Trouble getting eap_server=1 to run: "Supplicant used different EAP type: 1 (Identity)"

Jouni Malinen j at w1.fi
Fri Jul 22 10:01:08 PDT 2016


On Wed, Jul 20, 2016 at 03:13:25PM +0200, Linus Lüssing wrote:
> I'm currently trying to get a hostapd v2.3 running for WPA-EAP on
> a Debian unstable (kernel 4.6). I am trying to connect with a Nokia N900
> (OS: Linux/Maemo) which unfortunately always results in the lines:
> 
>   wlan0: STA 00:0d:d5:8c:7a:97 IEEE 802.1X: authentication failed - EAP type: 0 ((null))
>   wlan0: STA 00:0d:d5:8c:7a:97 IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)

This indicates that authentication failed very early after the identity
exchange (in processing TLS ClientHello based on the logs in this email
thread).

> On the N900 GUI I have selected the following options:
> 
> -----
> EAP Type: TTLS
> Certificate: None
> EAP Methode: EAP-MSCHAPv2
> User: testuser
> Password: testpw
> -----
> 
> On the hostapd side, eap_user.conf looks like this:
> 
> -----
> "testuser"      TTLS
> "testuser"      TTLS-MSCHAPV2   "testpw"        [2]

This does not match the client side configuration. TTLS-MSCHAPV2 is the
non-EAP version of MSCHAPV2 with EAP-TTLS while the client side has been
configured to use the EAP-version of MSCHAPV2 within EAP-TTLS. This will
fail authentication, but that would happen a number of messages later than
the earlier issue you are seeing now.

> PS: The following combinations did not work either, they resulted
> in the same output and error on the hostapd side:
> 
> -----
> N900: EAP Type: TTLS; EAP Methode: MSCHAPv2 (instead of "EAP-MSCHAPv2")
> eap_user.conf: phase1 -> TTLS, phase2 -> TTLS-MSCHAPV2

This has matching configuration.

> N900: EAP Type: TTLS; EAP Methode: EAP-MSCHAPv2 (or just "MSCHAPv2")
> eap_user.conf: phase1 -> TTLS, phase2 -> MSCHAPV2 (instead of "TTLS-MSCHAPV2")

So does this.

> N900: EAP Type: PEAP; EAP Methode: EAP-MSCHAPv2
> eap_user.conf: phase1 -> PEAP, phase2 -> MSCHAPv2

And this.

Anyway, the earlier issue with TLS ClientHello prevents you from hitting
the place where the failures related to the Phase 2 (authentication
within the TLS tunnel) of EAP-TTLS would occur.

-- 
Jouni Malinen                                            PGP id EFC895FA
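
The phase 2 matching rule discussed in this message, as an added example that is not part of the original email or of hostapd: a small checker that reads eap_user lines and reports whether a client's tunnel selection has a matching entry. The function names are hypothetical, the client labels follow the N900 GUI wording quoted in the thread, and it assumes the first entry for an identity (exact or a bare `*`) in each phase is the one used.

```python
import shlex

def parse_eap_user(text):
    """Yield (identity, methods, is_phase2) for each eap_user entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)           # drops the quotes around identity/password
        if len(tok) < 2:
            continue
        methods = {m.upper() for m in tok[1].split(",")}
        yield tok[0], methods, tok[-1] == "[2]"

def expected_phase2(outer, inner):
    """Map the client's tunnel choice to the eap_user phase 2 method name."""
    inner = inner.upper()
    is_eap = inner.startswith("EAP-")
    base = inner[4:] if is_eap else inner
    if outer.upper() == "TTLS" and not is_eap:
        return "TTLS-" + base             # non-EAP method inside EAP-TTLS
    return base                           # EAP method inside the tunnel

def first_match(entries, user, phase2):
    # Assumption: first entry for this identity (or bare *) in the phase wins.
    for ident, methods, is_p2 in entries:
        if is_p2 == phase2 and ident in (user, "*"):
            return methods
    return set()

def check(eap_user_text, user, outer, inner):
    entries = list(parse_eap_user(eap_user_text))
    want = expected_phase2(outer, inner)
    return {
        "phase1_ok": outer.upper() in first_match(entries, user, False),
        "phase2_ok": want in first_match(entries, user, True),
        "expected_phase2": want,
    }

# eap_user.conf lines as quoted in the thread
THREAD_EAP_USER = '''
"testuser"      TTLS
"testuser"      TTLS-MSCHAPV2   "testpw"        [2]
'''

if __name__ == "__main__":
    for outer, inner in [("TTLS", "EAP-MSCHAPv2"), ("TTLS", "MSCHAPv2"), ("PEAP", "EAP-MSCHAPv2")]:
        print(outer, inner, check(THREAD_EAP_USER, "testuser", outer, inner))
```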
