WPA2-PEAP problems

Harshal Chhaya harshal at gmail.com
Thu Jul 14 08:40:48 EDT 2011


On Mon, Jul 4, 2011 at 1:38 PM, Jouni Malinen <j at w1.fi> wrote:
> On Thu, May 19, 2011 at 10:09:18PM -0500, Harshal Chhaya wrote:
>> Here is the output of a failed WPA2-PEAP handshake with '-ddK'. I
>> noticed 'EAP-PEAP: Length mismatch in Phase 2 EAP frame (len=75
>> hdr->length=76)' towards the end which seems to be where the failure
>> starts. The 'EAP: EAP entering state INTEGRITY_CHECK' message a little
>> later also looks odd. I am a little curious about this since this same
>> client is working with a freeRADIUS-based AP.
>
> I seem to be unable to reproduce this either on x86_64 or on an embedded
> MIPS device with OpenWRT. Did you figure out what the problem was or is
> this still an open issue? Which supplicant was used in the test? And
> the same questions would apply for the "EAP-PEAP: Unexpected
> Cryptobinding TLV SubType 0", too.

Jouni,

Thanks for following up on this. We saw the problem happen on a
OMAP3-based (i.e. ARM) system. But I think what's more relevant is
that the client is using an older version of the dot1X supplicant from
Mentor Graphics (as part of the Nucleus RTOS). It's possible that the
supplicant has some strange bug that causes this problem. Unfortunately,
we don't have the option of updating the supplicant (this new AP has to
work with clients that are already in the field).

I was really keen to use the authenticator built-in to hostapd but we
had to fall back to using freeRADIUS for now.

If you need more logs or any further details, please let me know.

Thanks again for all your help.
- Harshal


More information about the HostAP mailing list