Trouble getting eap_server=1 to run: "Supplicant used different EAP type: 1 (Identity)"
Jouni Malinen
j at w1.fi
Fri Jul 22 10:01:08 PDT 2016
On Wed, Jul 20, 2016 at 03:13:25PM +0200, Linus Lüssing wrote:
> I'm currently trying to get a hostapd v2.3 running for WPA-EAP on
> a Debian unstable (kernel 4.6). I am trying to connect with a Nokia N900
> (OS: Linux/Maemo) which unfortunately always results in the lines:
>
> wlan0: STA 00:0d:d5:8c:7a:97 IEEE 802.1X: authentication failed - EAP type: 0 ((null))
> wlan0: STA 00:0d:d5:8c:7a:97 IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)

This indicates that authentication failed very early after the identity
exchange (in processing TLS ClientHello based on the logs in this email
thread).

> On the N900 GUI I have selected the following options:
>
> -----
> EAP Type: TTLS
> Certificate: None
> EAP Methode: EAP-MSCHAPv2
> User: testuser
> Password: testpw
> -----
>
> On the hostapd side, eap_user.conf looks like this:
>
> -----
> "testuser" TTLS
> "testuser" TTLS-MSCHAPV2 "testpw" [2]

This does not match the client side configuration. TTLS-MSCHAPV2 is the
non-EAP version of MSCHAPV2 with EAP-TTLS while the client side has been
configured to use the EAP-version of MSCHAPV2 within EAP-TTLS. This will
fail authentication, but that would happen a number of messages later than
the earlier issue you are seeing now.

> PS: The following combinations did not work either, they resulted
> in the same output and error on the hostapd side:
>
> -----
> N900: EAP Type: TTLS; EAP Methode: MSCHAPv2 (instead of "EAP-MSCHAPv2")
> eap_user.conf: phase1 -> TTLS, phase2 -> TTLS-MSCHAPV2

This has matching configuration.

> N900: EAP Type: TTLS; EAP Methode: EAP-MSCHAPv2 (or just "MSCHAPv2")
> eap_user.conf: phase1 -> TTLS, phase2 -> MSCHAPV2 (instead of "TTLS-MSCHAPV2")

So does this.

> N900: EAP Type: PEAP; EAP Methode: EAP-MSCHAPv2
> eap_user.conf: phase1 -> PEAP, phase2 -> MSCHAPv2

And this.

Anyway, the earlier issue with TLS ClientHello prevents you from hitting
the place where the failures related to the Phase 2 (authentication
within the TLS tunnel) of EAP-TTLS.
--
Jouni Malinen PGP id EFC895FA
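
The Phase 2 matching rule described in the reply above, as an added example that is not part of the original message or of hostapd: a small checker that reads eap_user entries and reports whether the configured inner method matches what the client will use. The function names and the simplified line format it parses are assumptions made for illustration; the sample entries are the ones quoted in the thread.

```python
import shlex

# Constructed sample: the eap_user.conf entries quoted in the thread.
SAMPLE_EAP_USER = '''
"testuser" TTLS
"testuser" TTLS-MSCHAPV2 "testpw" [2]
'''

def phase2_methods(eap_user_text, identity):
    """Return the set of Phase 2 methods configured for identity.

    Simplified parser (assumption): one entry per line in the form
    "identity" METHOD[,METHOD...] ["password"] [2]; '#' starts a comment line.
    """
    methods = set()
    for line in eap_user_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 2 or fields[0] != identity:
            continue
        if fields[-1] == "[2]":          # [2] marks a Phase 2 (inner) entry
            methods.update(m.upper() for m in fields[1].split(","))
    return methods

def expected_server_method(outer, inner_is_eap, inner="MSCHAPV2"):
    """Server-side method name that matches the client's inner method."""
    if outer.upper() == "TTLS" and not inner_is_eap:
        return "TTLS-" + inner.upper()   # non-EAP method carried directly in TTLS
    return inner.upper()                 # EAP method inside TTLS or PEAP

def check(eap_user_text, identity, outer, inner_is_eap):
    """Return (ok, expected, configured) for one client configuration."""
    configured = phase2_methods(eap_user_text, identity)
    expected = expected_server_method(outer, inner_is_eap)
    return expected in configured, expected, configured

if __name__ == "__main__":
    # Client set to TTLS with EAP-MSCHAPv2 inside: mismatch with the sample file.
    print(check(SAMPLE_EAP_USER, "testuser", "TTLS", inner_is_eap=True))
    # Client set to TTLS with non-EAP MSCHAPv2 inside: matches the sample file.
    print(check(SAMPLE_EAP_USER, "testuser", "TTLS", inner_is_eap=False))
```

A mismatch reported here corresponds to the later Phase 2 failure mentioned in the reply, not to the early TLS ClientHello failure.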