:70  D-Link_58:79:3e    EAP       24      Response, TLS EAP (EAP-TLS)
32   23.664337  D-Link_58:79:3e    GemtekTe_35:8c:70  TLSv1     1314    Server Hello, Certificate, Certificate Request, Server Hello Done
33   23.668877  GemtekTe_35:8c:70  D-Link_58:79:3e    EAP       24      Response, TLS EAP (EAP-TLS)
34   23.732970  D-Link_58:79:3e    GemtekTe_35:8c:70  TLSv1     272     Server Hello, Certificate, Certificate Request, Server Hello Done
35   23.743648  GemtekTe_35:8c:70  D-Link_58:79:3e    EAP       1510    Response, TLS EAP (EAP-TLS)
And here is the detail of this last frame 35:
No.  Time       Source             Destination        Protocol  Length  Info
35   23.743648  GemtekTe_35:8c:70  D-Link_58:79:3e    EAP       1510    Response, TLS EAP (EAP-TLS)
Frame 35: 1510 bytes on wire (12080 bits), 1510 bytes captured (12080 bits)
Ethernet II, Src: GemtekTe_35:8c:70 (20:10:7a:35:8c:70), Dst: D-Link_58:79:3e (00:21:91:58:79:3e)
    Destination: D-Link_58:79:3e (00:21:91:58:79:3e)
    Source: GemtekTe_35:8c:70 (20:10:7a:35:8c:70)
    Type: 802.1X Authentication (0x888e)
802.1X Authentication
    Version: 802.1X-2001 (1)
    Type: EAP Packet (0)
    Length: 1492
Extensible Authentication Protocol
    Code: Response (2)
    Id: 9
    Length: 1492
    Type: TLS EAP (EAP-TLS) (13)
    EAP-TLS Flags: 0xc0
        1... .... = Length Included: True
        .1.. .... = More Fragments: True
        ..0. .... = Start: False
    EAP-TLS Length: 3524
=> it's a fragmented EAP-TLS packet (Length: 3524, More Fragments set).
Then once this first fragment is received, hostapd should ACK it with
an empty EAP-TLS frame... but it didn't send it.
I've checked the eap_server/eap_server_tls_common.c file and saw lots of
wpa_printf() calls regarding EAP-TLS and SSL that could help me debug it. But I
didn't manage to enable this debug mode (even by starting hostapd with -dd).
How do I display these EAP-TLS/SSL debug messages?
Thanks,
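As an added example (not part of the post, and not hostapd's own code), here is a minimal Python model of what an authenticator is expected to do with a frame like frame 35 under RFC 5216: parse the EAP-TLS header, answer each fragment that has the More Fragments bit set with an empty EAP-TLS Request (the ACK), and hand the reassembled TLS data up only after the last fragment. The sample frames in `demo()` are constructed to match the post's numbers (Id 9, flags 0xc0, EAP Length 1492, TLS Length 3524); the split into three fragments is an assumption.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 13
FLAG_LEN, FLAG_MORE, FLAG_START = 0x80, 0x40, 0x20  # L, M, S bits of the flags byte

def parse_eap_tls(pkt: bytes) -> dict:
    """Parse Code/Id/Length/Type/Flags[/TLS Length]; return fields and TLS data."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_TLS:
        raise ValueError("malformed or non-EAP-TLS packet")
    flags, offset, tls_len = pkt[5], 6, None
    if flags & FLAG_LEN:  # the 4-byte TLS Length field is present only when L is set
        tls_len, offset = struct.unpack("!I", pkt[6:10])[0], 10
    return {"code": code, "id": ident, "flags": flags, "tls_len": tls_len, "data": pkt[offset:]}

def build_response(ident: int, flags: int, data: bytes, tls_len: int = 0) -> bytes:
    """Supplicant-side EAP-TLS Response (used here to construct the sample frames)."""
    body = bytes([EAP_TYPE_TLS, flags]) + (struct.pack("!I", tls_len) if flags & FLAG_LEN else b"") + data
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body

def eap_tls_ack(ident: int) -> bytes:
    """Empty EAP-TLS Request: the authenticator's ACK for a received fragment."""
    return struct.pack("!BBHBB", EAP_REQUEST, ident, 6, EAP_TYPE_TLS, 0)

class Reassembler:
    """Authenticator-side reassembly of one fragmented EAP-TLS message."""
    def __init__(self):
        self.buf, self.expected = bytearray(), None

    def handle(self, pkt: bytes):
        """Return ("ack", frame) for a fragment, ("done", tls_bytes) when complete."""
        p = parse_eap_tls(pkt)
        if p["tls_len"] is not None and not self.buf:
            self.expected = p["tls_len"]  # total length announced in the first fragment
        self.buf += p["data"]
        if p["flags"] & FLAG_MORE:
            # More Fragments set: the only correct reply is an empty EAP-TLS Request
            return "ack", eap_tls_ack((p["id"] + 1) & 0xFF)
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("reassembled TLS length mismatch")
        return "done", bytes(self.buf)

def demo() -> list:
    """Constructed 3524-byte TLS flight, first fragment carrying 1482 bytes like frame 35."""
    tls = b"\x16\x03\x01" + bytes(3521)
    r, out = Reassembler(), []
    out.append(r.handle(build_response(9, FLAG_LEN | FLAG_MORE, tls[:1482], len(tls))))
    out.append(r.handle(build_response(10, FLAG_MORE, tls[1482:2964])))
    out.append(r.handle(build_response(11, 0, tls[2964:])))
    return out  # [("ack", ...), ("ack", ...), ("done", tls)]
```

The first two calls return the 6-byte ACK frame the post says hostapd never sent; a stack that stays silent at that point leaves the supplicant waiting until the EAP timer expires.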