eap authentication seems to fail on university network

Joe Love joe at getsomewhere.net
Fri Feb 18 02:18:40 EST 2005


Thanks, this seems to have solved my issues logging into the system. I 
guess I couldn't quite get my head wrapped around the settings to get 
them right.

I'd be absolutely certain it worked, but I'm running into a 
freebsd-specific problem with my hardware.  I'll pass the config 
settings I have on to a few other people who are trying to do the same 
thing with different hardware (and on Linux).

Thanks again,
-Joe

Jouni Malinen wrote:

>On Wed, Feb 16, 2005 at 05:51:43PM -0600, Joe Love wrote:
>
>  
>
>>ctrl_interface=/var/run/wpa_supplicant
>>ctrl_interface_group=wheel
>>eapol_version=1
>>ap_scan=0
>>network={
>>       ssid="UIC-Wireless"
>>       scan_ssid=1
>>       key_mgmt=IEEE8021X WPA-EAP
>>    
>>
>
>This combination of ap_scan=0 and WPA-EAP is unlikely to work. However,
>based on the debug log, I would guess that you are actually not using
>WPA at all. Removing that WPA-EAP from here would make the config file
>easier to understand..
>
>  
>
>>       eap=TTLS
>>       identity="jlove1"
>>       password="[snipped]"
>>       anonymous_identity="anonymous"
>>       ca_cert="/usr/home/lyfe/thawte.pem"
>>       #phase1="include_tls_length=1"
>>       phase2="autheap=PAP auth=PAP"
>>    
>>
>
>This phase2 line here is causing the connection to fail. autheap=PAP is
>an invalid option and removing it may make this actually work.. Now,
>wpa_supplicant assumes that you want to use another EAP method in
>Phase2, but in practice, I would assume you want to do PAP. In other
>words, change this to phase2="auth=PAP".
>
>  
>
>>Side note: I'm using ap_scan=0 because there's a bunch of APs that don't 
>>always properly report their ssids, so I just manually put that in 
>>using: ifconfig wi0 ssid UIC-Wireless
>>    
>>
>
>Please note that WPA needs to get WPA IE set correctly for the
>association request and using ap_scan=0 is unlikely to work for that.
>ap_scan=2 might, but it depends on whether the driver supports such
>configuration. Anyway, it looks like you are not using WPA, so this
>should not matter for now.
>
>  
>
>>EAP-TTLS: Phase2 type: EAP
>>EAP-TTLS: Unsupported Phase2 EAP method 'PAP'
>>EAP-TTLS: Phase2 EAP types - hexdump(len=5): 04 1a 06 05 11
>>    
>>
>
>This is the part where wpa_supplicant gets confused about the phase2
>configuration. It ends up believing that you want EAP and since there is
>no EAP-PAP, it just defaults to allowing all EAP methods that have been
>marked available for phase 2 use.
>
>  
>
>>TLS: Include TLS Message Length in unfragmented packets
>>    
>>
>
>This does not match with your configuration file example, i.e., I would
>assume you had the phase1 line actually uncommented when producing this
>debug log.
>
>  
>
>>EAP-TTLS: TLS done, proceed to Phase 2
>>    
>>
>
>So the TLS part was completed without problems.
>
>  
>
>>EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request Identity
>>EAP-TTLS: Phase 2 EAP Request: type=1
>>EAP: using real identity - hexdump_ascii(len=6):
>>    6a 6c 6f 76 65 31                                 jlove1         
>>EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=11): 02 35 00 0b 01 
>>6a 6c 6f 76 65 31
>>    
>>
>
>wpa_supplicant tries to start EAP in phase 2..
>
>  
>
>>EAP: Received EAP-Failure
>>    
>>
>
>But the authentication server does not like it.. I would assume it was
>configured to accept only PAP.
>
>  
>
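
The two configuration problems identified in the reply above, expressed as a small checker. This is an added example, not part of the original thread or of wpa_supplicant; the function names, the sample text and the CHAP/MSCHAP entries are assumptions made for illustration.

```python
import re

# Inner methods that are not EAP methods, so they belong after auth=, never
# autheap= (assumption: PAP is from the thread; CHAP and MSCHAP come from the
# wpa_supplicant.conf documentation).
NON_EAP_ONLY = {"PAP", "CHAP", "MSCHAP"}

# Constructed sample: the network block quoted in the thread, password omitted.
SAMPLE = """
ap_scan=0
network={
    ssid="UIC-Wireless"
    key_mgmt=IEEE8021X WPA-EAP
    eap=TTLS
    #phase1="include_tls_length=1"
    phase2="autheap=PAP auth=PAP"
}
"""

def parse(conf):
    """Collect key=value settings; comment lines and braces never match."""
    settings = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(\w+)=(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def lint(conf):
    """Return one warning per problem the reply identifies."""
    s = parse(conf)
    warnings = []
    for token in s.get("phase2", "").split():
        kind, _, method = token.partition("=")
        if kind == "autheap" and method.upper() in NON_EAP_ONLY:
            warnings.append(f"phase2: autheap={method} is not an EAP method; "
                            f"use auth={method}")
    if s.get("ap_scan") == "0" and "WPA-EAP" in s.get("key_mgmt", "").split():
        warnings.append("ap_scan=0 with key_mgmt WPA-EAP is unlikely to work")
    return warnings

if __name__ == "__main__":
    for w in lint(SAMPLE):
        print("WARN", w)
```

With the changes suggested in the reply applied (phase2="auth=PAP" and key_mgmt=IEEE8021X), `lint` returns an empty list.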




More information about the HostAP mailing list