WPA - AP Association Issue

Jouni Malinen j@w1.fi
Sun Nov 25 23:26:15 EST 2007

On Fri, Nov 23, 2007 at 09:07:57AM +0530, Mr. Maloomnahi wrote:

> I have mentioned below the CONF file for SAKE and PAX as phase 2 with TTLS. Can you suggest what settings are required, or what mistakes I have made?

> For phase 1, what settings can we make for the same EAP methods?

If you remove ca_cert and phase2 from the configuration and set
eap=SAKE/PAX, the wpa_supplicant configuration should work for phase 1.

> TTLS PAX - Below

> network={
>         eap=TTLS
>         ca_cert="/etc/hostapd.server.pem"
>         client_cert="/etc/hostapd.ca.pem"
>         private_key="/etc/hostapd.server.prv"
>         identity="ttls"
>         psk="XXXX"
>         private_key_passwd="XXXX"

client_cert, private_key, and private_key_passwd are not normally used
with EAP-TTLS, so I would remove them. psk is not used with IEEE 802.1X
or WPA-Enterprise, so that can also be removed. If that identity is
trying to set the phase 1 identity, it should be anonymous_identity.

>         phase2="autheap=PAX"
>         eappsk=0123456789abcdef0123456789abcdef
>         nai="pax.user@example.com"
>         identity="semco"

This identity is actually overriding the previous one. In this kind of
configuration, anonymous_identity sets the phase 1 identity and identity
is only used in phase 2.

>         pin="1234"
>         pcsc=""

These are only for EAP-SIM and EAP-AKA, so could be removed from here.

> hostapd.eap_user has new identities as "semco" and the same password as XXXX

"semco" would need to be added with an entry to trigger PAX/SAKE for the
user, but its password is not actually used. The real EAP-PAX/SAKE
password comes from an entry that has the full NAI (i.e.,
"pax.user@example.com" in this configuration). Furthermore, the trigger
to start PAX would need to be defined for phase 2 if you want to use
this inside an EAP-PEAP/TTLS/FAST tunnel.

In other words, for phase 1 (no tunnel) EAP-PAX:

"semco"	PAX	"unknown"
"pax.user@example.com"	PAX	0123456789abcdef0123456789abcdef

for phase 2 (in tunnel) EAP-PAX:

"semco"	PAX	"unknown"	[2]
"pax.user@example.com"	PAX	0123456789abcdef0123456789abcdef

The "unknown" password is not actually used, but that entry, or a
wildcard entry for that matter, is needed to allow EAP-PAX to be started;
the real password from the full NAI entry can be shared for both cases,
so it would be possible to use the same password for both cases and
enable PAX for both phases:

"semco"	PAX	"unknown"
"semco"	PAX	"unknown"	[2]
"pax.user@example.com"	PAX	0123456789abcdef0123456789abcdef

Jouni Malinen                                            PGP id EFC895FA
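As an added illustration (not hostapd's own parser and not code from this thread), the following Python models the eap_user lookup the reply describes: the entry matching the identity and phase (the optional `[2]` marker) decides whether PAX is started, while the PAX password is taken from the entry for the full NAI. The entries below are the combined phase 1 + phase 2 example from the mail, and the wildcard handling (`*` only) is a deliberate simplification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the combined phase 1 + phase 2 eap_user entries from the mail.
EAP_USER_TEXT = '''
"semco"\tPAX\t"unknown"
"semco"\tPAX\t"unknown"\t[2]
"pax.user@example.com"\tPAX\t0123456789abcdef0123456789abcdef
'''

@dataclass
class EapUser:
    identity: str
    method: str
    password: bytes   # quoted string or raw hex, both stored as bytes
    phase2: bool      # True when the entry carries the [2] marker

# identity  METHOD  "password"|hex  [2]   (simplified model of the file format)
LINE_RE = re.compile(r'^"([^"]*)"\s+(\S+)\s+("[^"]*"|[0-9a-fA-F]+)(\s+\[2\])?$')

def parse_eap_user(text: str) -> List[EapUser]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable eap_user line: {line!r}")
        ident, method, pw, marker = m.groups()
        password = pw[1:-1].encode() if pw.startswith('"') else bytes.fromhex(pw)
        entries.append(EapUser(ident, method, password, marker is not None))
    return entries

def lookup(entries: List[EapUser], identity: str, phase2: bool) -> Optional[EapUser]:
    """First entry for this phase whose identity matches exactly or is the '*' wildcard."""
    for e in entries:
        if e.phase2 == phase2 and e.identity in (identity, '*'):
            return e
    return None

def resolve_pax(entries: List[EapUser], identity: str, nai: str, phase2: bool) -> Optional[bytes]:
    """Two-step lookup from the mail: the identity entry (for the requested phase) only
    triggers PAX; the password comes from the full-NAI entry regardless of phase."""
    trigger = lookup(entries, identity, phase2)
    if trigger is None or trigger.method != "PAX":
        return None
    cred = next((e for e in entries if e.identity == nai and e.method == "PAX"), None)
    return None if cred is None else cred.password
```

Dropping the `[2]` entry for "semco" makes `resolve_pax` return `None` for the in-tunnel case, which is the failure mode the reply is pointing at.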
