eap authentication seems to fail on university network

Jouni Malinen jkmaline at cc.hut.fi
Wed Feb 16 22:44:07 EST 2005


On Wed, Feb 16, 2005 at 05:51:43PM -0600, Joe Love wrote:

> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> eapol_version=1
> ap_scan=0
> network={
>        ssid="UIC-Wireless"
>        scan_ssid=1
>        key_mgmt=IEEE8021X WPA-EAP

This combination of ap_scan=0 and WPA-EAP is unlikely to work. However,
based on the debug log, I would guess that you are actually not using
WPA at all. Removing that WPA-EAP from here would make the config file
easier to understand..

>        eap=TTLS
>        identity="jlove1"
>        password="[snipped]"
>        anonymous_identity="anonymous"
>        ca_cert="/usr/home/lyfe/thawte.pem"
>        #phase1="include_tls_length=1"
>        phase2="autheap=PAP auth=PAP"

This phase2 line here is causing the connection to fail. autheap=PAP is
an invalid option and removing it may make this actually work.. Now,
wpa_supplicant assumes that you want to use another EAP method in
Phase2, but in practice, I would assume you want to do PAP. In other
words, change this to phase2="auth=PAP".

> Side note: I'm using ap_scan=0 because there's a bunch of APs that don't
> always properly report their ssids, so I just manually put that in
> using: ifconfig wi0 ssid UIC-Wireless

Please note that WPA needs to get WPA IE set correctly for the
association request and using ap_scan=0 is unlikely to work for that.
ap_scan=2 might, but it depends on whether the driver supports such
configuration. Anyway, it looks like you are not using WPA, so this
should not matter for now.

> EAP-TTLS: Phase2 type: EAP
> EAP-TTLS: Unsupported Phase2 EAP method 'PAP'
> EAP-TTLS: Phase2 EAP types - hexdump(len=5): 04 1a 06 05 11

This is the part where wpa_supplicant gets confused about the phase2
configuration. It ends up believing that you want EAP and since there is
no EAP-PAP, it just defaults to allowing all EAP methods that have been
marked available for phase 2 use.

> TLS: Include TLS Message Length in unfragmented packets

This does not match with your configuration file example, i.e., I would
assume you had the phase1 line actually uncommented when producing this
debug log.

> EAP-TTLS: TLS done, proceed to Phase 2

So the TLS part was completed without problems.

> EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request Identity
> EAP-TTLS: Phase 2 EAP Request: type=1
> EAP: using real identity - hexdump_ascii(len=6):
>     6a 6c 6f 76 65 31                                 jlove1         
> EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=11): 02 35 00 0b 01 
> 6a 6c 6f 76 65 31

wpa_supplicant tries to start EAP in phase 2..

> EAP: Received EAP-Failure

But the authentication server does not like it.. I would assume it was
configured to accept only PAP.

-- 
Jouni Malinen                                            PGP id EFC895FA
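
Added example, not part of the original message and not wpa_supplicant code: a small Python check that flags the two configuration problems pointed out in the reply above (autheap= naming a non-EAP method, and ap_scan=0 combined with a WPA key_mgmt). The function names and the NON_EAP_ONLY set are assumptions of this sketch; the sample is the configuration quoted in the message with the password replaced by a placeholder.

```python
import re

# Non-EAP inner methods: usable after auth=, never after autheap= (assumption:
# names as listed in wpa_supplicant's documentation for EAP-TTLS phase2).
NON_EAP_ONLY = {"PAP", "CHAP", "MSCHAP"}

# Constructed sample: the configuration quoted in the message, trimmed.
POSTED = '''
ap_scan=0
network={
    ssid="UIC-Wireless"
    key_mgmt=IEEE8021X WPA-EAP
    eap=TTLS
    identity="jlove1"
    password="PLACEHOLDER"
    #phase1="include_tls_length=1"
    phase2="autheap=PAP auth=PAP"
}
'''

def parse_conf(text):
    """Return (global settings, list of network dicts) from config text."""
    globals_, networks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            target = globals_ if current is None else current
            target[key.strip()] = value.strip().strip('"')
    return globals_, networks

def lint(text):
    """Return warnings for the two misconfigurations discussed in the reply."""
    globals_, networks = parse_conf(text)
    warnings = []
    for net in networks:
        ssid = net.get("ssid", "?")
        wpa = [k for k in net.get("key_mgmt", "").split() if k.startswith("WPA-")]
        if globals_.get("ap_scan") == "0" and wpa:
            warnings.append(f"{ssid}: ap_scan=0 with {wpa[0]} is unlikely to work")
        for field, method in re.findall(r"(\w+)=(\S+)", net.get("phase2", "")):
            if field == "autheap" and method.upper() in NON_EAP_ONLY:
                warnings.append(f"{ssid}: autheap={method} is not an EAP method; use auth={method}")
    return warnings
```

Running lint(POSTED) reports both problems; after dropping WPA-EAP from key_mgmt and changing phase2 to "auth=PAP", it returns an empty list.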


