Is there any inter-operating tests experience with "BridgeWater Systems's AAA Server"?

Jouni Malinen j at w1.fi
Mon Feb 4 21:52:12 EST 2008


On Mon, Feb 04, 2008 at 05:28:50PM +0800, Macpaul Lin wrote:

> I've used wpa-supplicant-0.5.7 to test EAP-TTLS/TLS with AAA Server
> which developed by "BridgeWater Systems".

> However, EAP-TLS always failed right away when "Client CA" and "Change
> cipher spec option" were sent by Auth client .

Could you please send me debug log from wpa_supplicant showing this
error?

> AAA server (Bridgewater Systems's solution) will show log on its own
> terminal "decrypt error". Then AAA server will response Auth Complete
> EAP packet with "Error code" then close the EAP connections.

Unfortunately, that does not sound like a very helpful error code..

> I've logged EAP-TLS handshaking messages.

Would it be possible for you to send me packet capture logs (e.g., with
Wireshark or tcpdump) that show both a successful EAP-TLS handshake with
another supplicant and the failed one from wpa_supplicant test?

I'm not familiar with this AAA server, but in general, EAP-TLS is one of
the most interoperable EAP methods available.. It has worked with every
server I've tested with so far. As such, I would suspect that there
could be something wrong in the client configuration as far as the
certificate setup is concerned, but the "decrypt error" would not sound
like something that a server would likely show in such a case..

Do you use any complex certificate configurations (i.e., multiple CAs
and different intermediate CAs for the server and client, etc.)?

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list