EAP-FAST error with Cisco ACS 5.2 and wpa_supplicant 0.6.9, not seen with Cisco ACS 4.1

Gulick Tom-WPD384 Tom.Gulick
Thu Nov 8 07:59:42 PST 2012


Hi,

We see an error during the PAC provisioning phase of an EAP-FAST connection with Cisco ACS 5.2 that we don't see with Cisco ACS 4.1.

With 5.2, we see an MS_CHAPv2 message during phase 2 while with 4.1, we see all EAP-FAST messages.

Can anyone shed any light?

With ACS 5.2, we get this in the supplicant log:

2012-11-07 09:47:59 [ APCT][Dbg1] RX EAPOL from 00:26:99:23:ca:f5
2012-11-07 09:47:59 [ APCT][Dbg1] EAPOL: Received EAP-Packet frame
2012-11-07 09:47:59 [ APCT][Dbg1] EAPOL: SUPP_BE entering state REQUEST
2012-11-07 09:47:59 [ APCT][Dbg1] EAPOL: getSuppRsp
2012-11-07 09:47:59 [ APCT][Dbg1] EAP: EAP entering state RECEIVED
2012-11-07 09:47:59 [ APCT][Dbg1] EAP: Received EAP-Request id=246 method=43 vendor=0 vendorMethod=0
2012-11-07 09:47:59 [ APCT][Dbg1] EAP: EAP entering state METHOD
2012-11-07 09:47:59 [ APCT][Dbg1] SSL: Received packet(len=107) - Flags 0x01
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Received 101 bytes encrypted data for Phase 2
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 9 length 57 (mandatory)
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Phase 2 Request: type=26
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: RX identifier 246 mschapv2_id 245
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: Received failure
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: error 691
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: retry is allowed
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: password changing protocol version 3
2012-11-07 09:47:59 [ APCT][Warn] EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)
2012-11-07 09:47:59 [ APCT][Dbg1] CTRL_IFACE monitor send 127.0.0.1:35969

With ACS 4.1, the corresponding log snippet is:

2012-11-07 14:12:40 [ APCT][Dbg1] RX EAPOL from 00:07:50:d5:9c:01
2012-11-07 14:12:40 [ APCT][Dbg1] EAPOL: Received EAP-Packet frame
2012-11-07 14:12:40 [ APCT][Dbg1] EAPOL: SUPP_BE entering state REQUEST
2012-11-07 14:12:40 [ APCT][Dbg1] EAPOL: getSuppRsp
2012-11-07 14:12:40 [ APCT][Dbg1] EAP: EAP entering state RECEIVED
2012-11-07 14:12:40 [ APCT][Dbg1] EAP: Received EAP-Request id=163 method=43 vendor=0 vendorMethod=0
2012-11-07 14:12:40 [ APCT][Dbg1] EAP: EAP entering state METHOD
2012-11-07 14:12:40 [ APCT][Dbg1] SSL: Received packet(len=107) - Flags 0x01
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Received 101 bytes encrypted data for Phase 2
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 10 length 2 (mandatory)
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Intermediate Result: Success
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 12 length 56 (mandatory)
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Crypto-Binding TLV: Version 1 Received Version 1 SubType 0
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Determining CMK[1] for Compound MIC calculation
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Reply Crypto-Binding TLV: Version 1 Received Version 1 SubType 1
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Add Intermediate Result TLV(status=1)
2012-11-07 14:12:40 [ APCT][Dbg1] SSL: 101 bytes left to be sent out (of total 101 bytes)

Regards,


Tom Gulick
Motorola AirDefense Solutions
420 Lakeside Ave
Marlborough, MA 01752
(508) 460-0104
Tom.Gulick at motorolasolutions.com<mailto:Tom.Gulick at motorola.com>
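
A triage helper for traces like the two in the message above, added here as an example and not part of the original post or of wpa_supplicant: it names the EAP-FAST Phase 2 TLVs (RFC 4851) and the MS-CHAPv2 failure code (RFC 2759) so the point where the two exchanges diverge is visible. The function name `summarize` and the lookup tables are assumptions of this example; the sample lines are excerpted from the logs in the post.

```python
import re

# TLV names: RFC 4851 section 4.2. MS-CHAPv2 error codes: RFC 2759 section 6.
FAST_TLV = {3: "Result", 4: "NAK", 5: "Error", 7: "Vendor-Specific",
            9: "EAP-Payload", 10: "Intermediate-Result", 11: "PAC", 12: "Crypto-Binding"}
MSCHAP_ERR = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
              648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
              691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}
EAP_TYPE = {26: "EAP-MSCHAPv2", 43: "EAP-FAST"}  # IANA EAP method type numbers

TLV_RE = re.compile(r"EAP-FAST: Received Phase 2: TLV type (\d+) length \d+")
INNER_RE = re.compile(r"EAP-FAST: Phase 2 Request: type=(\d+)")
IRES_RE = re.compile(r"EAP-FAST: Intermediate Result: (\w+)")
FAIL_RE = re.compile(r"EAP-MSCHAPV2: failure message: '.*' \(retry (not )?allowed, error (\d+)\)")

def summarize(log_text):
    """Reduce one supplicant trace to the Phase 2 facts needed for triage."""
    out = {"tlvs": [], "inner": None, "intermediate": None, "error": None, "retry": None}
    for line in log_text.splitlines():
        if m := TLV_RE.search(line):
            t = int(m.group(1))
            out["tlvs"].append(FAST_TLV.get(t, f"unknown({t})"))
        elif m := INNER_RE.search(line):
            t = int(m.group(1))
            out["inner"] = EAP_TYPE.get(t, f"type {t}")
        elif m := IRES_RE.search(line):
            out["intermediate"] = m.group(1)
        elif m := FAIL_RE.search(line):
            code = int(m.group(2))
            out["retry"] = m.group(1) is None  # "not " absent means retry allowed
            out["error"] = MSCHAP_ERR.get(code, f"error {code}")
    return out

# Sample input: lines excerpted from the two traces in the post.
ACS_52 = """\
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 9 length 57 (mandatory)
2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Phase 2 Request: type=26
2012-11-07 09:47:59 [ APCT][Warn] EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)
"""
ACS_41 = """\
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 10 length 2 (mandatory)
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Intermediate Result: Success
2012-11-07 14:12:40 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 12 length 56 (mandatory)
"""

if __name__ == "__main__":
    for name, trace in (("ACS 5.2", ACS_52), ("ACS 4.1", ACS_41)):
        print(name, summarize(trace))
```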
