hostapd 1.3.5, madwifi, internal EAP-PEAP/MSCHAPv2 w/ WinXP supplicant

Coert Vonk coert.vonk
Sat Feb 5 20:09:33 PST 2005


I have been trying to get the following config working:
  - today's (2/5/2005 CVS) madwifi and hostapd
  - Windows XP Pro SP2 client (802.1x, PEAP/MSCHAPv2)

The last debug messages show that it is sending an EAPoL, but it never
receives a reply.  My AP is an embedded (soekris-like) box with not
enough memory to spare for tcpdump.  I have not been able to find a
debug switch to enable debugging in WinXP.  I do see an "invalid nwid"
count on the iwconfig, but I am not sure if this is related.

IEEE 802.1X: 00:90:4b:2f:6e:d4 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:90:4b:2f:6e:d4 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:90:4b:2f:6e:d4 BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:90:4b:2f:6e:d4 (identifier 194)
TX EAPOL - hexdump(len=23): 00 90 4b 2f 6e d4 00 02 6f 21 df ff 88 8e
02 00 00 05 01 c2 00 05 01
IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:90:4b:2f:6e:d4 Port Timers TICK (timers: 0 0 3599)

Can someone send a working configuration file for this?  Do I need
patches that are not in CVS yet?

thx,
/coert

> From: malk at sidehack.sat.gweep.net
> Subject: Success: hostapd 1.3.5, madwifi, internal EAP-PEAP/MSCHAPv2 w/ WinXP supplicant
> Date: Thu, 3 Feb 2005 01:01:15 -0500 (EST)
> 
> As the subject says, I've got hostapd 0.3.5 latest devel release working
> with madwifi (02/01/2005 CVS sync) with EAP-PEAP/MSCHAPv2 with the built-in
> 802.1x auth w/ Windows XP Pro client.  I'm supplying a
> username/password/domain (the test one under phase 2 of the eapusers
> config file) to authenticate and I've got WEP broadcast and unicast
> re-keying active (changing keys every minute) and from the logging it
> all seems to be working just fine.
> 
> I couldn't get the WinXP client to authenticate with MSCHAPv2 w/ only a 
> username and password -- it seems I need to supply a DOMAIN for auth
> to work.
> 
> Correct me if I'm wrong, but this should be pretty secure -- the 128 bit
> WEP keys are changing every minute for traffic, and the 802.1x auth EAP
> packets are tunneled in PEAP which are exchanged in an SSL-style manner?
> (hence a "tunnel" like setup)
> 
> Plus the password within the PEAP SSL encryption is MSCHAPv2 so yet 
> another layer of auth security -- pretty tough to break the SSL session
> plus the MSCHAPv2 to get the credentials.
> 
> Seems if someone breaks a WEP key, it's only good until the next re-key
> which I've configured for 60 seconds.   I would think it would be impractical
> to try and break in and use the network...
> 
> Way cool ... I'm hoping I'll have time to get the radius based setup working.
> Since the internal authenticator is new I thought I'd report success.
> 
> -Eric Malkowski
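The "TX EAPOL - hexdump(len=23)" line in the log above is the complete frame the AP put on the air, and it can be decoded by hand: an Ethernet header (destination 00:90:4b:2f:6e:d4, source 00:02:6f:21:df:ff, EtherType 0x888e), an EAPOL header (version 2, type 0 = EAP-Packet, length 5) and a five-byte EAP-Request/Identity with identifier 0xc2 = 194, which is exactly what the preceding "Sending EAP Packet ... (identifier 194)" line says. The following is an added example, not code from the original post or from hostapd, that parses that frame and then builds the EAP-Response/Identity a supplicant would have to answer with (same identifier, code 2, addressed back to the AP). The identity string "DOMAIN\user" is a constructed placeholder chosen to mirror the domain\username form the quoted reply found necessary for the WinXP client; whether WinXP uses EAPOL version 1 or 2 in its reply is not something the log shows, so the builder simply reuses the request's version.

```python
"""Decode the EAPOL frame from the hostapd log and build the expected reply."""
import struct

# Hexdump copied from the hostapd debug output in the post (23 bytes).
TX_EAPOL_HEX = (
    "00 90 4b 2f 6e d4 00 02 6f 21 df ff 88 8e "
    "02 00 00 05 01 c2 00 05 01"
)

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0          # IEEE 802.1X packet type 0 carries an EAP packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol_frame(raw: bytes) -> dict:
    """Parse Ethernet + EAPOL + EAP headers; raise ValueError on malformed input.

    Every length field is checked against the bytes actually present, so a
    truncated or padded frame is rejected instead of silently misparsed.
    """
    if len(raw) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not an EAPOL frame (ethertype 0x{ethertype:04x})")
    version, eapol_type, body_len = struct.unpack("!BBH", raw[14:18])
    body = raw[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length exceeds frame length")
    frame = {"dst": mac_str(dst), "src": mac_str(src), "eapol_version": version,
             "eapol_type": eapol_type, "eapol_length": body_len}
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return frame                      # EAPOL-Start/Logoff/Key: no EAP payload
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != body_len:
        raise ValueError("EAP length does not match EAPOL body length")
    eap = {"code": EAP_CODES.get(code, code), "identifier": identifier, "length": eap_len}
    if code in (1, 2):                    # Request/Response carry a type byte
        if eap_len < 5:
            raise ValueError("EAP Request/Response without type byte")
        eap["type"] = EAP_TYPES.get(body[4], body[4])
        eap["data"] = body[5:eap_len]     # for Identity: the (possibly empty) identity
    frame["eap"] = eap
    return frame


def build_identity_response(request: dict, identity: bytes) -> bytes:
    """Build the EAP-Response/Identity frame a supplicant should send for `request`.

    The identifier must echo the request's identifier (194 here); the
    authenticator discards responses whose identifier does not match.
    """
    if request.get("eap", {}).get("type") != "Identity" or request["eap"]["code"] != "Request":
        raise ValueError("can only answer an EAP-Request/Identity")
    eap = struct.pack("!BBHB", 2, request["eap"]["identifier"], 5 + len(identity), 1) + identity
    eapol = struct.pack("!BBH", request["eapol_version"], EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    # Swap addresses: the reply goes from the station back to the AP (authenticator).
    eth = bytes.fromhex(request["src"].replace(":", "")) + \
        bytes.fromhex(request["dst"].replace(":", "")) + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + eapol


def decode_log_frame() -> dict:
    """Decode the exact frame hostapd logged in the post."""
    return parse_eapol_frame(bytes.fromhex(TX_EAPOL_HEX))


if __name__ == "__main__":
    req = decode_log_frame()
    print(req)
    resp = build_identity_response(req, b"DOMAIN\\user")   # constructed placeholder identity
    print(parse_eapol_frame(resp))
```

Run stand-alone it prints the decoded request (Request/Identity, identifier 194, length 5, empty identity data) and the parsed form of the constructed response. The practical use of the parser is on the other side of the problem in the post: capturing on the AP's interface (or on a third host in monitor mode, since the embedded box has no room for tcpdump) and feeding each 0x888e frame through `parse_eapol_frame` shows immediately whether the station ever sends an EAPOL-Start or a Response with identifier 194, or whether nothing at all comes back.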
