EAP-FAST: authenticated provisioning failure on Cisco ACS 5.4
Nakashima.Akihiro at exc.epson.co.jp
Wed Apr 29 21:09:22 EDT 2015
Thank you for your reply.
> What is this specific order of TLVs based on? I did not find anything
> in RFC 4851 describing a requirement of Intermediate-Result TLV being
> before Crypto-Binding TLV in the message. Taken into account how those
> TLVs are calculated, there is no difference in their payload
> regardless of in which order they happen to be included.
(4.2.7. Intermediate-Result TLV)
An Intermediate-Result TLV indicating success
MUST be accompanied by a Crypto-Binding TLV
(4.2.8. Crypto-Binding TLV)
The Crypto-Binding TLV MUST be included with the Intermediate-Result
TLV to perform Cryptographic Binding after each successful EAP method
in a sequence of EAP methods.
It seems to me that these sentences imply the order of Intermediate-Result TLV to Crypto-Binding TLV.
But as I am not a Cisco engineer, we have no idea how Cisco implements ACS or why this error message is shown.
Anyway, I prepared the full debug log files both with and without your workaround patch.
The patch worked fine for ACS 5.4 with both anonymous and authenticated provisioning.
Thank you for kindly providing the patches.
-> without workaround patch, anonymous provisioning (Success)
-> without workaround patch, authenticated provisioning (Failure)
-> with workaround patch, anonymous provisioning (Success)
-> with workaround patch, authenticated provisioning (Success)
If you have any requests for me, please feel free to ask.
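The RFC 4851 requirement quoted in the message above, written as an order-independent receiver check. This is an added example, not hostapd or Cisco ACS code and not part of the original message; the function name, return codes and sample buffers are assumptions made for illustration, and the Compound MAC is not verified here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Type, status and length values from RFC 4851, section 4.2 */
enum { TLV_INTERMEDIATE_RESULT = 10, TLV_CRYPTO_BINDING = 12,
       TLV_STATUS_SUCCESS = 1, CRYPTO_BINDING_LEN = 56 };
enum tlv_check { TLV_OK = 0, TLV_MALFORMED = -1, TLV_MISSING_BINDING = -2 };

/* Constructed samples; nonce and Compound MAC are zero-filled, not real. */
static const uint8_t IR_THEN_CB[66] = { 0x80, 0x0a, 0x00, 0x02, 0x00, 0x01,
                                        0x80, 0x0c, 0x00, 0x38 };
static const uint8_t CB_THEN_IR[66] = { 0x80, 0x0c, 0x00, 0x38,
                                        [60] = 0x80, 0x0a, 0x00, 0x02, 0x00, 0x01 };
static const uint8_t IR_ONLY[6] = { 0x80, 0x0a, 0x00, 0x02, 0x00, 0x01 };

/* Hypothetical helper: walk every TLV in a Phase 2 message and require that
 * a successful Intermediate-Result TLV is accompanied by a Crypto-Binding
 * TLV, wherever in the message each of them appears. */
enum tlv_check check_phase2_tlvs(const uint8_t *buf, size_t len)
{
    int success_seen = 0, binding_seen = 0;
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 4)
            return TLV_MALFORMED;                 /* truncated TLV header */
        unsigned type = ((buf[pos] & 0x3fu) << 8) | buf[pos + 1]; /* drop M/R bits */
        size_t vlen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
        if (vlen > len - pos)
            return TLV_MALFORMED;                 /* value runs past the buffer */
        if (type == TLV_INTERMEDIATE_RESULT) {
            if (vlen < 2)
                return TLV_MALFORMED;
            if (((buf[pos] << 8) | buf[pos + 1]) == TLV_STATUS_SUCCESS)
                success_seen = 1;
        } else if (type == TLV_CRYPTO_BINDING) {
            if (vlen != CRYPTO_BINDING_LEN)
                return TLV_MALFORMED;
            binding_seen = 1;
        }
        pos += vlen;
    }
    return (success_seen && !binding_seen) ? TLV_MISSING_BINDING : TLV_OK;
}

int main(void)
{
    printf("%d %d %d\n", check_phase2_tlvs(IR_THEN_CB, sizeof(IR_THEN_CB)),
           check_phase2_tlvs(CB_THEN_IR, sizeof(CB_THEN_IR)),
           check_phase2_tlvs(IR_ONLY, sizeof(IR_ONLY)));
    return 0;
}
```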