WPA+EAP-PEAP+MSCHAPv2 Problem + ETHEREAL DUMPS

Greg Baker gbaker at cs.mun.ca
Fri Feb 11 11:32:50 EST 2005


Very sorry...  I'm an idiot...

It turns out that I wasn't putting the "./" in front of the wpa_supplicant 
command, and therefore was using the installed version (an older one).....

Again, quite sorry..  It turns out that with the 0.3.7-pre version, the 
problem has disappeared!!

WooHoo!

Thanks again guys..

Greg


On February 11, 2005 12:48 pm, Greg Baker wrote:
> To help diagnose my problem, I have saved two ethereal dumps.  One is a
> dump of a successful connect, and the other unsuccessful.
>
> As you can see in the dump, the spot where it dies is at the initial TLS
> handshake.  The only difference I can see is that the successful connect
> sends the TLS length in the packet, while the unsuccessful connect does
> not.
>
> I AM using the 0.3.7-pre version, and here is my config file...
>
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
> eapol_version=1
> ap_scan=1
> network={
>         ssid="stu"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         pairwise=TKIP
>         group=TKIP
>         identity="gbaker"
>         password="...."
>         phase1="include_tls_length=1 peapver=1 peaplabel=1"
>         phase2="auth=MSCHAPv2"
> }
>
> It seems as though the include_tls_length=1 settings is not working...
>
> Thanks again to everyone.
> Greg
>
> On February 11, 2005 08:26 am, Greg Baker wrote:
> > Thanks for your reply, Jouni..
> >
> > On February 9, 2005 11:45 pm, Jouni Malinen wrote:
> > > On Wed, Feb 09, 2005 at 03:23:05PM -0330, Greg Baker wrote:
> > > > I'm trying to connect to the wireless network at my school and am
> > > > having problems.  It connects fine in Windows, but not Linux.
> > >
> > > Do you have any idea what authentication server is used in this
> > > network? If it is CiscoACS, please try the 0.3.7-pre version of
> > > wpa_supplicant from http://hostap.epitest.fi/releases/testing/ and add
> > > include_tls_length=1 into the phase1 configuration variable in the
> > > network block.
> >
> > I don't, but can call the network admin and find out.  I will ask him
> > today and get back to you.
> >
> > > [snip]
> > >
> > > > network={
> > > >         ssid="stu"
> > > >         scan_ssid=1
> > > >         key_mgmt=WPA-EAP
> > > >         eap=PEAP
> > > >         pairwise=TKIP
> > > >         group=TKIP
> > > >         identity="gbaker"
> > > >         password="........."
> > > >         phase1="peapver=1 peaplabel=1"
> > > >         phase2="auth=MSCHAPV2"
> > > > }
> > >
> > > If this is indeed CiscoACS, it may also not like MSCHAPV2 in Phase 2
> > > (at least when using PEAPv1), so you may also need to change that
> > > phase2 auth option to select GTC.
> >
> > Hmm..  I can only go by what the windows setup looks like, and that uses
> > MSCHAPv2.  If I do select GTC, will that work with an AP that does
> > MSCHAP?
> >
> > > > One thing I'm not sure about, do I need to have a certificate
> > > > defined? The APs here provide the certificate, and they are not
> > > > validated.
> > >
> > > If you care about security, yes, you really do need to get the correct
> > > CA certificate and validate the server certificate. Without this, the
> > > connection is open for man-in-the-middle attack.
> >
> > I understand the security part..  Unfortunately, our network at school is
> > configured with an unofficial certificate.  So, I simply cannot verify
> > it. What I meant was, will wpa_supplicant actually work without verifying
> > the certificate.
> >
> > Thanks for all your help, Jouni.
> > _______________________________________________
> > HostAP mailing list
> > HostAP at shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/hostap
>
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap



More information about the HostAP mailing list