integrated eap server

ali asin ali.asin at gmail.com
Sun May 11 07:57:50 EDT 2008


Hi all!
I'm trying to set a hostap (version updated today) with wpa-eap with
TLS with integrated EAP instead of RADIUS (a very simple configuration).
However, I've been trying without success, and I don't know what else I can do.

My hostapd.conf looks like (I only quote the lines related to wpa):
ieee8021x=1
wpa=3
eap_server=1
eap_user_file=user_file
ca_cert=/etc/cert/cacert.pem
server_cert=/etc/cert/newcert.pem (includes private key in cert).
private_key_passwd="password"
wpa_key_mgmt=EAP
auth_algs=3

And the wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=1
network={
        ssid="prueba"
        proto=WPA
        key_mgmt=WPA-EAP
        pairwise=TKIP
        group=TKIP
        eap=TLS
        identity="cucu at test.com"
        ca_cert="cacert.pem"
        client_cert="newcert.pem"
        private_key="newkey.pem"
        private_key_passwd="password"
}

The output from hostapd is:
eapol_version=2
TLS: Trusted root certificate(s) loaded
madwifi_set_privacy: enabled=0
madwifi_sta_deauth: Failed to deauth STA (addr ff:ff:ff:ff:ff:ff reason 3)
Could not connect to kernel driver.
Using interface ath0 with hwaddr 00:15:6d:63:a6:45 and ssid 'prueba'
madwifi_set_ieee8021x: enabled=1
madwifi_configure_wpa: group key cipher=1
madwifi_configure_wpa: pairwise key ciphers=0xa
madwifi_configure_wpa: key management algorithms=0x1
madwifi_configure_wpa: rsn capabilities=0x0
madwifi_configure_wpa: enable WPA=0x3
WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
GMK - hexdump(len=32): [REMOVED]
GTK - hexdump(len=32): [REMOVED]
WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
madwifi_set_key: alg=TKIP addr=00:00:00:00:00:00 key_idx=1
madwifi_set_privacy: enabled=1
madwifi_set_iface_flags: dev_up=1
ath0: Setup of interface done.
l2_packet_receive - recvfrom: Network is down
Wireless event: cmd=0x8b1a len=15
Wireless event: cmd=0x8c03 len=20
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.11: associated
  New STA
ath0: STA 00:0b:6b:80:c8:8e WPA: event 1 notification
madwifi_del_key: addr=00:0b:6b:80:c8:8e key_idx=0
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: start authentication
EAP: State machine created
IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_KEY_TX entering state NO_KEY_TRANSMIT
IEEE 802.1X: 00:0b:6b:80:c8:8e KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:0b:6b:80:c8:8e CTRL_DIR entering state IN_OR_BOTH
IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state IDLE
IEEE 802.1X: 00:0b:6b:80:c8:8e KEY_RX entering state NO_KEY_RECEIVE
IEEE 802.1X: 00:0b:6b:80:c8:8e CTRL_DIR entering state FORCE_BOTH
IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e KEY_RX entering state NO_KEY_RECEIVE
ath0: STA 00:0b:6b:80:c8:8e WPA: start authentication
WPA: 00:0b:6b:80:c8:8e WPA_PTK entering state INITIALIZE
madwifi_del_key: addr=00:0b:6b:80:c8:8e key_idx=0
WPA: 00:0b:6b:80:c8:8e WPA_PTK_GROUP entering state IDLE
WPA: 00:0b:6b:80:c8:8e WPA_PTK entering state AUTHENTICATION
WPA: 00:0b:6b:80:c8:8e WPA_PTK entering state AUTHENTICATION2
IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state DISCONNECTED
madwifi_set_sta_authorized: addr=00:0b:6b:80:c8:8e authorized=0
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 28 bytes from 00:0b:6b:80:c8:8e
   IEEE 802.1X: version=2 type=0 length=24
   EAP: code=2 identifier=103 length=24 (response)
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: received EAP packet (code=2 id=103
len=24) from STA: EAP Response-Identity (1)
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: STA identity 'cucu at test
.com'
IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state RESPONSE
EAP: EAP-Response received - hexdump(len=24): 02 67 00 18 01 61 6c 69 63 69
61 40 6c 69 62 65 6c 69 75 6d 2e 63 6f 6d
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=103 respMethod=1 respVendor=0
respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=19):
     61 6c 69 63 69 61 40 6c 69 62 65 6c 69 75 6d 2e   cucu at test.
     63 6f 6d                                          com
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 13
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 104
EAP: EAP entering state SEND_REQUEST
EAP: eapReqData -> EAPOL - hexdump(len=6): 01 68 00 06 0d 20
EAP: EAP entering state IDLE
IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:0b:6b:80:c8:8e (identifier 104)
TX EAPOL - hexdump(len=24): 00 0b 6b 80 c8 8e 00 15 6d 63 a6 45 88 8e 02 00
00 06 01 68 00 06 0d 20
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 10 bytes from 00:0b:6b:80:c8:8e
   IEEE 802.1X: version=2 type=0 length=6
   EAP: code=2 identifier=104 length=6 (response)
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: received EAP packet (code=2 id=104
len=6) from STA: EAP Response-Nak (3)
IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state RESPONSE
EAP: EAP-Response received - hexdump(len=6): 02 68 00 06 03 00
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=104 respMethod=3 respVendor=0
respVendorMethod=0
EAP: EAP entering state NAK
EAP: processing NAK (current EAP method index 1)
EAP: configured methods - hexdump(len=64): 00 00 00 00 0d 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
EAP: list of methods supported by the peer - hexdump(len=1): 00
EAP: new list of configured methods - hexdump(len=64): 00 00 00 00 0d 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00
EAP: EAP entering state SELECT_ACTION
*EAP: getDecision: no more methods available -> FAILURE*
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=104)
EAP: eapReqData -> EAPOL - hexdump(len=4): 04 68 00 04
IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state FAIL
IEEE 802.1X: Sending EAP Packet to 00:0b:6b:80:c8:8e (identifier 104)
TX EAPOL - hexdump(len=22): 00 0b 6b 80 c8 8e 00 15 6d 63 a6 45 88 8e 02 00
00 04 04 68 00 04
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:0b:6b:80:c8:8e AUTH_PAE entering state HELD
madwifi_set_sta_authorized: addr=00:0b:6b:80:c8:8e authorized=0
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: unauthorizing port
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: authentication failed - EAP type: 0
(Unknown)
ath0: STA 00:0b:6b:80:c8:8e IEEE 802.1X: Supplicant used different EAP type:
3 (Nak)
IEEE 802.1X: 00:0b:6b:80:c8:8e BE_AUTH entering state IDLE
IEEE 802.1X: 00:0b:6b:80:c8:8e REAUTH_TIMER entering state INITIALIZE
(and an infinite loop with this message)

It seems the failure is in the bold line, but I don't know why...

Any idea about this? Has anybody managed to set up this configuration?
Thanks in advance!
Alicia
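
Added example, not part of the original post: a small decoder for the three short EAP packets that appear as hexdumps in the hostapd output above (the EAP-Request, the station's Nak, and the EAP-Failure). The function names are hypothetical; the header layout and the meaning of a zero byte in a Nak follow RFC 3748.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def decode_eap(hexdump):
    """Decode one EAP packet given as a hostapd-style hexdump string."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:      # only Request/Response carry a Type
        etype, data = raw[4], raw[5:length]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 3:
            # Legacy Nak: each byte is a method the peer would accept;
            # a single 0 byte means it proposes no alternative at all.
            pkt["desired"] = [EAP_TYPES.get(t, t) for t in data if t != 0]
            pkt["no_alternative"] = not pkt["desired"]
        elif etype == 13 and data:
            flags = data[0]                 # EAP-TLS flags byte
            pkt["tls_flags"] = {"length_included": bool(flags & 0x80),
                                "more_fragments": bool(flags & 0x40),
                                "start": bool(flags & 0x20)}
    return pkt

def nak_rejects(request_hex, response_hex):
    """True if the response is a Nak refusing the method the request proposed."""
    req, resp = decode_eap(request_hex), decode_eap(response_hex)
    return (resp.get("type") == "Nak" and resp["id"] == req["id"]
            and req.get("type") not in resp["desired"])

# Hexdumps copied from the hostapd log in the post.
SERVER_REQUEST = "01 68 00 06 0d 20"
STATION_REPLY = "02 68 00 06 03 00"
SERVER_FAILURE = "04 68 00 04"

if __name__ == "__main__":
    for name, dump in [("request", SERVER_REQUEST), ("reply", STATION_REPLY),
                       ("failure", SERVER_FAILURE)]:
        print(name, decode_eap(dump))
    print("station refused proposed method:",
          nak_rejects(SERVER_REQUEST, STATION_REPLY))
```

Decoded this way, the log shows the server proposing EAP-TLS (type 13, Start flag set) and the station answering with a Nak that lists no acceptable method, which is what leaves hostapd with "no more methods available".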