Karl Rothenhöfer Karl.Rothenhoefer
Sat Jul 24 01:28:47 PDT 2004

Hello Jouni,

thank you for your very quick response. It triggered some more extensive
investigations of myself. That is why I took me a bit more time to respond.
The result of my investigations (right or wrong?)currently is:
- Radius receives the users request and sends an MD5 challenge.
- User receives an MD5 challenge and sends a Nak
- Nak does not seem to arrive at Radius (discarded in hostapd?)
- Radius receives next request from user or is it the Nak?
This sequence runs in an infinite loop.
With my current knowledge it looks as if windows xp (the user's OS) has no
longer been able to process MD5 since SP1 (neither initiate authentication
requests nor handle challenges), and my PC uses SP1. This may explain the
Nak and hence the failure of the authentication. The help of anybody
experienced in this area would be appreciated.

May I say here, that it is fun to work with hostap, because it seems
absolutely stable for my purposes (ALL0192 and very old Longshine).


-----Urspr?ngliche Nachricht-----
Von: at
[ at]Im
Auftrag von Jouni Malinen
Gesendet: Freitag, 23. Juli 2004 06:03
An: hostap at
Betreff: Re: EAP

On Thu, Jul 22, 2004 at 11:29:35PM +0200, Karl Rothenh?fer wrote:

> Xeron:/etc/init.d # /etc/init.d/hostapd /etc/hostapd.conf
> Configuration file: /etc/hostapd.conf
> Using interface wlan1ap with hwaddr 00:02:dd:34:b6:7d and ssid 'test'
> wlan1: RADIUS Authentication server
> Flushing old station entries
> Deauthenticate all stations
> Data frame from not associated STA 00:0a:e9:05:48:05
> wlan1: STA 00:0a:e9:05:48:05 IEEE 802.11: authenticated
> wlan1: STA 00:0a:e9:05:48:05 IEEE 802.11: associated (aid 1)
> EAP Identifier of the Response-Identity from 00:0a:e9:05:48:05 does not
> match (was 126, expected 127)

Could you please enable more debugging by using following configuration
in hostapd.conf?


> What is EAP Identifier?

It is one of the fields in the EAP packet header and it is used to match
replies to requests.

> How can a mismatch of 1 be caused?

In most cases, this is caused by EAP session starting generating two EAP
Request-Identity packets (one from Authenticator immediately after
association and another as a reply to Supplicant's EAPOL-Start).
Authenticator is dropping one of the EAP Response-Identity packets and
authentication should continue without problems. Your debug log did not
have enough details to determine what was causing the authentication not
to succeed.

Jouni Malinen                                            PGP id EFC895FA
HostAP mailing list
HostAP at

More information about the Hostap mailing list