EAP-FAST with Cisco1200 AP local server

Jouni Malinen j
Tue Apr 3 19:42:06 PDT 2007

On Tue, Apr 03, 2007 at 02:12:30PM +0200, Gregor Glomm wrote:

> I try to use EAP-FAST with the wpa_supplicant (0.5.5 or 
> wpa_supplicant-0.5-2007-03-25).
> Both versions reports an error SSL3 alert illegal parameter.

This is most likely caused by a bug in the Cisco AP local EAP server. If
I remember correctly, it (at least in some IOS versions) gets confused
about one of the TLS cipher suites and assumes that the EAP peer is
trying to do provisioning, not authentication. Workaround for this would
be to configure OpenSSL not to use tuat cipher suite and I hope to do
that at some point. As a quick test, you could also try wpa_supplicant
0.6.x and build with the internal TLS implementation. Conveniently (for
this case ;-), that implementation does not support the TLS cipher suite
that gets Cisco AP confused..

I believe that Cisco is also aware of this issue and may have already
fixed this in newer IOS versions, but I have not verified this. Cisco
ACS does not suffer from this, so the issue is specific to the internal
EAP server in Cisco AP1200.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list