eapol_test tool against other servers than freeradius

Dana Blanaru dana.blanaru at gmail.com
Wed Jun 18 03:48:08 EDT 2008


I didn't send the entire log. The next lines indicate failure, but I think
it's because my server sends an Access-Reject:

EAPOL: SUPP_BE entering state
RECEIVE

Received 44 bytes from RADIUS
server

Received RADIUS
message

RADIUS message: code=3 (Access-Reject) identifier=1
length=44
   Attribute 79 (EAP-Message)
length=6

      Value: 04 02 00
04

   Attribute 80 (Message-Authenticator)
length=18
      Value: 4c 69 e1 e2 28 03 5f 02 0d 5b 70 0d 73 36 ba
18
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.09 sec


RADIUS packet matching with
station

decapsulated EAP packet (code=4 id=2 len=4) from RADIUS server: EAP
Failure
EAPOL: Received EAP-Packet
frame

EAPOL: SUPP_BE entering state
REQUEST

EAPOL:
getSuppRsp

EAP: EAP entering state
RECEIVED

EAP: Received
EAP-Failure

EAP: Workaround for unexpected identifier field in EAP Success: reqId=2
lastId=1 (these are supposed to be same)
EAP: EAP entering state
FAILURE

CTRL-EVENT-EAP-FAILURE EAP authentication
failed
EAPOL: SUPP_PAE entering state
HELD

EAPOL: SUPP_BE entering state
RECEIVE

EAPOL: SUPP_BE entering state
FAIL

EAPOL: SUPP_BE entering state
IDLE

eapol_sm_cb:
success=0

EAPOL: EAP key not
available

EAPOL: EAP key not
available

EAP: deinitialize previously used EAP method (13, TLS) at EAP
deinit
ENGINE: engine
deinit

MPPE keys OK: 0  mismatch:
2

FAILURE

I am going to look into the errors generated by my server. But first I need
to be sure that certificates are ok on both sides.

But you confused me with something. You said that I don't need to set a
server certificate for the client. But EAP-TLS requires both client and
server certificates. On the freeradius for example i have specified the path
of the server certificate in eap.conf file - tls module. So I guess
eapol_test is looking after the server certificate in the case of EAP-TLS,
right?
Please clarify this for me and excuse my questions that might sound dumb for
you.




On Fri, Jun 13, 2008 at 4:41 PM, Jouni Malinen <j at w1.fi> wrote:

> On Fri, Jun 13, 2008 at 03:44:59PM +0200, Dana Blanaru wrote:
>
> > Though I have errors related to the server certificate... The server
> > certificate (server_keycert.pem: the certificate and private key are in
> the
> > same file) is on the server side, but maybe eapol_test expects it to be
> at a
> > specific path? Or to be in a different format?
>
> Server? You should not need to configure server certificate (and
> certainly not the server private key) for the client. Anyway, the
> "errors" here are actually warnings. wpa_supplicant/eapol_test asks
> OpenSSL to first load the file as a DER file and that fails since you
> are using PEM format. When OpenSSL is asked to load the data in PEM
> format, that goes through without problems. In other words, the log you
> sent did not indicate any real problems.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20080618/8fc93ee6/attachment.htm 


More information about the HostAP mailing list