EAP-FAST under Windows XP

Jouni Malinen jkmaline at cc.hut.fi
Tue Mar 21 22:23:42 EST 2006

On Tue, Mar 21, 2006 at 05:45:30PM -0800, jianping jiang wrote:

> I am trying to use EAP-FAST under Windows XP SP2. I am using WPA-Supplicant
> 5.2. So far no luck. I am wondering if anyone has made it work under
> Windows. And here is my configuration and output messages. I have changed
> several parameters back and forth, but still not working. I'll appreciate it if
> you can point out any mistake. Thanks!

I've tested EAP-FAST under WinXP, but not with this 0.5.2 version. It
looks like you have actually been able to complete the provisioning step
since wpa_supplicant was able to read a PAC. Something is then going
wrong during the TLS handshake for normal authentication:

> EAP-FAST: A-ID - hexdump_ascii(len=16):
>      4c 4f 43 41 4c 20 52 41 44 49 55 53 20 53 45 52   LOCAL RADIUS SER
> EAP-FAST: PAC found for this A-ID

It looks like you are using the internal EAP-FAST authentication server
in a Cisco AP. Is that the case? Which Cisco model is this and which
firmware version are you using? I tested the local authentication server
a long time ago, but have been mostly testing against Cisco ACS lately.

> EAP: Received EAP-Request id=3 method=43 vendor=0 vendorMethod=0
> EAP: EAP entering state METHOD
> SSL: Received packet(len=594) - Flags 0x81
> SSL: TLS Message Length: 584
> EAP-FAST: client_random - hexdump(len=32): 44 20 ab 13 3c 51 4c b4 fd b5 86 7b de 88 31 9a f6 79 6d 03 22 c9 0c 5b e5 f1 1e 80 92 dc 10 9c
> EAP-FAST: server_random - hexdump(len=32): d3 f8 78 7b 75 d3 f8 36 19 47 31 19 cf 19 47 b6 0d 61 7f 64 bc 0d 61 70 59 5a 14 74 9f 59 5a bb
> EAP-FAST: TLS pre-master-secret - hexdump(len=48): [REMOVED]
> SSL: (where=0x4008 ret=0x22f)
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:illegal parameter
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello B
> OpenSSL: tls_connection_handshake - SSL_connect error:14092105:SSL routines:SSL3_GET_SERVER_HELLO:wrong cipher returned

Hmm.. OpenSSL did not like the TLS ServerHello. I don't remember seeing
this particular error before. Would it be possible for you to capture
these initial messages (ClientHello and this ServerHello) and send a
capture file for further analysis? This can be done either locally on
the client (e.g., with Ethereal) or with a wireless sniffer.

Jouni Malinen                                            PGP id EFC895FA
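
Added example, not part of the original message and not wpa_supplicant or OpenSSL code: one way to check a captured ClientHello/ServerHello pair for the condition behind "wrong cipher returned", which OpenSSL reports when the ServerHello selects a cipher suite the client did not offer. It assumes the two handshake messages have already been extracted from the capture (EAP-FAST and TLS record framing removed); the function names and the sample bytes are constructed for illustration and are not taken from the log above.

```python
def handshake_body(msg, expected_type):
    """Return one TLS handshake message with its type + 24-bit length header removed."""
    if len(msg) < 4 or msg[0] != expected_type:
        raise ValueError("unexpected or truncated handshake message")
    length = int.from_bytes(msg[1:4], "big")
    if len(msg) < 4 + length:
        raise ValueError("truncated handshake message")
    return msg[4:4 + length]

def after_session_id(body):
    """Offset just past version(2) + random(32) + session_id (1-byte length prefix)."""
    off = 2 + 32
    if len(body) <= off or len(body) < off + 1 + body[off]:
        raise ValueError("truncated hello")
    return off + 1 + body[off]

def offered_suites(client_hello):
    """Cipher suites listed in a ClientHello, in the client's order."""
    body = handshake_body(client_hello, 1)      # 1 = client_hello
    off = after_session_id(body)
    if len(body) < off + 2:
        raise ValueError("truncated ClientHello")
    n = int.from_bytes(body[off:off + 2], "big")
    raw = body[off + 2:off + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("bad cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def selected_suite(server_hello):
    """The single cipher suite the server picked in its ServerHello."""
    body = handshake_body(server_hello, 2)      # 2 = server_hello
    off = after_session_id(body)
    if len(body) < off + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(body[off:off + 2], "big")

def server_choice_was_offered(client_hello, server_hello):
    """False reproduces the condition OpenSSL rejects with 'wrong cipher returned'."""
    return selected_suite(server_hello) in offered_suites(client_hello)

# Constructed samples: TLS 1.0, all-zero random, empty session_id.
def make_hello(msg_type, tail):
    body = b"\x03\x01" + bytes(32) + b"\x00" + tail
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

CLIENT_HELLO = make_hello(1, b"\x00\x02\x00\x05" + b"\x01\x00")  # offers only 0x0005
SERVER_HELLO_BAD = make_hello(2, b"\x00\x2f" + b"\x00")          # picks 0x002f
SERVER_HELLO_OK = make_hello(2, b"\x00\x05" + b"\x00")           # picks 0x0005
```
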
