Help with EAP-TTLS/EAP-MD5

Ivan Sanchez Valencia isanchez
Sun Jul 4 09:58:08 PDT 2004


Hello,

I configured FreeRADIUS + hostapd for EAP-TLS and with a wpa_supplicant client, all works fine.

I have version 0.2.2 of hostapd, 0.2.3 of wpa_supplicant, FreeRADIUS v1.0.0-pre3 and wireless cards with 1.7.1 firmware.

Now I'm trying to configure EAP-TTLS/EAP-MD5. I make these changes:

In eap.conf
-----------
eap {
  default_eap_type = ttls
  tls {
    # I don't change anything here, it's like with EAP-TLS config
    # I only commented this line
    #check_cert_cn = %{User-Name}
  }
  ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
  }
  ...
}

In users
--------

anonimo  Auth-Type := EAP
user     Auth-Type := Local, User-Password == "secret"

And in wpa_supplicant.conf in client machine
--------------------------------------------

network={
  ssid="net"
  key_mgmt=WPA-EAP
  eap=TTLS
  identity="user"
  anonymous_identity="anonimo"
  password="secret"
  ca_cert="/etc/cert/root.ca"
}

In hostapd.conf I don't change anything.

And when I start FreeRADIUS, hostapd and wpa_supplicant, I get these messages:

==> /usr/local/var/log/radius/radius.log <==
Sun Jul  4 18:50:56 2004 : Error:     TLS_accept:error in SSLv3 read client certificate A
Sun Jul  4 18:50:56 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Sun Jul  4 18:50:56 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Sun Jul  4 18:50:56 2004 : Info:     (other): SSL negotiation finished successfully
Sun Jul  4 18:50:56 2004 : Auth: Login incorrect: [user/<no User-Password attribute>] (from client localhost port 0)
Sun Jul  4 18:50:56 2004 : Auth: Login incorrect: [anonimo/<no User-Password attribute>] (from client machine.domain.com
port 1 cli XX-XX-XX-XX-XX-XX)

------------

And in wpa_supplicant output:

...
EAP-TTLS: TLS done, proceed to Phase 2
...
EAP: using real identity - hexdump_ascii(len=4):
     75 73 65 72                                       user
EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=9): 02 05 00 09 01 75 73 65 72
EAP-TTLS: Encrypting Phase 2 data - hexdump(len=20): 00 00 00 4f 40 00 00 11 02 05 00 09 01 75 73 65 72 00 00 00
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
WPA: EAPOL frame too short, len 73, expecting at least 99
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=114): 00 50 c2 10 92 66 00 90 d1 08 58 e1 88 8e 01 00 00 60 02 05 00 60 15 00 17 03 01 00 20 70
04 62 ca 03 76 c6 51 23 3c 0d 6b ec b8 fd f2 fe c3 54 65 a6 b5 e8 24 34 9e 7a b6 de 9d a9 56 17 03 01 00 30 3c 1a e0 3c
0e 94 19 e0 6a f8 4d e2 a0 35 8b 84 ae d0 10 c6 b2 28 20 62 2d 20 92 58 3d c9 7e 5e 04 63 7c 99 64 a5 8e 60 2b df bd 08
12 69 fb 5f
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: Port Timers tick - authWhile=29 heldWhile=0 startWhen=28 idleWhile=59
RX EAPOL from 00:50:c2:10:92:66
RX EAPOL - hexdump(len=8): 01 00 00 04 04 05 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
...

----------------------------

What am I doing wrong???


Ivan.


--

               "I didn't know it was impossible when I did it."

        ---------------------------------------------------------------
         Iván Sánchez Valencia
         Email: isanchez at piltrafa.dhis.org
         PGP public key: http://www.piltrafa.dhis.org/pubkey.asc
        ---------------------------------------------------------------
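To show what the Phase 2 hexdump quoted above actually carries, here is an added Python example (not code from the post, hostapd or FreeRADIUS): it decodes the EAP-TTLS AVP and the EAP packet inside it, then builds and verifies an EAP-MD5 challenge response using a constructed challenge. The decoded tunnel data is only an EAP Identity response for "user"; the MD5-Challenge step that follows requires the server to hold the cleartext password, because it must recompute MD5(id | password | challenge) itself.

```python
import hashlib
import hmac
import struct

# Phase-2 bytes copied from the wpa_supplicant debug output quoted in the post.
PHASE2_HEX = "00 00 00 4f 40 00 00 11 02 05 00 09 01 75 73 65 72 00 00 00"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 21: "TTLS"}
AVP_EAP_MESSAGE = 79  # RADIUS EAP-Message attribute number, reused as the AVP code

def parse_ttls_avp(data):
    """Parse one EAP-TTLS AVP: 4-byte code, 1-byte flags, 3-byte length, [4-byte vendor], value, pad to 4."""
    code = int.from_bytes(data[0:4], "big")
    flags = data[4]
    length = int.from_bytes(data[5:8], "big")
    offset, vendor = 8, None
    if flags & 0x80:  # V flag set: a vendor id precedes the value
        vendor = int.from_bytes(data[8:12], "big")
        offset = 12
    return {"code": code, "mandatory": bool(flags & 0x40), "vendor": vendor,
            "value": data[offset:length], "next": (length + 3) & ~3}

def parse_eap(pkt):
    """Parse an EAP header (code, identifier, length) plus the type byte for Request/Response."""
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        info["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        info["data"] = pkt[5:length]
    return info

def decode_phase2(hexdump):
    """Decode the tunnelled AVP; the EAP packet is only present for an EAP-Message AVP."""
    avp = parse_ttls_avp(bytes.fromhex(hexdump))
    eap = parse_eap(avp["value"]) if avp["code"] == AVP_EAP_MESSAGE else None
    return avp, eap

def md5_challenge_response(ident, password, challenge, name=b""):
    """Peer side: EAP-Response/MD5-Challenge with value = MD5(id | password | challenge)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    body = bytes([4, len(digest)]) + digest + name  # type 4, value-size, value, name
    return struct.pack(">BBH", 2, ident, 4 + len(body)) + body

def verify_md5_response(pkt, password, challenge):
    """Server side: recompute the digest from the stored cleartext password and compare."""
    eap = parse_eap(pkt)
    if eap.get("type") != "MD5-Challenge":
        return False
    size, data = eap["data"][0], eap["data"]
    expected = hashlib.md5(bytes([eap["id"]]) + password + challenge).digest()
    return hmac.compare_digest(data[1:1 + size], expected)
```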