Wired network and CISCO ACS

Jouni Malinen jkmaline at cc.hut.fi
Wed Mar 29 09:34:12 EST 2006

On Wed, Mar 29, 2006 at 08:42:25AM +0200, Dario Meloni wrote:

> == Configuration


> 	eapol_flags=1

Wired connection is unlikely to distribute encryption keys so
eapol_flags should be set to 0 or removed completely.

> EAP-PEAP: Start (server ver=1, own ver=1)
> EAP-PEAP: Using PEAP version 1

The first PEAP message from the authentication server is received.

> SSL: SSL_connect:SSLv3 write client hello A
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello A
> SSL: SSL_connect - want more data
> SSL: 101 bytes pending from ssl_out
> SSL: 101 bytes left to be sent out (of total 101 bytes)

And this is the ClientHello message from the supplicant.

> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> EAPOL: SUPP_BE entering state RECEIVE

However, the server does not seem to answer it. Since you are using
Cisco ACS, I would recommend testing with include_tls_length=1 added to
the phase1 parameter. Some versions of ACS seem to require that TLS
Message Length is in the messages even if they are not fragmented.

Jouni Malinen                                            PGP id EFC895FA
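For reference, here is what the two changes suggested in the reply look like in a wpa_supplicant.conf network block for wired 802.1X with PEAP. This is an added illustration, not configuration from the original thread or from the wpa_supplicant project; the identity, password, CA certificate path, the peapver=1 setting (matching the "Using PEAP version 1" line in the quoted log) and ap_scan=0 (the usual setting with the wired driver) are assumptions, and only eapol_flags=0 and include_tls_length=1 come from the reply itself.

```conf
# Assumed: wired driver in use (wpa_supplicant -Dwired -ieth0 -c this_file)
ap_scan=0

# --- Before: the quoted configuration ---
# network={
#     key_mgmt=IEEE8021X
#     eap=PEAP
#     identity="user"                # placeholder
#     password="secret"              # placeholder
#     ca_cert="/etc/cert/acs-ca.pem" # placeholder path
#     phase1="peapver=1"
#     phase2="auth=MSCHAPV2"
#     eapol_flags=1                  # asks for EAPOL-Key frames that a wired port never sends
# }

# --- After: the two changes recommended in the reply ---
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    identity="user"                # placeholder
    password="secret"              # placeholder
    ca_cert="/etc/cert/acs-ca.pem" # placeholder; still validate the ACS server certificate
    # include_tls_length=1 always puts the TLS Message Length field in the
    # EAP-TLS/PEAP fragments, which some Cisco ACS versions expect even when
    # the message is not fragmented.
    phase1="peapver=1 include_tls_length=1"
    phase2="auth=MSCHAPV2"
    # 0 = no EAPOL-Key (WEP key) handling; wired links do not distribute keys
    eapol_flags=0
}
```

With the change in place, the next debug run should show the server replying to the ClientHello (an "SSL: SSL_connect:SSLv3 read server hello A" line) instead of the session stalling in SUPP_BE state RECEIVE as in the quoted log.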
