Interworking and its creds

Dr. Ajay N. Khosla drkhosla at ankhnet.net
Sun Aug 19 09:33:20 EDT 2012


Thank you, Jouni. I will change roaming_consortium from ASCII to binary hex and I am sure it will work.

I am a little bit confused: can we use EAP-SIM/EAP-AKA (instead of PEAP/TLS/TTLS) in case we enforce WPA2-Enterprise in HS2.0? If we used EAP-SIM/EAP-AKA then phase2 of MSCHAPv2 is not required.

Dr. Ajay N. Khosla

> On Sat, Aug 18, 2012 at 07:48:00AM +0530, Dr. Ajay N. Khosla wrote:
> > I have created two interworking and HS2.0 SSIDs, TEST-Open (without
> > any key) and TEST-80211u (with WPA2-Enterprise). The hostapd.conf
> > contains the following parameters

> You cannot have an open network with HS 2.0. hostapd did not enforce
> this, but I'll make it reject that configuration so that only the
> WPA2-Enterprise case can use hs20=1 parameter.

> > I created configuration file wpa_supplicant.conf
> > cred={
> > roaming_consortium="2233445566"

> That value is not in correct format. The roaming consortium OI is a
> binary field and you would configure it as a hexdump, not ASCII
> string of those digits. In other words:

> roaming_consortium=2233445566

> > > interworking_select
> > OK

> > <3>ANQP fetch completed
> > <3>CTRL-EVENT-DISCONNECTED bssid=02:27:22:e5:a0:2a reason=3
> > locally_generated=1
> > <3>CTRL-EVENT-SCAN-RESULTS
> > <3>SME: Trying to authenticate with 02:27:22:e5:a0:2a
> > (SSID='TEST-Open' freq=2437 MHz)
> > <3>Trying to associate with 02:27:22:e5:a0:2a (SSID='TEST-Open'
> > freq=2437 MHz)

> > The first one 02:27:22:e5:a0:2b is TEST-80211u and the other
> > 02:27:22:e5:a0:2a is TEST-Open, to which I am connected. After the
> > interworking_select command it always disconnects and reconnects
> > to the connected SSID.

> That reconnection was not supposed to be there with plain
> interworking_select, i.e., it should only happen with
> "interworking_select auto". I'll fix that in wpa_supplicant.

> > Now I wanted to connect, i.e. interworking_connect, to TEST-80211u
> > (WPA2-Enterprise) using the above-mentioned cred. When I give the command
> >
> > > interworking_connect 02:27:22:e5:a0:2b
> > FAIL

> This is expected - you cannot use interworking_connect unless you
> first see a network match, i.e., "INTERWORKING-AP" event in wpa_cli.
> There were no matches because of the incorrectly configured roaming
> consortium. With that fixed, the configuration file works fine:

> <3>CTRL-EVENT-SCAN-RESULTS
> <3>SME: Trying to authenticate with 02:00:00:00:02:00
> (SSID='TEST-Open' freq=2412 MHz)
> <3>Trying to associate with 02:00:00:00:02:00 (SSID='TEST-Open'
> freq=2412 MHz)
> <3>Associated with 02:00:00:00:02:00
> <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:02:00 completed
> (auth) [id=0 id_str=]
> >
> > interworking_select
> OK
> <3>Starting ANQP fetch for 02:00:00:00:01:00
> <3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
> <3>RX-ANQP 02:00:00:00:01:00 Venue Name
> <3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
> <3>RX-ANQP 02:00:00:00:01:00 Domain Name list
> <3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
> <3>Starting ANQP fetch for 02:00:00:00:02:00
> <3>RX-ANQP 02:00:00:00:02:00 ANQP Capability list
> <3>RX-ANQP 02:00:00:00:02:00 Venue Name
> <3>RX-ANQP 02:00:00:00:02:00 Roaming Consortium list
> <3>RX-ANQP 02:00:00:00:02:00 Domain Name list
> <3>RX-HS20-ANQP 02:00:00:00:02:00 HS Capability List
> <3>ANQP fetch completed
> <3>INTERWORKING-AP 02:00:00:00:01:00 type=home
> <3>INTERWORKING-AP 02:00:00:00:02:00 type=home
> > interworking_connect 02:00:00:00:01:00
> OK
> <3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:02:00 reason=3
> locally_generated=1
> <3>CTRL-EVENT-SCAN-RESULTS
> <3>SME: Trying to authenticate with 02:00:00:00:01:00
> (SSID='TEST-80211u' freq=2412 MHz)
> <3>Trying to associate with 02:00:00:00:01:00 (SSID='TEST-80211u'
> freq=2412 MHz)
> <3>Associated with 02:00:00:00:01:00
> <3>CTRL-EVENT-EAP-STARTED EAP authentication started
> <3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
> <3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
> <3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=wifi-server'
> <3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
> <3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP
> GTK=CCMP]
> <3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed
> (reauth) [id=1 id_str=]

> > It fails and gives debug output as given below
> >
> > 1345275655.290046: RX ctrl_iface - hexdump_ascii(len=38):
> > 49 4e 54 45 52 57 4f 52 4b 49 4e 47 5f 43 4f 4e INTERWORKING_CON
> > 4e 45 43 54 20 30 32 3a 32 37 3a 32 32 3a 65 35 NECT 02:27:22:e5
> > 3a 61 30 3a 32 62 :a0:2b
> > 1345275655.290149: Interworking: Could not parse NAI Realm list
> > from 02:27:22:e5:a0:2b
> > 1345275655.290163: Interworking: No matching credentials and EAP
> > method found for 02:27:22:e5:a0:2b

> Since the roaming consortium OI did not match (due to
> misconfiguration), wpa_supplicant tried to use NAI Realm list and
> that did not exist in this case. As such, this was expected behavior.

> --
> Jouni Malinen PGP id EFC895FA

> ------------------------------

> Message: 4
> Date: Sun, 19 Aug 2012 14:35:50 +0300
> From: Jouni Malinen <j at w1.fi>
> Subject: Re: [PATCH] use User-Name and Chargeable-User-Identity f?r
> Access-Accept for Accounting Messages even if 802.1X is not used
> To: hostap at lists.shmoo.com
> Message-ID: <20120819113550.GA13813 at w1.fi>
> Content-Type: text/plain; charset=us-ascii

> On Thu, Aug 16, 2012 at 12:30:30PM +0200, michael-dev wrote:
> > thanks for reviewing. Please find attached a patch that addresses
> > your comments.

> Thanks, applied with some cleanup.

> --
> Jouni Malinen PGP id EFC895FA
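
An added illustration of the roaming_consortium format point in the quoted reply (not code from wpa_supplicant or from either poster): the sketch below reads cred blocks and shows which bytes a quoted versus a bare value denotes. The sample config, the function names, and the assumptions that the AP advertises OI 2233445566 and that matching is exact byte equality are constructed for this example.

```python
import re

# Constructed sample: the cred entry from the thread as first written (quoted),
# as corrected (bare hexdump), and a malformed bare value.
SAMPLE_CONF = '''
cred={
    roaming_consortium="2233445566"
}
cred={
    roaming_consortium=2233445566
}
cred={
    roaming_consortium=22334455zz
}
'''

def parse_oi(raw):
    """Quoted value -> bytes of the ASCII characters; bare value -> hexdump bytes."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "ascii", raw[1:-1].encode("ascii")
    try:
        return "hex", bytes.fromhex(raw)
    except ValueError:
        return "invalid", b""

def check_creds(conf_text, ap_oi):
    """Return one (form, oi_hex, matches_ap) tuple per cred block that sets an OI.

    ap_oi is the OI the AP is assumed to advertise; matching is modelled
    as exact byte equality, a simplification for this illustration.
    """
    findings = []
    for block in re.findall(r"^cred=\{(.*?)^\}", conf_text, re.S | re.M):
        m = re.search(r"^\s*roaming_consortium=(\S+)\s*$", block, re.M)
        if m:
            form, oi = parse_oi(m.group(1))
            findings.append((form, oi.hex(), oi == ap_oi))
    return findings

if __name__ == "__main__":
    for form, oi_hex, ok in check_creds(SAMPLE_CONF, bytes.fromhex("2233445566")):
        print(f"{form:8} oi={oi_hex or '-':22} match={ok}")
```

The quoted form yields ten bytes (the ASCII codes of the digits) rather than the five-byte OI, which is why no INTERWORKING-AP match appeared until the quotes were removed.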




