EAP-FAST error with Cisco ACS 5.2 and wpa_supplicant 0.6.9, not seen with Cisco ACS 4.1

Jouni Malinen j at w1.fi
Sun Nov 11 09:37:55 EST 2012


On Thu, Nov 08, 2012 at 03:59:42PM +0000, Gulick Tom-WPD384 wrote:
> We see an error during the PAC provisioning phase of an EAP-FAST connection with Cisco ACS 5.2 that we don't see with Cisco ACS 4.1.

I don't have Cisco ACS 5.2, so I cannot easily verify this behavior
myself. Anyway, the log seems to indicate authentication failure (e.g.,
incorrect password in MSCHAPv2):

> With ACS 5.2, we get this in the supplicant log:

> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Received Phase 2: TLV type 9 length 57 (mandatory)
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-FAST: Phase 2 Request: type=26
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: RX identifier 246 mschapv2_id 245
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: Received failure
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: error 691
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: retry is allowed
> 2012-11-07 09:47:59 [ APCT][Dbg1] EAP-MSCHAPV2: password changing protocol version 3
> 2012-11-07 09:47:59 [ APCT][Warn] EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)

That error 691 is allocated for indicating authentication failures.
Assuming you have verified that the username/password is valid, this
could be caused by some other failures during the authentication step.
Could you please send the full wpa_supplicant debug log showing the EAP-FAST
authentication attempt from the beginning to this point? Do you have
access to the ACS server? If so, it would be good to take a look at its
logs to determine the reason for rejecting MSCHAPv2 authentication.

-- 
Jouni Malinen                                            PGP id EFC895FA
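As an added example (not code from this thread or from wpa_supplicant), a decoder for the MS-CHAPv2 Failure-Response text that an authenticator sends on rejection (RFC 2759 section 6); its E=, R= and V= fields are what the supplicant turns into the "error 691", "retry is allowed" and "password changing protocol version 3" lines quoted above. The sample strings in the test are constructed.

```python
"""Decode an MS-CHAPv2 Failure-Response string (RFC 2759 section 6)."""
import re
from dataclasses import dataclass
from typing import Optional

# Error codes defined in RFC 2759 section 6; 691 is the one in the log.
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


@dataclass
class FailureResponse:
    error: int
    retry_allowed: bool
    challenge: Optional[bytes]  # 16-byte retry challenge from C=, if present
    version: Optional[int]      # password-change protocol version from V=
    message: str                # free text after M=, may be empty

    def describe(self) -> str:
        name = MSCHAPV2_ERRORS.get(self.error, "unknown code")
        retry = "allowed" if self.retry_allowed else "not allowed"
        return f"error {self.error} ({name}), retry {retry}"


_FIELD = re.compile(r"(?:^|\s)([ERCV])=(\S*)")


def parse_failure(text: str) -> FailureResponse:
    """Parse 'E=eee R=r C=<32 hex> V=v M=<msg>'; only E= is required."""
    # M= runs to the end of the string and may contain spaces, so split it
    # off first and parse the fixed-format fields in front of it.
    m = re.search(r"(?:^|\s)M=", text)
    message = text[m.end():] if m else ""
    head = text[:m.start()] if m else text
    fields = dict(_FIELD.findall(head))
    if "E" not in fields or not fields["E"].isdigit():
        raise ValueError("failure response has no numeric E= field")
    chal, ver = fields.get("C", ""), fields.get("V", "")
    return FailureResponse(
        error=int(fields["E"]),
        retry_allowed=fields.get("R") == "1",
        challenge=bytes.fromhex(chal) if re.fullmatch(r"[0-9a-fA-F]{32}", chal) else None,
        version=int(ver) if ver.isdigit() else None,
        message=message,
    )
```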

