MSCHAPv2 Authentication

Bryan Kadzban bryan at kadzban.is-a-geek.net
Thu Mar 8 12:50:23 EST 2007


Your output:

On Thu, Mar 08, 2007 at 05:45:16PM +0100, Luca Merolla wrote:
> Scan results: 13
> Selecting BSS from priority group 3
> 0: 00:11:6b:11:67:d9 ssid='kamtjatkanet13' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 1: 00:11:6b:11:67:b9 ssid='kamtjatkanet10' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 2: 00:11:6b:11:67:ca ssid='kamtjatkanet12' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 3: 00:11:6b:11:67:bc ssid='kamtjatkanet7' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 4: 00:11:6b:11:67:c6 ssid='kamtjatkanet11' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 5: 00:11:6b:11:67:c9 ssid='kamtjatkanet8' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 6: 00:11:6b:11:67:b8 ssid='kamtjatkanet4' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 7: 00:11:6b:11:67:d2 ssid='kamtjatkanet15' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 8: 00:11:6b:11:67:cd ssid='kamtjatkanet14' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 9: 00:11:6b:11:67:b6 ssid='kamtjatkanet17' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 10: 00:11:6b:11:67:c7 ssid='kamtjatkanet5' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch
> 11: 00:11:6b:11:67:d4 ssid='kamtjatkanet15' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
> skip - SSID mismatch

And then your config file:

> network={
>         ssid="kamtjatkanet"
>         scan_ssid=1
>         key_mgmt=WPA-EAP
>         proto=WPA2 WPA
>         eap=PEAP
>         pairwise=CCMP TKIP
>         group=CCMP TKIP
>         phase2="auth=MSCHAPV2"
>         identity="luca"
>         password="xxxxx"
> #        ca_cert="/etc/ssl/certs/Entrust.net_Secure_Server_CA.pem"
>         priority=3
> }

I see two issues here.  First, the SSID that you have configured doesn't
match any of the SSIDs being broadcast by any of the APs in your area.
It seems that most of the APs around you have been configured to use
some numeric suffix on the SSID that you have configured.  The SSIDs
need to match on the entire string, not just the prefix; I would guess
that whoever set this wireless network up needs to fix it so that
there's only one SSID, instead of 15 of them (or however many there
are).

It almost looks like they're trying to do something that's only
supported by accident, or only supported by the Microsoft supplicant;
there's no way that a correct 802.11-compliant station will associate
with a correct 802.11-compliant AP when their SSIDs don't match.  This
may also be the cause of the problem with all the third-party wireless
tools, but I don't know that for sure.  It doesn't really matter though,
either.

What you can do to work around this until the APs get fixed, is set your
ssid in the config file to "kamtjatkanet15" (or one of the other numeric
suffixes).  Then one of the APs that services that SSID will match in the
scan results, and wpa_supplicant will try to associate with it.

The second issue is that you've specified scan_ssid=1, but you have more
than one option for proto, pairwise, and group -- I don't know whether
this works or not.  I would start by removing the scan_ssid line, but if
that doesn't work, I'd try adding it back in and fixing proto, pairwise,
and group.  (From your description, it sounds like you will need to use
WPA, TKIP, and TKIP, respectively.  But it's better to leave those
parameters unspecified and let the supplicant figure out which values to
use based on the beacon information, rather than having the supplicant
send a specific probe request.)
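
An added example, not part of the original message or of wpa_supplicant: a small Python check that applies the exact-match rule described above to scan-result lines in the quoted format, reporting SSIDs that only share the configured prefix and which protocol IEs they advertise. The function names and sample data are constructed for illustration; it assumes a nonzero `wpa_ie_len` means a WPA IE is present and a nonzero `rsn_ie_len` means an RSN (WPA2) IE is present.

```python
import re

# Constructed sample in the format of the scan results quoted above.
SAMPLE_LOG = """\
0: 00:11:6b:11:67:d9 ssid='kamtjatkanet13' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
   skip - SSID mismatch
> 1: 00:11:6b:11:67:d2 ssid='kamtjatkanet15' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
>    skip - SSID mismatch
2: 00:11:6b:11:67:d4 ssid='kamtjatkanet15' wpa_ie_len=24 rsn_ie_len=0 caps=0x11
   skip - SSID mismatch
"""
SAMPLE_CONF = 'network={\n    ssid="kamtjatkanet"\n    key_mgmt=WPA-EAP\n}\n'

# One BSS line; an optional leading "> " lets quoted mail text be pasted in.
BSS_RE = re.compile(
    r"^\s*(?:>\s*)?\d+:\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+ssid='(.*)'"
    r"\s+wpa_ie_len=(\d+)\s+rsn_ie_len=(\d+)", re.I)
# Matches ssid="..." but not scan_ssid=... or a commented-out line.
CONF_SSID_RE = re.compile(r'^[\s>]*ssid="(.*)"\s*$', re.M)


def parse_scan(log):
    """Return (bssid, ssid, protos) per BSS; protos come from which IEs are present."""
    found = []
    for line in log.splitlines():
        m = BSS_RE.match(line)
        if m:
            protos = [name for name, n in (("WPA", m.group(3)), ("RSN", m.group(4)))
                      if int(n) > 0]
            found.append((m.group(1).lower(), m.group(2), protos))
    return found


def diagnose(conf, log):
    """Per configured ssid: BSSIDs that match exactly, and SSIDs that only share the prefix."""
    bss = parse_scan(log)
    report = {}
    for want in CONF_SSID_RE.findall(conf):
        exact = [b for b, s, _ in bss if s == want]
        near = {}
        for _, s, protos in bss:
            if s != want and s.startswith(want):
                near[s] = sorted(set(near.get(s, [])) | set(protos))
        report[want] = {"exact": exact, "prefix_only": near}
    return report


if __name__ == "__main__":
    for ssid, r in diagnose(SAMPLE_CONF, SAMPLE_LOG).items():
        print(f"ssid={ssid!r}: {len(r['exact'])} exact match(es)")
        for s, protos in sorted(r["prefix_only"].items()):
            print(f"  prefix only: {s!r} advertises {protos}")
```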
