[success] WPA+EAP-PEAP+MSCHAPv2 Problem

Greg Baker gbaker at cs.mun.ca
Mon Feb 14 07:25:09 EST 2005


Thanks for everything guys.  I can now connect to the wireless fine with the 
new 0.3.8 version of wpa_supplicant.

One other question though, I just did an ifconfig and noticed this:

          RX packets:1382 errors:1826 dropped:0 overruns:0 frame:1301
          TX packets:634 errors:0 dropped:0 overruns:0 carrier:0

That seems like a lot of incoming errors.  What could this be caused by?  Is 
it inherent to wireless networks (perhaps interference or something)?

Thanks..
Greg

On February 12, 2005 12:15 pm, Jouni Malinen wrote:
> On Fri, Feb 11, 2005 at 12:48:45PM -0330, Greg Baker wrote:
> > To help diagnose my problem, I have saved two ethereal dumps.  One is a
> > dump of a successful connect, and the other unsuccessful.
>
> Please note that the successful one used PEAPv0, not PEAPv1. It is
> common to use PEAPv0 with MSCHAPv2 and PEAPv1 with GTC. In other words,
> if you are using MSCHAPv2, it might be worth trying peapver=0 in phase1
> configuration.
>
> > As you can see in the dump, the spot where it dies is at the initial TLS
> > handshake.  The only difference I can see is that the successful connect
> > sends the TLS length in the packet, while the unsuccessful connect does
> > not.
>
> Yes, and I believe that is the most likely explanation for
> the connection getting rejected here and the exact reason for adding
> include_tls_length option to wpa_supplicant.
>
> > I AM using the 0.3.7-pre version, and here is my config file...
> >
> > ctrl_interface=/var/run/wpa_supplicant
> > ctrl_interface_group=0
> > eapol_version=1
> > ap_scan=1
> > network={
> >         ssid="stu"
> >         scan_ssid=1
> >         key_mgmt=WPA-EAP
> >         eap=PEAP
> >         pairwise=TKIP
> >         group=TKIP
> >         identity="gbaker"
> >         password="...."
> >         phase1="include_tls_length=1 peapver=1 peaplabel=1"
> >         phase2="auth=MSCHAPv2"
> > }
> >
> > It seems as though the include_tls_length=1 setting is not working...
>
> It should work, but yes, the capture log in Fail certainly did not look
> like this was enabled. I believe that is the most likely explanation for
> the connection getting rejected here. Could you please verify that the
> wpa_supplicant debug log shows "TLS: Include TLS Message Length in
> unfragmented packets" when using this configuration? If not, please make
> sure that the wpa_supplicant version is indeed correct and post the
> debug log.
>
> When I used this configuration file in a test, the debug log showed the
> following lines at the beginning of PEAP initialization:
>
> EAP: initialize selected EAP method (25, PEAP)
> EAP-PEAP: Forced PEAP version 1
> EAP-PEAP: Force new label for key derivation
> EAP-PEAP: Unsupported Phase2 method 'MSCHAPv2'
> EAP-PEAP: Phase2 EAP types - hexdump(len=8): 04 1a 06 05 12 11 ff 17
> TLS: Include TLS Message Length in unfragmented packets
> EAP: EAP entering state METHOD
>
>
> In other words, include_tls_length option was noticed (and TLS Length
> was indeed added to messages) and so was a typo in the EAP method name
> (it should be MSCHAPV2).
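
The debug-log check requested in the reply above, as an added example that is not part of the original messages and is not wpa_supplicant code. The function name check_peap_log is hypothetical; the sample input is the set of debug lines quoted in the thread, and the messages it looks for are the ones shown there.

```python
import re

# Debug lines quoted in the thread above (from the reply's test run).
SAMPLE_LOG = """\
EAP: initialize selected EAP method (25, PEAP)
EAP-PEAP: Forced PEAP version 1
EAP-PEAP: Force new label for key derivation
EAP-PEAP: Unsupported Phase2 method 'MSCHAPv2'
EAP-PEAP: Phase2 EAP types - hexdump(len=8): 04 1a 06 05 12 11 ff 17
TLS: Include TLS Message Length in unfragmented packets
EAP: EAP entering state METHOD
"""

TLS_LEN = "TLS: Include TLS Message Length in unfragmented packets"
UNSUPPORTED = re.compile(r"EAP-PEAP: Unsupported Phase2 method '([^']*)'")
FORCED_VER = re.compile(r"EAP-PEAP: Forced PEAP version (\d+)")


def check_peap_log(log_text, phase2_auth=None):
    """Summarise a PEAP debug log; phase2_auth is the config's auth= value, if known."""
    state = {"tls_length": False, "peap_version": None, "rejected": []}
    for line in log_text.splitlines():
        # Substring/regex search so timestamp or interface prefixes do not matter.
        if TLS_LEN in line:
            state["tls_length"] = True
        if (m := FORCED_VER.search(line)):
            state["peap_version"] = int(m.group(1))
        if (m := UNSUPPORTED.search(line)):
            state["rejected"].append(m.group(1))

    findings = []
    if not state["tls_length"]:
        findings.append("include_tls_length not in effect: verify the running "
                        "wpa_supplicant version and the phase1 string")
    for name in state["rejected"]:
        hint = " (case-sensitive: use MSCHAPV2)" if name.upper() == "MSCHAPV2" else ""
        findings.append(f"Phase2 method '{name}' was not accepted{hint}")
    methods = {n.upper() for n in state["rejected"] + [phase2_auth or ""]}
    if state["peap_version"] == 1 and "MSCHAPV2" in methods:
        findings.append("PEAPv1 forced with MSCHAPv2: PEAPv0 is the common "
                        "pairing, try peapver=0")
    return state, findings


if __name__ == "__main__":
    for finding in check_peap_log(SAMPLE_LOG)[1]:
        print("-", finding)
```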


