Atheros: EAP-TLS WPA works # "IE in 3/4 msg does not match with IEin Beacon/ProbeResp" # strange radius authentication

Beat Meier bmeier at infovia.com.ar
Sat Jul 2 08:15:04 EDT 2005


Hi again

The problem of "IE in 3/4 msg does not match with IE in 
Beacon/ProbeResp"  is "solved".

There is a "strange problem" with the config file...
If I set in wpa_supplicant.conf
 prot=WPA RSN (or don't set i.e. default)
or
 prot=RSN
 key_mgmt=WPA-EAP
 eap=tls
and in hostapd
  wpa=2
  wpa_key_mgt=WPA-EAP
then message
  "IE in 3/4 msg does not match with IE in Beacon/ProbeResp"
comes ...


If I set on wpa_supplicant
 prot=WPA
 key_mgmt=WPA-EAP
 eap=tls
and in hostapd
  wpa=2
  wpa_key_mgt=WPA-EAP
the "right" message comes:
 No suitable AP found

This is in version 0.4.1 like 0.4.3

If I use on hostapd
  wpa=3
  wpa_key_mgt=WPA-EAP
it works "well" (see end), of course only WPA not WPA2.

Is this realy a madwifi problem? Should this reported to the madwifi 
list, of do I something wrong
with the config files to use WPA2?

BTW: Which messages indicate me if I'm connected with WPA or WPA2?
Is it not possible to log this in a field in the Access-Request for 
radius, so we know of each client
with what method it connected?

Sometime it needs several retries to be autencticated of by the radius 
server. If I understand right in a good
case there are 6 packages sent to the radius server from hostapd. I had 
about 14 until the client was connected
and my link is not so bad. Server and client are at 50cm distance and 
have a link quality of 48/94 and snr of +48dB
at 5.76GHz

It fails in 3. received radius packet

The radius message looks like this
modcall: group authorize returns updated for request 95
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 95
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown 
EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 95
modcall: group authenticate returns invalid for request 95
auth: Failed to validate the user.
Login incorrect: [woc2/<no User-Password attribute>] (from client 
localhost port 0 cli 00-02-6F-21-E3-9E)
Delaying request 90 for 1 seconds
Finished request 90
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=3, length=273
Sending Access-Reject of id 3 to 127.0.0.1:1197

Could it be a "synchronization" problem of radiusd and hostapd?

hostapd has tones of
IEEE 802.1X: <MAC> REAUTH_TIMER entering start INITIALIZE

Here you can see that 2 time it failed at the same point (After 3. 
packet) and after that it succeeded ...

rad_recv: Accounting-Request packet from host 127.0.0.1:1198, id=0, 
length=80
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=1, length=158
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=2, length=176
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=3, length=273
Login incorrect: [woc2/<no User-Password attribute>] (from client 
localhost port 0 cli 00-02-6F-21-E3-9E)
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=3, length=273
Sending Access-Reject of id 3 to 127.0.0.1:1197
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=4, length=155
Login incorrect: [woc2/<no User-Password attribute>] (from client 
localhost port 0 cli 00-02-6F-21-E3-9E)
Sending Access-Reject of id 4 to 127.0.0.1:1197
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=5, length=158
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=6, length=176
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=7, length=273
Login incorrect: [woc2/<no User-Password attribute>] (from client 
localhost port 0 cli 00-02-6F-21-E3-9E)
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=7, length=273
Sending Access-Reject of id 7 to 127.0.0.1:1197
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=8, length=155
Login incorrect: [woc2/<no User-Password attribute>] (from client 
localhost port 0 cli 00-02-6F-21-E3-9E)
Sending Access-Reject of id 8 to 127.0.0.1:1197
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=9, length=158
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=10, length=273
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=11, length=173
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=12, length=1585
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=13, length=760
rad_recv: Access-Request packet from host 127.0.0.1:1197, id=14, length=173
Login OK: [woc2/<no User-Password attribute>] (from client localhost 
port 0 cli 00-02-6F-21-E3-9E)
rad_recv: Accounting-Request packet from host 127.0.0.1:1198, id=15, 
length=154

If you need all the logs where could I put it because to send to the 
list its impossible
because they are very long...

BTW: I'm using radius server 1.0.3

Greetings

Beat





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20050702/cdbf96a1/attachment.htm 


More information about the HostAP mailing list