EAP-FAST with Cisco1200 AP local server

Gregor Glomm gg
Wed Apr 11 03:03:31 PDT 2007

> On Tue, Apr 03, 2007 at 02:12:30PM +0200, Gregor Glomm wrote:
>> I try to use EAP-FAST with the wpa_supplicant (0.5.5 or 
>> wpa_supplicant-0.5-2007-03-25).
>> Both versions report an error: SSL3 alert illegal parameter.
> This is most likely caused by a bug in the Cisco AP local EAP server. If
> I remember correctly, it (at least in some IOS versions) gets confused
> about one of the TLS cipher suites and assumes that the EAP peer is
> trying to do provisioning, not authentication. Workaround for this would
> be to configure OpenSSL not to use that cipher suite and I hope to do
> that at some point. As a quick test, you could also try wpa_supplicant
> 0.6.x and build with the internal TLS implementation. Conveniently (for
> this case ;-), that implementation does not support the TLS cipher suite
> that gets Cisco AP confused..
I disabled the "cipher 33" in my OpenSSL under ssl/s3_lib.c and now it works.
> I believe that Cisco is also aware of this issue and may have already
> fixed this in newer IOS versions, but I have not verified this. Cisco
> ACS does not suffer from this, so the issue is specific to the internal
> EAP server in Cisco AP1200.

The latest version from Cisco IOS System doesn't fix the problem.