HostAPD and WPA_supplicant interaction for EAP-FAST

Rajan Vijayaraghavan rajan.vijayaraghavan at gmail.com
Thu Oct 29 17:40:26 EDT 2009


Hi All:
I have a question about HostAPD and wpa_supplicant.

My setup has a Linux machine running the HostAPD RADIUS server (PEAPv0, PEAPv1,
TTLS, TLS, FAST, AKA, SIM); my wireless client is a Windows XP based client
using a Cisco Linksys 11n card. It runs wpa_supplicant to connect to the
wireless network. My ESS is called foo, running WPA2 Enterprise. An external
RADIUS server is used.

The HostAPD config from the RADIUS Server machine:

< snip >
driver=none
radius_server_clients=hostapd.radius_clients
radius_server_auth_port=1812

# Enable EAP server
eap_server=1
eap_user_file=hostapd.eap_user

# TLS parameters (shared by EAP-PEAP, EAP-TTLS, EAP-FAST)
ca_cert=cacert.pem
# Server certificate and private key from separate files
server_cert=srv.pem
private_key=srv.key

# Diffie-Hellman parameters
dh_file=hostapd.dh

# EAP-FAST parameters
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
eap_fast_a_id=0123456789abcdef
eap_fast_a_id_info=hostapd test server
eap_fast_prov=1
# expire PACs in ten minutes
pac_key_lifetime=600
pac_key_refresh_time=0

< snip >

The config file for wpa_supplicant is like this:

<snip>
network={
ssid="foo"
key_mgmt=WPA-EAP
proto=WPA2
pairwise=CCMP

eap=FAST
pac_file="c:\dirofwpasupp\fast-mschapv2.pac"
phase1="fast_provisioning=1"
phase2="auth=mschapv2"
ca_cert="cacert.pem"
anonymous_identity="anonymous"
identity="user1"
password="password1"
}

<snip>

The pem files are stored on both the server and the client. After
HostAPD is started on the Linux machine, wpa_supplicant is used to connect
the client to the network. I am getting an error message like:

"EAP-FAST: No Pac File 'c:\dirofwpasupp\fast-mschapv2.pac' - assume no PAC
entries have been provisioned.
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected.
CTRL-EVENT-EAP-FAILURE EAP authentication failed.

Can somebody please let me know if the above configuration is correct?

I captured the packets in the air between the Access Point and the Station:
The EAP FAST REQUEST packet from AP to STA has the EAP FAST start bit set.
The SSL (Secure Sockets Layer) section shows as "Unrecognized SSL Layer - SSL Data
Cannot be Recognized".
The EAP RESPONSE packet from STA to AP has the client hello with
TLS_DH_anon_WITH_AES_128_CBC_SHA in the Cipher Specs field.

I have a few questions on the PAC files:
Where does the PAC file get created? On the Linux machine that runs
hostapd or the Windows machine that runs wpa_supplicant?
Would it be created automatically on the client?
Also, how do I get the Juniper Access Client to work with the EAP-FAST method? I
checked the Juniper documentation but to no avail. Any helpful pointer would be
great.
Thanks.


-- 
Regards,
Rajan Vijayaraghavan
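An added lint for the wpa_supplicant network block quoted in this post (example code, not from the hostap project or the poster): it parses the block, flags keys wpa_supplicant would reject (such as key-mgmt instead of key_mgmt), and points out that fast_provisioning=1 is anonymous provisioning, which is why the capture shows an anonymous DH cipher suite. KNOWN_KEYS is an assumed subset of the real field list, and SAMPLE is constructed from the post.

```python
import re

# Keys accepted in a wpa_supplicant network block that matter here
# (assumption: a small subset, enough to lint the block in the post).
KNOWN_KEYS = {"ssid", "key_mgmt", "proto", "pairwise", "eap", "pac_file", "phase1",
              "phase2", "ca_cert", "anonymous_identity", "identity", "password"}
REQUIRED = ("ssid", "key_mgmt", "eap", "pac_file", "phase1", "identity", "password")

def parse_network_block(text):
    """Return the key/value pairs of the first network={...} block as a dict."""
    match = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no network={...} block found")
    conf = {}
    for line in match.group(1).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')  # quoted values are literal
    return conf

def check_eap_fast(conf):
    """Return a list of findings; an empty list means the block looks sane."""
    findings = [f"unknown key '{k}' (typo? wpa_supplicant rejects it)"
                for k in conf if k not in KNOWN_KEYS]
    findings += [f"missing '{k}'" for k in REQUIRED if k not in conf]
    if conf.get("eap") != "FAST":
        findings.append("eap must be FAST")
    if "key_mgmt" in conf and conf["key_mgmt"] != "WPA-EAP":
        findings.append("key_mgmt must be WPA-EAP for 802.1X/EAP")
    phase1 = dict(p.split("=", 1) for p in conf.get("phase1", "").split() if "=" in p)
    prov = phase1.get("fast_provisioning")
    if prov is None:
        findings.append("phase1 lacks fast_provisioning, so no PAC can be provisioned")
    elif prov == "1":
        # Anonymous provisioning runs the tunnel on an anonymous DH cipher suite (the
        # TLS_DH_anon_* in the capture): the server is not authenticated while the PAC
        # is handed out, so it belongs to first enrolment only.
        findings.append("fast_provisioning=1 is anonymous (TLS_DH_anon) provisioning; "
                        "use 2 (authenticated) once ca_cert is deployed on clients")
    return findings

# Constructed sample: the post's block, including its key-mgmt spelling.
SAMPLE = r'''network={
ssid="foo"
key-mgmt=WPA-EAP
eap=FAST
pac_file="c:\dirofwpasupp\fast-mschapv2.pac"
phase1="fast_provisioning=1"
phase2="auth=mschapv2"
identity="user1"
password="password1"
}'''
```

Run `check_eap_fast(parse_network_block(SAMPLE))` to see the findings for the block as posted; the same check returns an empty list once the key is spelled key_mgmt and provisioning is set to authenticated mode.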