Help!!! ACS4.1 wpa_supplicant_0.5.10 eap-fast

Jouni Malinen j at w1.fi
Fri Oct 31 08:55:34 EDT 2008


On Fri, Oct 31, 2008 at 10:49:44AM +0800, 娟 严 wrote:

>     I am now using wpa_supplicant_0.5.10 to implement the EAP-FAST feature, and when I authenticate my wpa_supplicant with the CISCO ACS4.1 RADIUS server, ACS4.1 always sends Access-Reject.

Are you trying to use unauthenticated or authenticated provisioning for
EAP-FAST?

>     Authenticating Peer     Authenticator
> ......
>        Intermediate-Result TLV (Success)
>        Crypto-Binding TLV(Response) ->
>                                 <- Result TLV (Success)
>                                   [Optional PAC TLV]
>        Result TLV (Success)
>        [PAC TLV Acknowledgment] ->
>        TLS channel torn down
>        (messages sent in clear text)
>                                <-Reject
>  
> ACS4.1 radius server reports: "EAP-FAST user was provisoned with new PAC"

This is the expected behavior of unauthenticated (anonymous)
provisioning in EAP-FAST. The authentication server is supposed to
reject the provisioning phase and once the provisioned PAC is used in
the next attempt (i.e., the first real authentication), the server can
then accept the connection.


> wpa_supplicant logs are as follows:

> EAP-FAST: No PAC found - starting provisioning
> OpenSSL: cipher suites: ADH-AES128-SHA

>      41 43 53 20 4e 41 43 20 53 65 72 76 65 72         ACS NAC Server  
> EAP-FAST: wrote 1 PAC entries into '/tmp/wpa_supplicant.eap-fast-pac'
> EAP-FAST: Send PAC-Acknowledgement TLV - Provisioning completed successfully
> pac ack info - hexdump(len=16): 80 03 00 02 00 01 80 0b 00 06 00 08 00 02 00 01
> EAP: Received EAP-Failure


This all looks correct. The next connection attempt should then use the
provisioned PAC from /tmp/wpa_supplicant.eap-fast-pac.

-- 
Jouni Malinen                                            PGP id EFC895FA
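Added example, not code from the original mail or from wpa_supplicant: it decodes the 16-byte "pac ack info" hexdump quoted above into the Result TLV and the PAC TLV carrying a PAC-Acknowledgement, using the TLV header layout of RFC 4851 and the PAC attribute numbers of RFC 5422. The type and status names come from those RFCs; the sample bytes are the ones in the quoted log.

```python
import struct

# Constructed input: the 16-byte "pac ack info" hexdump quoted in the log above.
PAC_ACK_HEXDUMP = "80 03 00 02 00 01 80 0b 00 06 00 08 00 02 00 01"
# TLV type numbers from RFC 4851, PAC attribute numbers from RFC 5422.
TLV_TYPES = {3: "Result", 9: "EAP-Payload", 10: "Intermediate-Result",
             11: "PAC", 12: "Crypto-Binding"}
PAC_ATTRS = {1: "PAC-Key", 2: "PAC-Opaque", 3: "PAC-Lifetime", 4: "A-ID",
             5: "I-ID", 7: "A-ID-Info", 8: "PAC-Acknowledgement", 9: "PAC-Info"}
STATUS = {1: "Success", 2: "Failure"}


def parse_tlvs(data: bytes):
    """Split data into (mandatory, type, value) triples.

    Each TLV is a 2-byte header (M bit, R bit, 14-bit type), a 2-byte length
    and `length` value bytes. Truncated input raises ValueError.
    """
    out, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated TLV header at offset %d" % off)
        hdr, length = struct.unpack_from(">HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("TLV at offset %d overruns input" % (off - 4))
        out.append((bool(hdr & 0x8000), hdr & 0x3FFF, data[off:off + length]))
        off += length
    return out


def status_text(value: bytes) -> str:
    """Decode the 2-byte status code used by Result and PAC-Acknowledgement."""
    return STATUS.get(struct.unpack(">H", value)[0], "Unknown")


def decode_pac_ack(hexdump: str):
    """Return one human-readable line per TLV in a PAC-Acknowledgement message."""
    lines = []
    for mandatory, tlv_type, value in parse_tlvs(bytes.fromhex(hexdump)):
        name = TLV_TYPES.get(tlv_type, "Unknown(%d)" % tlv_type)
        flag = " [M]" if mandatory else ""
        if tlv_type == 3:
            lines.append("%s TLV%s: %s" % (name, flag, status_text(value)))
        elif tlv_type == 11:  # PAC TLV wraps PAC attributes in the same header layout
            for _, attr, attr_val in parse_tlvs(value):
                attr_name = PAC_ATTRS.get(attr, "Unknown(%d)" % attr)
                desc = status_text(attr_val) if attr == 8 else "%d bytes" % len(attr_val)
                lines.append("%s TLV%s -> %s: %s" % (name, flag, attr_name, desc))
        else:
            lines.append("%s TLV%s: %d bytes" % (name, flag, len(value)))
    return lines
```

Running `decode_pac_ack(PAC_ACK_HEXDUMP)` shows that the peer's final message is exactly the Result TLV (Success) plus PAC-Acknowledgement from the diagram, so the EAP-Failure that follows is the expected rejection of the provisioning phase, not a malformed message.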

