EAP-FAST: authenticated provisioning failure on Cisco ACS 5.4

Nakashima Akihiro Nakashima.Akihiro at exc.epson.co.jp
Wed Apr 29 21:09:22 EDT 2015


Thank you for your reply.

> What is this specific order of TLVs based on? I did not find anything 
> in RFC 4851 describing a requirement of Intermediate-Result TLV being 
> before Crypto-Binding TLV in the message. Taken into account how those 
> TLVs are calculated, there is no difference in their payload 
> regardless of in which order they happen to be included.

  (4.2.7. Intermediate-Result TLV)
   An Intermediate-Result TLV indicating success
   MUST be accompanied by a Crypto-Binding TLV

  (4.2.8. Crypto-Binding TLV)
   The Crypto-Binding TLV MUST be included with the Intermediate-Result
   TLV to perform Cryptographic Binding after each successful EAP method
   in a sequence of EAP methods.

It seems that these sentences imply the order of Intermediate-Result TLV to Crypto-Binding TLV for me.
But as I am not Cisco engineer, we have no idea what Cisco implement ACS and why this error message shown.

Anyway I prepared the full debug log files that both of with/without your workaround patch.
The patch worked fine for ACS 5.4 both of anonymous/authenticated provisioning.
Thank you for kindly provide patches.

http://pastebin.com/tNjuj9YT
  -> without workaround patch, anonymous provisioning (Success)
http://pastebin.com/rHq8Ga0s
  -> without workaround patch, authenticated provisioning (Failure) 

http://pastebin.com/VmeKkkL2
  -> with workaround patch, anonymous provisioning (Success)
http://pastebin.com/ffmqqF5h
  -> with workaround patch, authenticated provisioning (Success)

If you have any request for me, please feel free to ask.

Thank you.

--
Best Regards,
Akihiro Nakashima


More information about the HostAP mailing list