Empty EAP-FAST exchange after Phase 1 authentication

Eric Fung efung at acm.org
Tue Jun 26 16:59:07 EDT 2007


I noticed that hostapd expects an empty EAP-FAST Request/Response exchange 
after Phase 1 Authentication (using a valid PAC-Opaque) completes successfully 
before proceeding to Phase 2. RFC 4851 does not show this exchange, but shows 
TLVs being sent inside the tunnel immediately in the next message.

(I am using hostapd built from source retrieved from GIT yesterday, against an 
OpenSSL snapshot from last night with the 0.9.9 SessionTicket patch applied.)

Here is a portion of the log I'm seeing. The empty request is marked with >>> 
below.

EAP-FAST: Received packet(len=69) - Flags 0x81
EAP-FAST: TLS Message Length: 59
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3 read finished A
SSL: (where=0x20 ret=0x1)
SSL: (where=0x2002 ret=0x1)
SSL: 0 bytes pending from ssl_out
SSL: No data to be sent out
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 49
EAP-FAST: Phase1 done, starting Phase2
EAP-FAST: master_secret for key expansion - hexdump(len=48): 9a c8 17 59 fa 1f 
e1 54 5d 2f aa 9a af 9e fc 63 37 54 35 83 32 36 c7 5b 10 7e 75 99 c6 bd 77 f7 
74 e0 cb 45 26 8e 55 b5 a6 33 58 8d 84 c1 2f 6e
EAP-FAST: session_key_seed (SKS = S-IMCK[0]) - hexdump(len=40): fb fb f4 b1 44 
90 5e 3c 59 d8 ea 4a e3 c1 c9 ab 2b a5 33 8e 27 ba 07 43 bd 98 f7 a5 a4 3f 6d 
b6 e9 93 70 79 b6 7e 73 cf
EAP-FAST: PHASE1 -> PHASE2_START
EAP: EAP entering state SEND_REQUEST
 >>>EAP: eapReqData -> EAPOL - hexdump(len=6): 01 31 00 06 2b 01
EAP: EAP entering state IDLE
IEEE 802.1X: 00:0f:cb:fa:da:7a BE_AUTH entering state REQUEST
ath0: STA 00:0f:cb:fa:da:7a IEEE 802.1X: Sending EAP Packet (identifier 49)
TX EAPOL - hexdump(len=24): 00 0f cb fa da 7a 00 0f cb fa 18 f3 88 8e 02 00 00 
06 01 31 00 06 2b 01
IEEE 802.1X: 00:0f:cb:fa:da:7a REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 10 bytes from 00:0f:cb:fa:da:7a
    IEEE 802.1X: version=1 type=0 length=6
    EAP: code=2 identifier=49 length=6 (response)
ath0: STA 00:0f:cb:fa:da:7a IEEE 802.1X: received EAP packet (code=2 id=49 
len=6) from STA: EAP Response-FAST (43)
IEEE 802.1X: 00:0f:cb:fa:da:7a BE_AUTH entering state RESPONSE
EAP: EAP-Response received - hexdump(len=6): 02 31 00 06 2b 01
IEEE 802.1X: 00:0f:cb:fa:da:7a REAUTH_TIMER entering state INITIALIZE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=49 respMethod=43 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-FAST: Received packet(len=6) - Flags 0x01
EAP-FAST: PHASE2_START -> PHASE2_ID
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 50
EAP-FAST: Phase 2 EAP-Request - hexdump(len=5): 01 32 00 05 01
EAP-FAST: Add EAP-Payload TLV
EAP-FAST: Encrypting Phase 2 TLVs - hexdump(len=9): 80 09 00 05 01 32 00 05 01
EAP: EAP entering state SEND_REQUEST
EAP: eapReqData -> EAPOL - hexdump(len=80): 01 32 00 50 2b 01 17 03 01 00 20 13 
e4 2e 34 8e 36 f3 17 e6 34 0c 93 fa 86 27 64 ec 37 6b 89 5a 94 d4 96 19 b0 1c 
1d f6 bd 30 d5 17 03 01 00 20 8f 7c 6d ce e3 61 b6 29 4e 3c 41 4c 7f 0c 36 2e 
0b f3 eb 72 db 2e a5 4c 8f ae a7 fd 15 44 86 60
EAP: EAP entering state IDLE
IEEE 802.1X: 00:0f:cb:fa:da:7a BE_AUTH entering state REQUEST
ath0: STA 00:0f:cb:fa:da:7a IEEE 802.1X: Sending EAP Packet (identifier 50)
TX EAPOL - hexdump(len=98): 00 0f cb fa da 7a 00 0f cb fa 18 f3 88 8e 02 00 00 
50 01 32 00 50 2b 01 17 03 01 00 20 13 e4 2e 34 8e 36 f3 17 e6 34 0c 93 fa 86 
27 64 ec 37 6b 89 5a 94 d4 96 19 b0 1c 1d f6 bd 30 d5 17 03 01 00 20 8f 7c 6d 
ce e3 61 b6 29 4e 3c 41 4c 7f 0c 36 2e 0b f3 eb 72 db 2e a5 4c 8f ae a7 fd 15 
44 86 60
IEEE 802.1X: 00:0f:cb:fa:da:7a REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 63 bytes from 00:0f:cb:fa:da:7a
    IEEE 802.1X: version=1 type=0 length=59
    EAP: code=2 identifier=50 length=59 (response)
ath0: STA 00:0f:cb:fa:da:7a IEEE 802.1X: received EAP packet (code=2 id=50 
len=59) from STA: EAP Response-FAST (43)
IEEE 802.1X: 00:0f:cb:fa:da:7a BE_AUTH entering state RESPONSE
EAP: EAP-Response received - hexdump(len=59): 02 32 00 3b 2b 01 17 03 01 00 30 
39 66 10 4a 3b 15 46 3c c0 f6 b5 82 9d ac 8d e0 a5 9d ce 3f fc 87 73 d5 ac c1 
0d 6a c6 ea 58 20 01 58 e1 09 17 69 1c bd 7e 39 7a 3d d7 e5 3e f1
IEEE 802.1X: 00:0f:cb:fa:da:7a REAUTH_TIMER entering state INITIALIZE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=50 respMethod=43 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-FAST: Received packet(len=59) - Flags 0x01
EAP-FAST: Received 53 bytes encrypted data for Phase 2
EAP-FAST: Decrypted Phase 2 TLVs - hexdump(len=14): 80 09 00 0a 02 32 00 0a 01 
74 2d 67 74 63
EAP-FAST: Received Phase 2: TLV type 9 length 10 (mandatory)
EAP-FAST: EAP-Payload TLV - hexdump(len=10): 02 32 00 0a 01 74 2d 67 74 63
EAP-FAST: Received Phase 2: code=2 identifier=50 length=10



More information about the HostAP mailing list