Help! Problems when eap=ttls.

Jouni Malinen j at
Tue May 13 09:04:43 EDT 2008

On Tue, May 13, 2008 at 11:04:50AM +0800, 娟 严 wrote:

>     When I set eap type to ttls, wpa_supplicant will fail to authenticate with
> 1) I copy the cacert.pem from the to /etc/cert/cacert.pem
> I have a question: is it a must to set the value of ca_cert in wpa_supplicant.conf? As I know,
> TTLS only requires the certificate of the server.

In order to achieve secure authentication, yes, ca_cert has to be
configured to make the supplicant authenticate the server. Sure, the
connection would "work" if ca_cert is not set, but that would mean that
only the client is authenticated and there is no protection against
man-in-the-middle attacks.

> EAP: Ignored truncated EAP-Packet (len=22 plen=2091)

This looks quite odd.. I don't know what exactly is being received here.

> The logs of freeRadius are as follows:

>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>     TLS_accept: SSLv3 write server done A

> Sending Access-Challenge of id 251 to port 1812
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "1"
>         ......
>         EAP-Message = 0x0306082b0601050507030406082b0601050507030806

This EAP message looks truncated.. It looks like something odd happened
in FreeRADIUS..

> I use Wireshark to sniff traffic on the Linux PC which also runs wpa_supplicant.
> 1. And the first packet is EAPOL-Start;
> 2. Then the switch sends a Request, Identity packet;
> 3. Then wpa_supplicant sends a Response, Identity packet;
> 4. Then the switch sends a Request, EAP-TTLS [Funk] packet;
> 5. Then wpa_supplicant sends a Client Hello packet;

This seemed to match with the debug logs from the client and server.

> 6. Then the switch sends 2 EAP Success packets; // Why does the switch send success packets?

This is odd and looks like a server issue.

Jouni Malinen                                            PGP id EFC895FA
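The ca_cert point from the reply above, shown as two wpa_supplicant.conf network blocks. This is an added example, not configuration from the original poster or from the hostap project; the SSID, identity, password, certificate path and server name are assumed placeholders.

```conf
# Added example (not from the original post or from hostap): the same
# EAP-TTLS network written without and with server authentication.
# SSID, identity, password, CA path and the server CN are assumed values.

# WEAK: no ca_cert. The TLS handshake completes against any server that
# presents a certificate, so a rogue AP with its own RADIUS server can
# terminate the tunnel and collect the inner credentials. Only the client
# ends up authenticated; this is the man-in-the-middle case from the reply.
network={
    ssid="example-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    password="secret"
    phase2="auth=MSCHAPV2"
}

# HARDENED: ca_cert names the CA that must have issued the RADIUS server
# certificate; the handshake is aborted if the chain does not validate.
# subject_match additionally requires this substring in the server
# certificate's subject DN, so another certificate from the same CA is
# not accepted either. anonymous_identity keeps the real username out of
# the cleartext outer EAP-Response/Identity.
network={
    ssid="example-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="secret"
    ca_cert="/etc/cert/cacert.pem"
    subject_match="/CN=radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The file referenced by ca_cert has to be the CA certificate that actually signed the FreeRADIUS server certificate (or a parent of it), not the server certificate itself and not an unrelated CA; with the wrong file the hardened block fails to connect, which is the correct outcome rather than a silent downgrade to the weak one.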
