eap authentication seems to fail on university network
jkmaline at cc.hut.fi
Wed Feb 16 22:44:07 EST 2005
On Wed, Feb 16, 2005 at 05:51:43PM -0600, Joe Love wrote:
> key_mgmt=IEEE8021X WPA-EAP
This combination of ap_scan=0 and WPA-EAP is unlikely to work. However,
based on the debug log, I would guess that you are actually not using
WPA at all. Removing that WPA-EAP from here would make the config file
easier to understand..
> phase2="autheap=PAP auth=PAP"
This phase2 line here is causing the connection to fail. autheap=PAP is
invalid option and removing it may make this actually work.. Now,
wpa_supplicant assumes that you want to use another EAP method in
Phase2, but in practice, I would assume you want to do PAP. In other
word,s change this to phase2="auth=PAP".
> Side note: I'm using ap_scan=0 because there's a bunch of APs that don't
> always properly report their ssids, so i just manually put that in
> using: ifconfig wi0 ssid UIC-Wireless
Please note that WPA needs to get WPA IE set correctly for the
association request and using ap_scan=0 is unlikely to work for that.
ap_scan=2 might, but it depends on whether the driver supports such
configuration. Anyway, it looks like you are not using WPA, so this
should not matter for now.
> EAP-TTLS: Phase2 type: EAP
> EAP-TTLS: Unsupported Phase2 EAP method 'PAP'
> EAP-TTLS: Phase2 EAP types - hexdump(len=5): 04 1a 06 05 11
This is the part where wpa_supplicant gets confused about the phase2
configuration. It ends up believe that you want EAP and since there is
no EAP-PAP, it just default to allow all EAP methods that have been
marked available for phase 2 use.
> TLS: Include TLS Message Length in unfragmented packets
This does not match wuith your configuration file example, i.e., I would
assume you had the phase1 line actually uncommented when producing this
> EAP-TTLS: TLS done, proceed to Phase 2
So TLS part was completed without problems.
> EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request Identity
> EAP-TTLS: Phase 2 EAP Request: type=1
> EAP: using real identity - hexdump_ascii(len=6):
> 6a 6c 6f 76 65 31 jlove1
> EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=11): 02 35 00 0b 01
> 6a 6c 6f 76 65 31
wpa_supplicant tries to start EAP in phase 2..
> EAP: Received EAP-Failure
But authentication server does not like it.. I would assume it was
configured to accept only PAP.
Jouni Malinen PGP id EFC895FA
More information about the HostAP