802.1x and HostAP and Open1x

Jouni Malinen jkmaline at cc.hut.fi
Wed May 12 15:11:57 EDT 2004 

On Wed, May 12, 2004 at 09:18:45AM -0700, Rodney Thayer wrote:

> We are running this at the iLabs demo at Networld+Interop.

Thank you for reporting this.

> It sort of works.  Here's what we see:
> 
> 1. PEAP doesn't work in HostAP [1] [2]
> 
> 2. TTLS worked.  Sort of.  After the first iteration.  It
> sent only a broadcast key, no individual
> key.  We traced the code and slipped a 'sleep 3' into the
> transmit function and it now sends individual keys but
> only after the first negotiation round.  So we think
> there are two bugs - one in the packet transmitter, sort of
> like it doesn't check the queue status and therefore
> does two transmit attempts and only one gets through.
> 
> [1] We tested against Open1x.  "we" is the Open1X team,
> who do this sort of thing all the time, so we believe
> we had appropriately skilled people testing this.

Could you please be a bit more exact on what was being tested? Open1x
can mean either Authenticator or Supplicant and so can Host AP (hostapd,
wpa_supplicant).. Which one was used as Supplicant and which one as
Authenticator? In addition, what was used as the authentication server?

PEAP vs TTLS should be transparent for Authenticator, so this difference
between PEAP and TTLS sounds like an authentication server <->
supplicant interop issue. "No individual key" sounds like a
configuration error in the Authenticaticator. If it was hostapd, both
unicast and broadcast key length have to be included in the
hostapd.conf.

> Does this work for anyone else?

Depends on what "this" is..

> What version should we be using?

Latest CVS snapshot of Host AP development branch

> Would it be useful to provide the "sleep" kludge code?

Maybe.. Debug log from the authenticator with both cases would also be
useful.

> Would it be useful to submit a packet trace?

Yes. In addition, debug log from all component (authsrv, authenticator,
supplicant) would be useful and configuration files for at least the
authenticator and supplicant would be useful.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list