EAP-TLS with wpa_supplicant not associating with AP

Jeff Stevens jeff1132 at charter.net
Thu Jan 20 15:34:33 EST 2005


Hello!

The madwifi group sent me here...

Need help with the WPA SSL certificate problems I've had.  I think my AP 
handshake might not like my SSL certs.  I exported a pfx type file from 
my WinXP certs (my WinXP works ok, now trying to get Linux to work).

I had to use openssl to convert from pfx to pem, hoping I did things 
right...but I can't tell what the AP is complaining about.  Can someone 
give me a clue?

I made my WPA EAP-TLS certs for wpa_supplicant this way (export from 
WinXP with all certs in path and with private key to jeffs.pfx):

   openssl pkcs12 -in jeffs.pfx -nocerts -nodes -out jeffs.prv
   openssl pkcs12 -in jeffs.pfx -out jeffs.pem
   openssl pkcs12 -in jeffs.pfx -out equifax.pem

Thank you,
Jeff
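
An added example, not part of the original post: run without selection options, as in the second and third commands above, openssl pkcs12 writes every certificate and the private key into the output file. The function below instead writes one kind of object per file and checks the result; split_pfx, the output file names and the PFX_PASS variable are assumptions.

```shell
# Added example, not from the original post. split_pfx and the output file
# names are hypothetical; the export password is read from $PFX_PASS so it
# does not appear on a command line.
split_pfx() (
    pfx=$1; out=$2
    umask 077    # the key is written unencrypted (-nodes), as in the post
    mkdir -p "$out" || exit 1
    p12() { openssl pkcs12 -in "$pfx" -passin env:PFX_PASS "$@"; }

    # One kind of object per file.
    p12 -cacerts -nokeys -out "$out/ca.pem"     || exit 1   # CA certificates only
    p12 -clcerts -nokeys -out "$out/client.pem" || exit 1   # client certificate only
    p12 -nocerts -nodes  -out "$out/client.key" || exit 1   # private key only

    # Neither certificate file may contain a private key.
    if grep -q 'PRIVATE KEY' "$out/ca.pem" "$out/client.pem"; then exit 2; fi
    # Exactly one client certificate is expected.
    [ "$(grep -c 'BEGIN CERTIFICATE' "$out/client.pem")" -eq 1 ] || exit 3
    # The certificate and the key file must hold the same public key.
    cert_pub=$(openssl x509 -in "$out/client.pem" -noout -pubkey) || exit 4
    key_pub=$(openssl pkey -in "$out/client.key" -pubout) || exit 4
    [ "$cert_pub" = "$key_pub" ] || exit 4

    # List the CA subjects that ended up in ca.pem (status 5 if there are none).
    # wpa_supplicant uses ca_cert to validate the authentication server, so the
    # CA that issued the server certificate has to be among them.
    grep '^subject' "$out/ca.pem" || exit 5
)

# Usage: PFX_PASS='...' split_pfx jeffs.pfx /etc/cert
```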

-------- Original Message --------
Subject: EAP-TLS with wpa_supplicant not associating with AP
Date: Wed, 19 Jan 2005 17:11:20 -0600
From: Jeff Stevens <jeff1132 at charter.net>
Newsgroups: gmane.linux.drivers.madwifi.user

I got WPA-PSK working at home with my Linksys router, and now I'm trying
to get my WPA EAP-TLS to fly at work.  Seems to see the AP at work, but
then terminates early for some reason; the closest thing to an error
that I can see is the phrase

     "EAPOL frame too short, len 46, expecting at least 99"

although I read some say that's not an error at all.  Hoping someone has
a suggestion for me.  Certainly feels like I'm very close!

Thank you,
Jeff


System Fedora Core 3
====================


/var/log/messages:
==================
Jan 17 16:19:56 jstevens-t41 kernel: ath_hal: no version for
"struct_module" found: kernel tainted.
Jan 17 16:19:56 jstevens-t41 kernel: ath_hal: module license
'Proprietary' taints kernel.
Jan 17 16:19:56 jstevens-t41 kernel: ath_hal: 0.9.12.14 (AR5210, AR5211,
AR5212)
Jan 17 16:19:56 jstevens-t41 kernel: wlan: 0.8.4.5 (EXPERIMENTAL)
Jan 17 16:19:56 jstevens-t41 kernel: ath_rate_onoe: 1.0
Jan 17 16:19:56 jstevens-t41 kernel: ath_pci: 0.9.4.12 (EXPERIMENTAL)
Jan 17 16:19:57 jstevens-t41 kernel: ACPI: PCI interrupt 0000:02:02.0[A]
-> GSI 11 (level, low) -> IRQ 11
Jan 17 16:19:57 jstevens-t41 kernel: ath0: 11a rates: 6Mbps 9Mbps 12Mbps
18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
Jan 17 16:19:57 jstevens-t41 kernel: ath0: 11b rates: 1Mbps 2Mbps
5.5Mbps 11Mbps
Jan 17 16:19:57 jstevens-t41 kernel: ath0: 11g rates: 1Mbps 2Mbps
5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
Jan 17 16:19:57 jstevens-t41 kernel: ath0: mac 5.6 phy 4.1 5ghz radio
1.7 2ghz radio 2.3
Jan 17 16:19:57 jstevens-t41 kernel: ath0: 802.11 address: 00:05:4e:49:08:1f
Jan 17 16:19:57 jstevens-t41 kernel: ath0: Use hw queue 0 for WME_AC_BE
traffic
Jan 17 16:19:57 jstevens-t41 kernel: ath0: Use hw queue 1 for WME_AC_BK
traffic
Jan 17 16:19:57 jstevens-t41 kernel: ath0: Use hw queue 2 for WME_AC_VI
traffic
Jan 17 16:19:57 jstevens-t41 kernel: ath0: Use hw queue 3 for WME_AC_VO
traffic
Jan 17 16:19:57 jstevens-t41 kernel: ath0: Atheros 5212: mem=0xc0210000,
irq=11


wpa_supplicant.conf:
=====================
# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
# EAP-TLS for authentication and key generation; require both unicast and
# broadcast WEP keys.
network={
     ssid="IBM"
     scan_ssid=1
     key_mgmt=IEEE8021X
     eap=TLS
     identity="jssteven at us.ibm.com"
     #ca_cert="/etc/cert/ibm.pem"
     ca_cert="/etc/cert/equifax.pem"
     client_cert="/etc/cert/jeffs.pem"
     private_key="/etc/cert/jeffs.prv"
     private_key_passwd="xxxxxxxx"
     eapol_flags=3
}

Test run with: wpa_supplicant -Dmadwifi -iath0
-c/etc/wpa_supplicant.conf -d
=============================================================================

[root at jstevens-t41 jstevens]# wpa_supplicant -Dmadwifi -iath0
-c/etc/wpa_supplicant.conf -d
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0
eapol_version=1
ap_scan=1
Priority group 0
    id=0 ssid='dyndns'
    id=1 ssid='IBM'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
wpa_driver_madwifi_set_wpa: enabled=1
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_set_countermeasures: enabled=0
wpa_driver_madwifi_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Wireless event: cmd=0x8b19 len=12
Received 404 bytes of scan results (3 BSSes)
Scan results: 3
Selecting BSS from priority group 0
0: 00:0c:85:e2:fa:35 ssid='' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
1: 00:12:43:f9:80:d0 ssid='' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
2: 62:00:ba:02:d8:03 ssid='marym' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
No suitable AP found.
Setting scan request: 5 sec 0 usec
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=3):
      49 42 4d                                          IBM
Wireless event: cmd=0x8b1a len=16
Wireless event: cmd=0x8b19 len=12
Received 404 bytes of scan results (3 BSSes)
Scan results: 3
Selecting BSS from priority group 0
0: 00:0c:85:e2:fa:35 ssid='IBM' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
1: 00:12:43:f9:80:d0 ssid='IBM' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
2: 62:00:ba:02:d8:03 ssid='marym' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
    selected non-WPA AP 00:0c:85:e2:fa:35 ssid='IBM'
Trying to associate with 00:0c:85:e2:fa:35 (SSID='IBM' freq=2462 MHz)
Cancelling scan request
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_set_drop_unencrypted: enabled=1
wpa_driver_madwifi_associate
Setting authentication timeout: 5 sec 0 usec
EAPOL: External notification - portControl=Auto
Wireless event: cmd=0x8b1a len=16
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:0c:85:e2:fa:35
Association event - clear replay counter
Associated to a new BSS: BSSID=00:0c:85:e2:fa:35
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_del_key: keyidx=0
Associated with 00:0c:85:e2:fa:35
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RX EAPOL from 00:0c:85:e2:fa:35
Setting authentication timeout: 10 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=1
EAP: EAP entering state IDENTITY
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=19):
      6a 73 73 74 65 76 65 6e 40 75 73 2e 69 62 6d 2e   jssteven at us.ibm.
      63 6f 6d                                          com
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
RX EAPOL from 00:0c:85:e2:fa:35
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=2
EAP: EAP entering state IDENTITY
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=19):
      6a 73 73 74 65 76 65 6e 40 75 73 2e 69 62 6d 2e   jssteven at us.ibm.
      63 6f 6d                                          com
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
RX EAPOL from 00:0c:85:e2:fa:35
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=17 id=233
EAP: EAP entering state GET_METHOD
EAP: Building EAP-Nak (requested type 17 not allowed)
EAP: allowed methods - hexdump(len=1): 0d
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
RX EAPOL from 00:0c:85:e2:fa:35
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=13 id=234
EAP: EAP entering state GET_METHOD
SSL: Trusted root certificate(s) loaded
EAP: EAP entering state METHOD
EAP-TLS: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 100 bytes left to be sent out (of total 100 bytes)
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
Wireless event: cmd=0x8b04 len=12
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:00:00:00:00:00
Setting scan request: 0 sec 100000 usec
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
Disconnect event - remove keys
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_del_key: keyidx=0
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
Starting AP scan (broadcast SSID)
Wireless event: cmd=0x8b1a len=12
Wireless event: cmd=0x8b19 len=12
Received 404 bytes of scan results (3 BSSes)
Scan results: 3
Selecting BSS from priority group 0
0: 00:12:43:f9:80:d0 ssid='' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
1: 62:00:ba:02:d8:03 ssid='marym' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
2: 00:0c:85:e2:fa:35 ssid='' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
No suitable AP found.
Setting scan request: 5 sec 0 usec
Wireless event: cmd=0x8b19 len=12
Received 404 bytes of scan results (3 BSSes)
Scan results: 3
Selecting BSS from priority group 0
0: 00:12:43:f9:80:d0 ssid='' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
1: 62:00:ba:02:d8:03 ssid='marym' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
2: 00:0c:85:e2:fa:35 ssid='' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
No suitable AP found.
Setting scan request: 5 sec 0 usec
Authentication with 00:00:00:00:00:00 timed out.
Setting scan request: 0 sec 0 usec
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=3):
      49 42 4d                                          IBM
Wireless event: cmd=0x8b1a len=16
Wireless event: cmd=0x8b19 len=12
Received 539 bytes of scan results (4 BSSes)
Scan results: 4
Selecting BSS from priority group 0
0: 00:12:43:f9:80:d0 ssid='IBM' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
1: 62:00:ba:02:d8:03 ssid='marym' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
2: f6:02:57:00:8f:01 ssid='WSBC' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
3: 00:0c:85:e2:fa:35 ssid='IBM' wpa_ie_len=0 rsn_ie_len=0
    skip - no WPA/RSN IE
    selected non-WPA AP 00:12:43:f9:80:d0 ssid='IBM'
Trying to associate with 00:12:43:f9:80:d0 (SSID='IBM' freq=2437 MHz)
Cancelling scan request
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_set_drop_unencrypted: enabled=1
wpa_driver_madwifi_associate
Setting authentication timeout: 5 sec 0 usec
EAPOL: External notification - portControl=Auto
Wireless event: cmd=0x8b1a len=16
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:12:43:f9:80:d0
Association event - clear replay counter
Associated to a new BSS: BSSID=00:12:43:f9:80:d0
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_del_key: keyidx=0
Associated with 00:12:43:f9:80:d0
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RX EAPOL from 00:12:43:f9:80:d0
Setting authentication timeout: 10 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=1
EAP: EAP entering state IDENTITY
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=19):
      6a 73 73 74 65 76 65 6e 40 75 73 2e 69 62 6d 2e   jssteven at us.ibm.
      63 6f 6d                                          com
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
RX EAPOL from 00:12:43:f9:80:d0
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=2
EAP: EAP entering state IDENTITY
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=19):
      6a 73 73 74 65 76 65 6e 40 75 73 2e 69 62 6d 2e   jssteven at us.ibm.
      63 6f 6d                                          com
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
RX EAPOL from 00:12:43:f9:80:d0
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=17 id=34
EAP: EAP entering state GET_METHOD
EAP: Building EAP-Nak (requested type 17 not allowed)
EAP: allowed methods - hexdump(len=1): 0d
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
RX EAPOL from 00:12:43:f9:80:d0
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=13 id=35
EAP: EAP entering state GET_METHOD
SSL: Trusted root certificate(s) loaded
EAP: EAP entering state METHOD
EAP-TLS: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 100 bytes left to be sent out (of total 100 bytes)
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 46, expecting at least 99
Signal 2 received - terminating
wpa_driver_madwifi_deauthenticate
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_del_key: keyidx=0
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
wpa_driver_madwifi_set_wpa: enabled=0
wpa_driver_madwifi_set_drop_unencrypted: enabled=0
wpa_driver_madwifi_set_countermeasures: enabled=0
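
An added example, not part of the original post: an awk filter that reduces debug output like the log above to one line per association attempt, giving the EAP methods the authenticator requested, the ones refused with EAP-Nak, the last TLS handshake step completed and how the attempt ended. The function names and the output format are assumptions; the sample lines are shortened from the log.

```shell
# Added example, not from the original post: one summary line per association
# attempt in wpa_supplicant -d output on stdin. Function names are hypothetical.
eap_summary() {
    awk '
    function label(t) { return (t in names) ? names[t] : "type-" t }
    function add(list, item) { return (list == "") ? item : list "," item }
    function emit() {
        if (bssid != "")
            printf "%s offered=%s nak=%s tls=\"%s\" end=%s\n", bssid, offered, nak, tls, how
        bssid = ""
    }
    # EAP method type numbers as assigned by IANA.
    BEGIN { names[13] = "TLS"; names[17] = "LEAP"; names[21] = "TTLS"; names[25] = "PEAP" }
    /^Associated with / {
        emit(); bssid = $3; offered = ""; nak = ""; tls = "not started"; how = "log-ends"
        split("", seen)
    }
    /^EAP: Received EAP-Request method=/ {
        split($4, kv, "="); m = kv[2]
        # method=1 is the Identity request, not an authentication method.
        if (m != 1 && !(m in seen)) { seen[m] = 1; offered = add(offered, label(m)) }
    }
    /^EAP: Building EAP-Nak / { nak = add(nak, label($6)) }
    /^EAP-TLS: Start/ { tls = "started" }
    # Last handshake step completed; "error in" followed by "want more data"
    # means the peer is waiting for the next server message.
    /^SSL: SSL_connect:/ && !/:error in / && !/:before/ { sub(/^SSL: SSL_connect:/, ""); tls = $0 }
    # The first terminal event of an attempt wins.
    how == "log-ends" && /^EAP: EAP entering state (SUCCESS|FAILURE)/ { how = "eap-" tolower($5) }
    how == "log-ends" && /^Disconnect event/ { how = "disconnected" }
    how == "log-ends" && /^Signal [0-9]+ received/ { how = "terminated-by-signal" }
    END { emit() }
    '
}

# Sample input: excerpt shortened from the log in the post.
sample_log() {
    cat <<'EOF'
Associated with 00:0c:85:e2:fa:35
EAP: Received EAP-Request method=17 id=233
EAP: Building EAP-Nak (requested type 17 not allowed)
EAP: Received EAP-Request method=13 id=234
EAP-TLS: Start
SSL: SSL_connect:SSLv3 write client hello A
SSL: SSL_connect:error in SSLv3 read server hello A
Disconnect event - remove keys
EOF
}
sample_log | eap_summary
```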



