Wired network and CISCO ACS

Jouni Malinen jkmaline at cc.hut.fi
Wed Mar 29 09:34:12 EST 2006


On Wed, Mar 29, 2006 at 08:42:25AM +0200, Dario Meloni wrote:

> == Configuration

...

> 	eapol_flags=1

Wired connection is unlikely to distribute encryption keys, so
eapol_flags should be set to 0 or removed completely.

> EAP-PEAP: Start (server ver=1, own ver=1)
> EAP-PEAP: Using PEAP version 1

The first PEAP message from the authentication server is received
successfully.

> SSL: SSL_connect:SSLv3 write client hello A
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello A
> SSL: SSL_connect - want more data
> SSL: 101 bytes pending from ssl_out
> SSL: 101 bytes left to be sent out (of total 101 bytes)

And this is the ClientHello message from the supplicant.

> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> EAPOL: SUPP_BE entering state RECEIVE

However, the server does not seem to answer it. Since you are using
Cisco ACS, I would recommend testing with include_tls_length=1 added to
the phase1 parameter. Some versions of ACS seem to require that TLS
Message Length is in the messages even if they are not fragmented.

-- 
Jouni Malinen                                            PGP id EFC895FA
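The following is an added example, not code from this post, from wpa_supplicant or from Cisco ACS. It encodes the supplicant's EAP-Response/PEAP both ways, with and without the TLS Message Length field that phase1="include_tls_length=1" adds, parses the result, and models (as a hypothetical check, not Cisco's logic) a server that only answers when that field is present. Function and constant names are mine; the 101-byte ClientHello stand-in is constructed filler matching the byte count in the log, not the real handshake bytes.

```python
"""EAP-PEAP framing with and without the TLS Message Length field.

Added example: not code from the HostAP post, wpa_supplicant or Cisco ACS.
Names are my own. The header layout follows RFC 3748 (EAP) and the
EAP-TLS/PEAP flags byte (L/M/S bits, PEAP version in the low three bits).
"""
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_PEAP = 25

FLAG_LENGTH_INCLUDED = 0x80  # L: a 4-byte TLS Message Length follows the flags
FLAG_MORE_FRAGMENTS = 0x40   # M: more fragments of this TLS message follow
FLAG_START = 0x20            # S: server's PEAP-Start message
VERSION_MASK = 0x07          # PEAP version negotiated in the low three bits

# Constructed sample standing in for the supplicant's ClientHello. The log
# reports 101 bytes pending, so this filler is 101 bytes long; the real bytes
# are not on the page. (0x16 0x03 0x01 = TLS 1.0 handshake record header.)
SAMPLE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x60]) + bytes(range(96))


def build_peap_response(identifier, tls_data, peap_version=1, include_tls_length=False):
    """Encode one unfragmented EAP-Response/PEAP carrying tls_data.

    include_tls_length=False mirrors the default for a message that fits in one
    fragment; include_tls_length=True mirrors phase1="include_tls_length=1",
    which sets the L bit and prepends the 4-byte TLS Message Length.
    """
    flags = peap_version & VERSION_MASK
    body = b""
    if include_tls_length:
        flags |= FLAG_LENGTH_INCLUDED
        body += struct.pack("!I", len(tls_data))
    body = bytes([flags]) + body + tls_data
    eap_length = 5 + len(body)  # Code(1) Identifier(1) Length(2) Type(1) + PEAP data
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, eap_length, EAP_TYPE_PEAP) + body


def parse_peap(packet):
    """Decode an EAP/PEAP packet into its fields, validating both length fields."""
    if len(packet) < 6:
        raise ValueError("packet too short for an EAP/PEAP header")
    code, identifier, eap_length, eap_type = struct.unpack("!BBHB", packet[:5])
    if eap_length != len(packet):
        raise ValueError("EAP Length %d does not match packet size %d" % (eap_length, len(packet)))
    if eap_type != EAP_TYPE_PEAP:
        raise ValueError("not a PEAP packet (type %d)" % eap_type)
    flags = packet[5]
    pos = 6
    tls_length = None
    if flags & FLAG_LENGTH_INCLUDED:
        if len(packet) < pos + 4:
            raise ValueError("L bit set but TLS Message Length field is truncated")
        tls_length = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    tls_data = packet[pos:]
    # For an unfragmented message the announced length must equal what was carried.
    if tls_length is not None and not (flags & FLAG_MORE_FRAGMENTS) and tls_length != len(tls_data):
        raise ValueError("TLS Message Length %d but %d bytes carried" % (tls_length, len(tls_data)))
    return {
        "code": code,
        "identifier": identifier,
        "version": flags & VERSION_MASK,
        "length_included": bool(flags & FLAG_LENGTH_INCLUDED),
        "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
        "start": bool(flags & FLAG_START),
        "tls_length": tls_length,
        "tls_data": tls_data,
    }


def strict_server_accepts(packet):
    """Hypothetical model of a server that insists on the L bit (assumption).

    This is my reading of the remark that some ACS versions require the TLS
    Message Length even in unfragmented messages; it is not Cisco's logic.
    Such a server never answers a message without the field, which from the
    supplicant side looks exactly like the stalled exchange in the log.
    """
    fields = parse_peap(packet)
    return fields["length_included"] and fields["tls_length"] is not None


if __name__ == "__main__":
    for include in (False, True):
        pkt = build_peap_response(7, SAMPLE_CLIENT_HELLO, include_tls_length=include)
        fields = parse_peap(pkt)
        print("include_tls_length=%d: %d-byte EAP packet, flags=0x%02x, "
              "TLS length field=%s, strict server answers=%s"
              % (include, len(pkt), pkt[5], fields["tls_length"], strict_server_accepts(pkt)))
```

The difference on the wire is four bytes: with the L bit set the same ClientHello goes out as a 111-byte EAP packet instead of 107, and a server that only parses the length-prefixed form has something to answer. In wpa_supplicant.conf both changes discussed above live inside the network block: eapol_flags=0 and phase1="include_tls_length=1".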



More information about the HostAP mailing list