wpa_supplicant error when trying to use EAP-PEAP/GTC

Andrew Barr barr.156 at osu.edu
Mon Oct 11 09:06:52 EDT 2004


Hello all,

I'm trying to authenticate on a university wireless network using
wpa_supplicant. It has either a Cisco ACS or Meetinghouse AEGIS RADIUS
server. It uses IEEE 802.1x with dynamic WEP keys. Allowed EAP types are LEAP
and PEAP-GTC. My wireless card is a D-Link DWL-650P driven by HostAP 0.2.5, 
but I've had the same errors with my ipw2100 adapter with driver 0.55. 
wpa_supplicant is version 0.2.4 with the ipw2100 patch. My 
wpa_supplicant.conf file:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
network={
        ssid="home_essid"
        scan_ssid=1
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=CCMP TKIP
        group=TKIP
        psk="home network PSK"
        priority=0
}

network={
        ssid="osuweb"
        key_mgmt=IEEE8021X
        eap=PEAP
        identity="barr156"
        password="password"
        phase1="peaplabel=0"
        phase2="auth=GTC"
        priority=1
}

network={
        ssid="osu_libw"
        key_mgmt=NONE
        priority=2
}

When I try to authenticate using the command: 'wpa_supplicant -iwlan0
-c/etc/wpa_supplicant.conf -Dhostap -d', first the server requests EAP type
17 (LEAP), and wpa_supplicant comes back with EAP-Nak:

EAP: Received EAP-Request method=17 id=151
EAP: EAP entering state GET_METHOD
EAP: Building EAP-Nak (requested type 17 not allowed)
EAP: allowed methods - hexdump(len=1): 19

(note: the entire log is attached)

Notice the last line. wpa_supplicant says allowed methods are type 19. The
table at http://www.networksorcery.com/enp/protocol/eap.htm says that this is
SRP-SHA1 part 1. I don't know what this is or why it's being listed as
allowed given my config file.

Then, the server requests method 25 and wpa_supplicant starts to connect, but
there's an SSL error:

EAP: Received EAP-Request method=25 id=21
EAP: EAP entering state GET_METHOD
EAP-PEAP: Force old label for key derivation
EAP-PEAP: Phase2 type: GTC
EAP: EAP entering state METHOD
EAP-PEAP: Received packet(len=6) - Flags 0x21
EAP-PEAP: Start (server ver=1, own ver=1)
EAP-PEAP: Using PEAP version 1
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 102 bytes left to be sent out (of total 102 bytes)
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
Authentication with 00:07:85:b3:f6:bd timed out.

I don't have a certificate for this server, although it might be possible to 
get it by downloading the copy of the Meetinghouse AEGIS client for Windows 
offered by my university. I don't think this is the problem, though, because 
I haven't specified a certificate.

Does anyone know what is wrong here? I can authenticate using LEAP and 
Xsupplicant 1.0.1, but this is not reliable and of course LEAP has documented 
security flaws. Any help would be greatly appreciated.

Regards,
Andrew Barr
barr.156 at osu.edu


-------------- next part --------------
A non-text attachment was scrubbed...
Name: osuweb-wpa_supp.log
Type: text/x-log
Size: 15115 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20041011/682ec290/attachment.bin 
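
Added example, not part of the original post and not wpa_supplicant code: a small decoder for the EAP negotiation lines quoted in the message. wpa_supplicant prints the "method=" and "requested type" values in decimal but hexdump bytes in hexadecimal, so the "19" in the allowed-methods dump is 0x19 = 25, the PEAP method that the server requests next. The function names are hypothetical.

```python
import re

# EAP method numbers from the IANA EAP registry (subset relevant to this log).
EAP_TYPES = {4: "MD5-Challenge", 6: "GTC", 13: "EAP-TLS", 17: "LEAP",
             19: "SRP-SHA1", 21: "EAP-TTLS", 25: "PEAP"}

# "method=" and "requested type" are decimal; hexdump bytes are hexadecimal.
REQUEST = re.compile(r"EAP: Received EAP-Request method=(\d+) id=(\d+)")
NAK = re.compile(r"EAP: Building EAP-Nak \(requested type (\d+) not allowed\)")
ALLOWED = re.compile(r"EAP: allowed methods - hexdump\(len=(\d+)\):((?: [0-9a-fA-F]{2})*)")

# Debug lines copied from the post above.
SAMPLE_LOG = """\
EAP: Received EAP-Request method=17 id=151
EAP: EAP entering state GET_METHOD
EAP: Building EAP-Nak (requested type 17 not allowed)
EAP: allowed methods - hexdump(len=1): 19
EAP: Received EAP-Request method=25 id=21
EAP-PEAP: Phase2 type: GTC
"""

def eap_name(num):
    return EAP_TYPES.get(num, "unknown") + f" ({num})"

def decode_negotiation(log_text):
    """Return (event, detail) tuples describing the EAP method negotiation."""
    events = []
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            events.append(("server-request", eap_name(int(m.group(1)))))
        elif m := NAK.search(line):
            events.append(("client-nak", eap_name(int(m.group(1)))))
        elif m := ALLOWED.search(line):
            methods = [int(b, 16) for b in m.group(2).split()]  # hex bytes
            if len(methods) != int(m.group(1)):
                raise ValueError(f"truncated hexdump: {line!r}")
            events.append(("client-offers", [eap_name(t) for t in methods]))
    return events

def negotiated_method(events):
    """First server request matching a method the client offered, else None."""
    offered = set()
    for kind, detail in events:
        if kind == "client-offers":
            offered.update(detail)
        elif kind == "server-request" and detail in offered:
            return detail
    return None
```

On the lines from the post this yields a LEAP (17) request, a Nak offering PEAP (25), and then a PEAP (25) request, so the method negotiation itself matches the eap=PEAP setting in the config.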