EAP method not allowed (MD5), trying to do EAP-AKA auth.

Jouni Malinen j
Sun Sep 7 06:56:18 PDT 2014


On Fri, Sep 05, 2014 at 10:48:12AM -0700, Ben Greear wrote:
> Any idea why this might be failing?  We do not see this when using
> hostapd as a radius server, but another user sees the problem on
> their radius server.

There is no failure shown in the debug log you included here.

> Verbose supplicant logs:
> 1409937637.937429: EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
> 1409937637.937436: EAP: EAP entering state IDENTITY
> 1409937637.937442: sta_0: CTRL-EVENT-EAP-STARTED EAP authentication started
> 1409937637.937460: EAP: using real identity - hexdump_ascii(len=51):
>      30 33 31 30 30 32 38 34 30 30 30 30 31 31 30 31   0310028400001101
>      40 77 6c 61 6e 2e 6d 6e 63 30 32 38 2e 6d 63 63   @wlan.mnc028.mcc
>      33 31 30 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e   310.3gppnetwork.
>      6f 72 67                                          org

> 1409937637.955481: EAPOL: Received EAP-Packet frame
> 1409937637.955510: EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
> 1409937637.955517: EAP: EAP entering state GET_METHOD
> 1409937637.955521: EAP: configuration does not allow: vendor 0 method 4
> 1409937637.955524: EAP: vendor 0 method 4 not allowed
> 1409937637.955528: sta_0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK

The authentication server is configured to default to using EAP-MD5 even
with this EAP-AKA user identity, but this is fine and EAP-Nak is the way
to negotiate in such a case.

> 1409937637.955532: EAP: Status notification: refuse proposed method (param=MD5)
> 1409937637.955537: EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
> 1409937637.955542: EAP: allowed methods - hexdump(len=1): 17
> 1409937637.955545: EAP: EAP entering state SEND_RESPONSE
> 1409937637.955548: EAP: EAP entering state IDLE

This is the normal way for the supplicant to state that it wants to use
EAP-AKA. This should be followed by the authentication server sending
out the first message of EAP-AKA or EAP-Failure if EAP-AKA is not
enabled. In other words, there have been no errors in the log at this
point in time. If neither of those EAP messages is received, the
authentication server or AP is misbehaving.

-- 
Jouni Malinen                                            PGP id EFC895FA
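
Added example, not part of the original message or of the hostap code: a small Python triage script that reads wpa_supplicant debug lines like those quoted above and reports what happened after the EAP-Nak (requested method offered, EAP-Failure, Nak ignored, or no reply at all). The function names, the verdict strings, the continuation line and the exact "EAP: Received EAP-Failure" log text are assumptions made for the example.

```python
import re

# IANA EAP method type numbers (subset).
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 18: "SIM",
             21: "TTLS", 23: "AKA", 25: "PEAP", 50: "AKA'"}
REQ = re.compile(r"EAP: Received EAP-Request id=\d+ method=(\d+)")
NAK = re.compile(r"CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=\d+ -> NAK")
ALLOWED = re.compile(r"EAP: allowed methods - hexdump\(len=\d+\):((?: [0-9a-f]{2})+)")

def name(t):
    return EAP_TYPES.get(t, f"type {t}")

def classify(lines):
    """Return (verdict, detail) for the EAP method negotiation in a debug log."""
    allowed, nak_sent = [], False
    for line in lines:
        if NAK.search(line):
            allowed, nak_sent = [], True
        elif m := ALLOWED.search(line):
            # The dump is hexadecimal: "17" is 0x17 = 23 = EAP-AKA.
            allowed = [int(b, 16) for b in m.group(1).split()]
        elif nak_sent and "EAP: Received EAP-Failure" in line:  # assumed log text
            return "server-rejected", "EAP-Failure after Nak"
        elif nak_sent and (m := REQ.search(line)):
            got = int(m.group(1))
            if got in allowed:
                return "negotiated", name(got)
            if got == 1:  # new Identity round, start tracking again
                nak_sent = False
            else:
                return "nak-ignored", f"server sent {name(got)}, not in Nak list"
    if nak_sent:
        wanted = ", ".join(name(t) for t in allowed)
        return "no-reply", f"nothing after Nak offering {wanted}"
    return "no-nak", "supplicant never sent EAP-Nak"

# Lines copied from the log quoted in the message above.
PAGE_LOG = [
    "1409937637.955510: EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0",
    "1409937637.955528: sta_0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK",
    "1409937637.955542: EAP: allowed methods - hexdump(len=1): 17",
]
# Constructed continuation (not from the message): server switches to EAP-AKA.
AKA_REPLY = "1409937637.960000: EAP: Received EAP-Request id=2 method=23 vendor=0 vendorMethod=0"

if __name__ == "__main__":
    print(classify(PAGE_LOG))
    print(classify(PAGE_LOG + [AKA_REPLY]))
```

A "no-reply" or "nak-ignored" verdict points the investigation at the authentication server or AP rather than at the supplicant configuration.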


