HostAPD and WPA_supplicant interaction for EAP-FAST

Jouni Malinen j at w1.fi
Fri Oct 30 11:58:03 EDT 2009


On Fri, Oct 30, 2009 at 03:10:26AM +0530, Rajan Vijayaraghavan wrote:

> The config file for wpa_supplicant is like this:

> eap=FAST
> pac_file="c:\dirofwpasupp\fast-mschapv2.pac"
> phase1="fast_provisioning=1"
> phase2="auth=mschapv2"

That is supposed to be phase2="auth=MSCHAPV2"

> The pem files are stored both the in the server and the client. After the
> HostAPD is started on the linux machine, wpa_supplicant is used to connect
> the client to the network. I am getting an error message like
> 
> "EAP-FAST: No Pac File 'c:\dirofwpasupp\fast-mschapv2.pac' - assume no PAC
> entries have been provisioned.

That is not an error message.

> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected.

And neither is that one.

> CTRL-EVENT-EAP-FAILURE EAP authentication failed.
> 
> Can somebody please let me know if the above configuration is correct?

I noticed one error in the wpa_supplicant configuration. If fixing that
does not resolve the problem, I would suggest taking a look at
wpa_supplicant debug log (run it with -dd on command line).

> I captured the packets in the air between the Access Point and the Station:
> The EAP FAST REQUEST packet from AP to STA has the EAP FAST start bit set.
> The SSL Secure Sockets Layer shows as "Unrecognized SSL Layer" - SSL Data
> Cannot be Recognized".

The tool that you used to parse the message does not seem to be able to
handle the EAP-FAST Start message correctly (it does not actually
include any SSL data).

> Where does the PAC file get created? On the Linux machine that runs the
> hostapd or the windows machine that runs the wpa_supplicant.
> Would it be created automatically on the client?

The PAC file itself is created on the client. The PAC key stored in this
file is generated by the authentication server (hostapd in this case).

> Also how do I use Juniper Access Client to work in EAP FAST method. I
> checked with Juniper document but to no avail. Any helpful pointer would be
> great.

That would be a question for Juniper, not this mailing list..

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list