WPA+EAP-PEAP+MSCHAPv2 Problem + ETHEREAL DUMPS

Greg Baker gbaker at cs.mun.ca
Fri Feb 11 11:18:45 EST 2005


To help diagnose my problem, I have saved two ethereal dumps.  One is a dump 
of a successful connect, and the other unsuccessful.

As you can see in the dump, the spot where it dies is at the initial TLS 
handshake.  The only difference I can see is that the successful connect 
sends the TLS length in the packet, while the unsuccessful connect does not.

I AM using the 0.3.7-pre version, and here is my config file...

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
network={
        ssid="stu"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=PEAP
        pairwise=TKIP
        group=TKIP
        identity="gbaker"
        password="...."
        phase1="include_tls_length=1 peapver=1 peaplabel=1"
        # wpa_supplicant matches phase2 method names case-sensitively;
        # the method is spelled MSCHAPV2
        phase2="auth=MSCHAPV2"
}

It seems as though the include_tls_length=1 setting is not working...

Thanks again to everyone.
Greg

On February 11, 2005 08:26 am, Greg Baker wrote:
> Thanks for your reply, Jouni..
>
> On February 9, 2005 11:45 pm, Jouni Malinen wrote:
> > On Wed, Feb 09, 2005 at 03:23:05PM -0330, Greg Baker wrote:
> > > I'm trying to connect to the wireless network at my school and am
> > > having problems.  It connects fine in Windows, but not Linux.
> >
> > Do you have any idea what authentication server is used in this network?
> > If it is CiscoACS, please try the 0.3.7-pre version of wpa_supplicant
> > from http://hostap.epitest.fi/releases/testing/ and add
> > include_tls_length=1 into the phase1 configuration variable in the
> > network block.
>
> I don't, but can call the network admin and find out.  I will ask him today
> and get back to you.
>
> > [snip]
> >
> > > network={
> > >         ssid="stu"
> > >         scan_ssid=1
> > >         key_mgmt=WPA-EAP
> > >         eap=PEAP
> > >         pairwise=TKIP
> > >         group=TKIP
> > >         identity="gbaker"
> > >         password="........."
> > >         phase1="peapver=1 peaplabel=1"
> > >         phase2="auth=MSCHAPV2"
> > > }
> >
> > If this is indeed CiscoACS, it may also not like MSCHAPV2 in Phase 2 (at
> > least when using PEAPv1), so you may also need to change that phase2
> > auth option to select GTC.
>
> Hmm..  I can only go by what the windows setup looks like, and that uses
> MSCHAPv2.  If I do select GTC, will that work with an AP that does MSCHAP?
>
> > > One thing I'm not sure about, do I need to have a certificate defined?
> > > The APs here provide the certificate, and they are not validated.
> >
> > If you care about security, yes, you really do need to get the correct
> > CA certificate and validate the server certificate. Without this, the
> > connection is open for man-in-the-middle attack.
>
> I understand the security part..  Unfortunately, our network at school is
> configured with an unofficial certificate.  So, I simply cannot verify it.
> What I meant was, will wpa_supplicant actually work without verifying the
> certificate.
>
> Thanks for all your help, Jouni.
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
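Added example (not from this thread and not wpa_supplicant's own code): the difference Greg sees in the two dumps is the L flag in the EAP-TLS/PEAP fragment header, which says whether the 4-byte TLS Message Length field follows the flags byte; include_tls_length=1 makes the client set it. The script below builds the same PEAPv1 Response both ways and decodes the header so the two framings can be compared byte for byte. The TLS payload is a constructed stand-in, not a real ClientHello.

```python
"""Decode the EAP-TLS / EAP-PEAP fragment header to see whether the
TLS Message Length field is present (the L flag that wpa_supplicant's
phase1 option include_tls_length=1 controls on the client side)."""
import struct

# EAP method types that carry TLS records in this framing (RFC 2716 layout).
EAP_TYPE_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "EAP-PEAP"}

FLAG_LENGTH_INCLUDED = 0x80  # L: 4-byte TLS Message Length follows the flags byte
FLAG_MORE_FRAGMENTS = 0x40   # M: more fragments follow
FLAG_START = 0x20            # S: server's EAP-TLS/PEAP Start
VERSION_MASK = 0x07          # PEAP version bits (0 for plain EAP-TLS)


def build_eap_tls_packet(code, ident, eap_type, version, tls_data,
                         include_length, more=False, start=False):
    """Assemble one EAP packet in EAP-TLS/PEAP framing:
    code(1) id(1) length(2) type(1) flags(1) [tls_msg_len(4)] data."""
    flags = version & VERSION_MASK
    if include_length:
        flags |= FLAG_LENGTH_INCLUDED
    if more:
        flags |= FLAG_MORE_FRAGMENTS
    if start:
        flags |= FLAG_START
    body = bytes([eap_type, flags])
    if include_length:
        # The L field carries the length of the whole reassembled TLS
        # message; with a single fragment that is just len(tls_data).
        body += struct.pack("!I", len(tls_data))
    body += tls_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap_tls_header(pkt):
    """Return the decoded EAP header fields and flags of a TLS-based EAP packet.
    Raises ValueError on inconsistent framing instead of guessing."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-TLS/PEAP packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt):
        raise ValueError("EAP length %d != packet size %d" % (length, len(pkt)))
    if eap_type not in EAP_TYPE_NAMES:
        raise ValueError("not a TLS-based EAP method: type %d" % eap_type)
    info = {
        "code": code, "id": ident, "method": EAP_TYPE_NAMES[eap_type],
        "length_included": bool(flags & FLAG_LENGTH_INCLUDED),
        "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
        "start": bool(flags & FLAG_START),
        "version": flags & VERSION_MASK,
        "tls_message_length": None,
    }
    offset = 6
    if info["length_included"]:
        if len(pkt) < 10:
            raise ValueError("L flag set but TLS Message Length field missing")
        info["tls_message_length"] = struct.unpack("!I", pkt[6:10])[0]
        offset = 10
    info["tls_data"] = pkt[offset:]
    return info


# Constructed stand-in for the first TLS fragment (not a real ClientHello).
SAMPLE_TLS_DATA = bytes.fromhex("16030100020102")

# The same PEAPv1 Response, once with and once without the TLS Message Length.
WITH_LENGTH = build_eap_tls_packet(2, 1, 25, 1, SAMPLE_TLS_DATA, True)
WITHOUT_LENGTH = build_eap_tls_packet(2, 1, 25, 1, SAMPLE_TLS_DATA, False)


def describe(pkt):
    """One-line summary, the way you'd eyeball a dump: method/version, L/M/S."""
    h = parse_eap_tls_header(pkt)
    return "%sv%d code=%d id=%d L=%d M=%d S=%d tls_len=%s data=%d bytes" % (
        h["method"], h["version"], h["code"], h["id"],
        h["length_included"], h["more_fragments"], h["start"],
        h["tls_message_length"], len(h["tls_data"]))


if __name__ == "__main__":
    for p in (WITH_LENGTH, WITHOUT_LENGTH):
        print(p.hex(), "->", describe(p))
```

When reading a real capture, feed the EAP payload (starting at the EAP Code byte, after the EAPOL header) to parse_eap_tls_header; a packet whose L flag is set but which is shorter than ten bytes is rejected rather than silently decoded, since that is exactly the kind of framing mismatch that makes a server drop the handshake.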