EAP-FAST doesn't work with Cisco AP

Jouni Malinen jkmaline at cc.hut.fi
Mon Jun 12 01:38:40 EDT 2006


On Sun, Jun 11, 2006 at 10:04:12PM -0700, Michael Reilly wrote:

> I have been trying to get EAP-FAST to work with my Cisco AP-1100 (12.3(7)JA2 and
> 12.3(8)JA2 IOS versions on the AP).  Windows clients work fine with the AP.

Was this authentication using the local authentication server in the AP
or an external RADIUS server?

> wpa_supplicant 0.4.9 and openssl 0.9.8b patched with
> openssl-tls-extensions.patch.  SSL fails and sends the AP an Alert code 47.  The
> wpa_supplicant SSL part of the log is shown below.  I can provide additional
> information as required.

I haven't tested with OpenSSL 0.9.8b, but I would not have expected that to
have changed in an area that would cause such a problem. OpenSSL 0.9.8a
is working fine in my tests with the local authentication server in a
Cisco AP and also against CiscoACS. The AP I'm using is likely an older
test version of 12.3 than 12.3.(7), so something may have been changed
since then.

> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:illegal parameter
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello B
> OpenSSL: tls_connection_handshake - SSL_connect error:14092105:SSL
> routines:SSL3_GET_SERVER_HELLO:wrong cipher returned

Hmm.. It looks like the server did not advertise an acceptable cipher.
Did you manage to run in-band PAC provisioning without any issues? Could
you please capture the EAP packets (e.g., with ethereal on the client)
and send me a capture log showing ClientHello and this ServerHello
message that gets rejected?
 
-- 
Jouni Malinen                                            PGP id EFC895FA
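
Added example (not part of the original message and not wpa_supplicant or OpenSSL code): once the ClientHello and ServerHello have been extracted from a capture, this checks whether the suite the server selected is one the client offered, which is the mismatch the "wrong cipher returned" error points at. It assumes raw TLS handshake messages with the record header and EAP framing already removed; the function names and sample bytes are constructed for illustration.

```python
# Added example: constructed input, not taken from the poster's capture.
# Input is a raw TLS handshake message (no record header, no EAP framing).

def hello_body(msg: bytes, msg_type: int) -> bytes:
    """Validate the 4-byte handshake header and return the hello body."""
    if len(msg) < 4 or msg[0] != msg_type:
        raise ValueError("unexpected handshake message type")
    length = int.from_bytes(msg[1:4], "big")
    if len(msg) - 4 < length:
        raise ValueError("truncated handshake message")
    return msg[4:4 + length]

def after_session_id(body: bytes) -> int:
    """Offset just past version (2), random (32) and the session_id."""
    if len(body) < 35:
        raise ValueError("hello too short")
    return 35 + body[34]

def offered_ciphers(client_hello: bytes) -> list:
    body = hello_body(client_hello, 1)           # 1 = ClientHello
    off = after_session_id(body)
    n = int.from_bytes(body[off:off + 2], "big")
    suites = body[off + 2:off + 2 + n]
    if len(body) < off + 2 or len(suites) != n or n % 2:
        raise ValueError("malformed cipher_suites")
    return [int.from_bytes(suites[i:i + 2], "big") for i in range(0, n, 2)]

def selected_cipher(server_hello: bytes) -> int:
    body = hello_body(server_hello, 2)           # 2 = ServerHello
    off = after_session_id(body)
    if len(body) < off + 3:                      # cipher_suite + compression
        raise ValueError("malformed ServerHello")
    return int.from_bytes(body[off:off + 2], "big")

def server_choice_ok(client_hello: bytes, server_hello: bytes) -> bool:
    """True only if the server picked a suite the client offered."""
    return selected_cipher(server_hello) in offered_ciphers(client_hello)

def build_hello(msg_type: int, tail: bytes) -> bytes:
    """Constructed sample: TLS 1.0, zero random, empty session_id."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + tail
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Client offers 0x0034 and 0x002F; server answers with 0x0004 (not offered).
CLIENT_HELLO = build_hello(1, b"\x00\x04\x00\x34\x00\x2f" + b"\x01\x00")
BAD_SERVER_HELLO = build_hello(2, b"\x00\x04" + b"\x00")
GOOD_SERVER_HELLO = build_hello(2, b"\x00\x34" + b"\x00")
```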


