hostapd 1.3.5, madwifi, internal EAP-PEAP/MSCHAPv2 w/ WinXP supplicant

Coert Vonk coert.vonk at gmail.com
Sun Feb 6 15:03:47 EST 2005


I got a little further along by applying the tmp patch mentioned in
 http://sourceforge.net/mailarchive/message.php?msg_id=10728087

Still, the authentication failes, as shown in the trace from hostapd:
 EAP-TLV: Received TLVs - hexdump(len=6): 80 03 00 02 00 02 
 EAP-TLV: Result TLV - hexdump(len=2): 00 02
 EAP-TLV: TLV Result - Failure - requested Failure
 EAP-PEAP: PHASE2_TLV -> FAILURE

I found a bug fix for the WinXP/SP2 client that they want you to pay for:
  http://support.microsoft.com/?kbid=885453

Is there another way to making this work?

thanks
Coert

On Sat, 5 Feb 2005 20:09:33 -0800, Coert Vonk <coert.vonk (at) gmail
(dot) com> wrote:
> I have been trying to get the following config working:
>   - todays (2/5/2005 CVS) for madwifi and hostapd
>   - Windows XP Pro SP2 client (802.1x, PEAP/MSCHAPv2)
> 
> The last debug messages show that it is sending an EAPoL, but it never
> receives a reply.  My AP is an embedded (soekris-like) box with not
> enough memory to spare for tcpdump.  I have not been able to find a
> debug switch to enable debugging in WinXP.  I do see "invalid nwid"
> count on the iwconfig, but I am not sure if this is related
> 
> IEEE 802.1X: 00:90:4b:2f:6e:d4 AUTH_PAE entering state CONNECTING
> IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:90:4b:2f:6e:d4 AUTH_PAE entering state AUTHENTICATING
> IEEE 802.1X: 00:90:4b:2f:6e:d4 BE_AUTH entering state REQUEST
> IEEE 802.1X: Sending EAP Packet to 00:90:4b:2f:6e:d4 (identifier 194)
> TX EAPOL - hexdump(len=23): 00 90 4b 2f 6e d4 00 02 6f 21 df ff 88 8e
> 02 00 00 05 01 c2 00 05 01
> IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:90:4b:2f:6e:d4 REAUTH_TIMER entering state INITIALIZE
> IEEE 802.1X: 00:90:4b:2f:6e:d4 Port Timers TICK (timers: 0 0 3599)
> 
> Can someone send a working configuration file for this?  Do I need
> patches that are not in CVS yet?
> 
> thx,
> /coert
> 
> > From: malk at sidehack.sat.gweep.net
> > Subject: Success: hostapd 1.3.5, madwifi, internal EAP-PEAP/MSCHAPv2 w/ WinXP supplicant
> > Date: Thu, 3 Feb 2005 01:01:15 -0500 (EST)
> >
> > As the subject says, I've got hostapd 0.3.5 latest devel release working
> > with madwifi (02/01/2005 CVS sync) with EAP-PEAP/MSCHAPv2 with the built
> > in 802.1x auth w/ Windows XP pro client.  I'm supplying a
> > username/password/domain (the test one under phase 2 of the eapusers
> > config file) to authenticate and I've got WEP broadcast and unicast
> > re-keying active (changing keys every minute) and from the logging it
> > all seems to be working just fine.
> >
> > I couldn't get the WinXP client to authenticate with MSCHAPv2 w/ only a
> > username and password -- it seems I need to supply a DOMAIN for auth
> > to work.
> >
> > Correct me if I'm wrong, but this should be pretty secure -- the 128 bit
> > WEP keys are changing every minute for traffic, and the 802.1x auth EAP
> > packets are tunneled in PEAP which are exchanged in an SSL style manner?
> > (hence a "tunnel" like setup)
> >
> > Plus the password within the PEAP SSL encryption is MSCHAPv2 so yet
> > another layer of auth security -- pretty tough to break the SSL session
> > plus the MSCHAPv2 to get the credentials.
> >
> > Seems if someone breaks a WEP key, it's only good until the next re-key
> > which I've configured for 60 seconds.   I would think it would be impractical
> > to try and break in and use the network...
> >
> > Way cool ... I'm hoping I'll have time to get the radius based setup working.
> > Since the internal authenticater is new I thought I report success.
> >
> > -Eric Malkowski
>



More information about the HostAP mailing list