WPA - PEAP failure

Jouni Malinen jkmaline at cc.hut.fi
Thu May 6 21:18:52 EDT 2004


On Wed, May 05, 2004 at 09:44:18PM -0700, Jouni Malinen wrote:

> OK. TLS part phase 1 can be completed. However, that derived key is
> likely to be incorrect since PEAPv1 uses a different label when deriving
> the key. I fixed this now in CVS version.

Actually, key derivation used to match with what Odyssey server
expected even though the IETF draft I used defined this differently..
Anyway, I restored the old derivation for PEAPv1 in order to make this
interoperate.

> wpa_supplicant did not know what to do with the EAP-Success. As far as I
> can see, it should have just terminated the TLS tunnel and continue to
> WPA key handshake. I changed the CVS version of wpa_supplicant to do
> this. However, this might not be what the authentication server was
> expecting..

Yes, it was indeed waiting for more. I changed wpa_supplicant to sent an
encrypted EAP-Success to make the server side complete authentication.

> It looks like the authentication server did not send 4-Way Handshake or
> plaintext EAP-Success. It might have expected to receive something (in
> plaintext?) from the Supplicant. My quick look at
> draft-josefsson-ppext-eap-tls-eap-05.txt was not enough to determine
> whether something more should be done at this point..

It looks like Odyssey server behavior does not fully match with that
IETF draft.. I did some testing with this and changed wpa_supplicant so
that it now interoperates with both PEAPv0 and PEAPv1 when tested with
Odyssey RADIUS server. Changes are now in CVS.

> I would like to debug PEAPv1 myself, so if anyone can provide me access
> to a RADIUS authentication server that supports it (over Internet, so
> that I could point my AP to it), I would really appreciate it.

I was able to test with Odyseey, but it would still be useful to test
with another RADIUS server that is able to do PEAPv1 in the "Cisco way".
In other words, if someone happens to have a change of testing
wpa_supplicant with such a server, I would be interested in hearing
about the results.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list