LEAP Failure

Kent Peacock Kent.Peacock at oracle.com
Wed Oct 5 17:50:46 EDT 2011


I've got a situation where LEAP doesn't finish its authentication 
correctly. This is a port of wpa_supplicant to a thin client device, and 
I'm using a hardwired Catalyst 2950 switch, with a FreeRADIUS backend 
server. On the thin client, I get this (truncated):

TX EAPOL 01010000
RX EAPOL 010000050101000501
TX EAPOL 0100000902010009016b656e74
RX EAPOL 01000016010200160410f23b86493fe5c20c0ab85f4bb08df441
TX EAPOL 01000006020200060311
RX EAPOL 010000140103001411010008f50abd499f89ac126b656e74

EAP-LEAP: Processing EAP-Request
EAP-LEAP: Challenge from AP  f5 0a bd 49 9f 89 ac 12
EAP-LEAP: Generating Challenge Response
EAP-LEAP: Response  622e4d725cde61a45f305a1a622cf855b5093e8d3a38e9e7

TX EAPOL 010000240203002411010018622e4d725cde61a45f305a1a622cf855b5093e8d3a38e9e76b656e74
RX EAPOL 0100000403040004

EAP-LEAP: Processing EAP-Success
EAP-LEAP: Challenge to AP/AS  cca9ad1406f56cbb

TX EAPOL 010000140105001411010008cca9ad1406f56cbb6b656e74
RX EAPOL 0100000403040004	<----- Huh?

EAP-LEAP: Processing EAP-Success
EAP-LEAP: EAP-Success received in unexpected state (2) - ignored

RX EAPOL 0100000404040004

Restarts and tries again:

RX EAPOL 010000050105000501
...

and on the RADIUS server, I see this:

EAP-Message = 0x02010009016b656e74
EAP-Message = 0x010200160410f23b86493fe5c20c0ab85f4bb08df441
EAP-Message = 0x020200060311
EAP-Message = 0x0103001411010008f50abd499f89ac126b656e74
EAP-Message = 0x0203002411010018622e4d725cde61a45f305a1a622cf855b5093e8d3a38e9e76b656e74
EAP-Message = 0x03040004

AP/AS Challenge is not received, but Identity response for retry comes 
through:

EAP-Message = 0x02050009016b656e74
...


The problem seems to be that the Catalyst switch is not passing through 
the AS/AP challenge from the client to the RADIUS server, but instead 
responds to the challenge with another EAP-Success. It occurred to me 
that it might be because the request ID on the challenge was the same as 
the EAP-Success, so I bumped it up one, but that didn't seem to help. I 
suspect a problem with the switch, but was wondering if anyone has seen 
this sort of thing before.

Kent Peacock
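
Added example, not part of the original post: a small decoder for the EAPOL hex lines in the thin-client trace above, which makes the EAP code, identifier and type of each frame visible (the client's final LEAP challenge goes out as an EAP-Request with id 5, and the next frame received is an EAP-Success with id 4). It assumes the LEAP payload layout the traced bytes follow (version, unused, length, value, name); `parse_eapol` and `TRACE` are names chosen for this example.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 17: "LEAP"}
# Frames copied from the thin-client trace in the post (direction, hex).
TRACE = [
    ("TX", "01010000"),
    ("RX", "010000050101000501"),
    ("TX", "0100000902010009016b656e74"),
    ("RX", "01000016010200160410f23b86493fe5c20c0ab85f4bb08df441"),
    ("TX", "01000006020200060311"),
    ("RX", "010000140103001411010008f50abd499f89ac126b656e74"),
    ("TX", "010000240203002411010018622e4d725cde61a45f305a1a622cf855"
           "b5093e8d3a38e9e76b656e74"),
    ("RX", "0100000403040004"),
    ("TX", "010000140105001411010008cca9ad1406f56cbb6b656e74"),
    ("RX", "0100000403040004"),
    ("RX", "0100000404040004"),
]

def parse_eapol(hexstr):
    """Decode one EAPOL frame (no Ethernet header) into a dict."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("short EAPOL header")
    _version, ptype, blen = struct.unpack("!BBH", raw[:4])
    body = raw[4:4 + blen]
    if len(body) != blen:
        raise ValueError("truncated EAPOL body")
    out = {"eapol_type": ptype}          # 0 = EAP-Packet, 1 = EAPOL-Start
    if ptype != 0:
        return out
    if blen < 4:
        raise ValueError("short EAP header")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if not 4 <= elen <= blen:
        raise ValueError("bad EAP length")
    out.update(code=EAP_CODES.get(code, code), id=ident)
    if code in (1, 2) and elen > 4:      # only Request/Response carry a type
        etype, data = body[4], body[5:elen]
        out["type"] = EAP_TYPES.get(etype, etype)
        # LEAP payload: version, unused, count, value, name (malformed: skipped)
        if etype == 17 and len(data) >= 3 and len(data) >= 3 + data[2]:
            out["leap_value"] = data[3:3 + data[2]].hex()
            out["leap_name"] = data[3 + data[2]:].decode("ascii", "replace")
    return out

if __name__ == "__main__":
    for direction, hexstr in TRACE:
        print(direction, parse_eapol(hexstr))
```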


