Invalid Tunnel MIC

Jouni Malinen j
Wed Mar 26 11:33:08 PDT 2008

On Thu, Mar 27, 2008 at 01:16:05AM +0800, Jack Yip wrote:

> I am working with the EAP-FAST with the Cisco Server AP.
> But I got  the following debug msg from the Cisco Server. And it said there is invalid tunnel MIC.

Unfortunately, I do not have a Cisco AP at home, so I cannot easily test
this myself. It looks as if the EAP-FAST server does not like something
about the MIC (or well, likely the key used to derive the MIC) in this
case. This is somewhat odd for provisioning phase (which I'm assuming is
in process here) since the PAC key is not yet even available..

If I understood correctly, you are using the internal TLS implementation
in wpa_supplicant. That is not yet very mature in 0.5.x branch and it
would be interesting to see whether 0.6.x works any better here. Would
you be able to test this with an unmodified wpa_supplicant on x86 just
to verify whether this is a more generic issue or somehow specific to
the platform and modifications you are using?

> Is that because I set the parameter wrongly inside the structure "wpa_ssid" at the beginning?

My first guest would be that this is something that is not caused by the

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list