EAP-TTLS authentication

Isaac Konikoff konikofi at candelatech.com
Tue Aug 4 17:00:14 EDT 2015 

Hi All,

I'm testing HS2.0 and EAP-TTLS with hostapd-radius but I get this failure:

1438714591.511626: sta4: SME: Trying to authenticate with 
00:0e:8e:c3:19:79 (SSID='ABCD-1234' freq=5765 MHz)
1438714591.519533: sta4: Trying to associate with 00:0e:8e:c3:19:79 
(SSID='ABCD-1234' freq=5765 MHz)
1438714591.522218: sta4: Associated with 00:0e:8e:c3:19:79
1438714591.523228: sta4: CTRL-EVENT-EAP-STARTED EAP authentication started
1438714591.525898: sta4: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE 
type=COUNTRY alpha2=US
1438714621.527055: sta4: CTRL-EVENT-EAP-STARTED EAP authentication started
1438714651.624031: sta4: CTRL-EVENT-DISCONNECTED bssid=00:0e:8e:c3:19:79 
reason=23
1438714651.624065: sta4: CTRL-EVENT-SSID-TEMP-DISABLED id=1 
ssid="ABCD-1234" auth_failures=1 duration=10 reason=AUTH_FAILED


Here are my config files for hostapd and wpa_supplicant...

Access Point:
interface=vap1
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=ABCD-1234
bssid=00:0e:8e:c3:19:79
country_code=US
ieee80211d=1
ieee80211h=0
ieee80211w=0
hw_mode=a
ieee80211n=1
beacon_int=240
dtim_period=2
max_num_sta=2007
rts_threshold=2347
fragm_threshold=2346
preamble=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
# Enable HT modes if you want 300Mbps+ throughput.
#ht_capab=[HT20][HT40-][HT40+][GF][SHORT-GI-20][SHORT-GI-40]
# 
[TX-STBC][RX-STBC123][MAX-AMSDU-7935][DSSS_CCK-40][PSMP][LSIG-TXOP-PROT]
ht_capab=[HT20][HT40+][SHORT-GI-40][SHORT-GI-20]
#vht_capab=[MAX-MPDU-11454][RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP0][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]

wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
channel=149
supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
ieee8021x=1
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1811
auth_server_shared_secret=lanforge
wpa=2
wpa_pairwise=CCMP
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256

# 802.11u configuration
interworking=1
access_network_type=4
internet=1
asra=1
esr=1
uesa=1
venue_group=2
venue_type=1
hessid=00:00:00:00:00:33
venue_name=eng:LANforge Test Venue
network_auth_type=00
ipaddr_type_availability=04
domain_name=lanforge.com
anqp_3gpp_cell_net=123,20
nai_realm=0,lanforge.com,13:[5:6],18:[5:1][5:2],21:[2:4][5:7]

# HotSpot 2.0 configuration
hs20=1
hs20_oper_friendly_name=eng:LANforge HotSpot 2.0
hs20_wan_metrics=01:8000:1000:80:240:3000
hs20_operating_class=517C

# Error emulation settings.
ignore_probe_probability=0.000000
ignore_auth_probability=0.000000
ignore_assoc_probability=0.000000
ignore_reassoc_probability=0.000000
corrupt_gtk_rekey_mic_probability=0.000000

Hostapd-Radius:
interface=eth1
driver=wired
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
eapol_key_index_workaround=0
eap_server=1
eap_user_file=/etc/hostapd.eap_user
eap_sim_db=unix:/tmp/hlr_auc_gw.sock
radius_server_auth_port=1811
radius_server_clients=/etc/hostapd.radius_clients

ca_cert=/etc/raddb/certs/ca.pem
server_cert=/etc/raddb/certs/server.pem
private_key=/etc/raddb/certs/server.key
private_key_passwd=lanforge


/etc/hostapd.eap_user
"dot11r.user" PEAP
"dot11r.user" MSCHAPV2 "!!dot11r123" [2]

"lanforge.peap" PEAP
"lanforge.peap" MSCHAPV2 "!!lanforge123" [2]

"lanforge.tls" TLS

"lanforge.ttls" TTLS
"lanforge.ttls" MD5,TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 
"!!ttls123" [2]

"*@lanforge.com" TLS,TTLS
"0"*            AKA
"1"*		SIM
* TTLS-MSCHAPV2 "!!ttls123" [2]


Client:
ctrl_interface=/var/run/wpa_supplicant
fast_reauth=1
concurrent_assoc_ok=1
accept_external_scan_results=1
scan_cur_freq=1
min_scan_gap=5
p2p_disabled=1

# 802.11u / Interworking configuration.
interworking=1
hessid=00:00:00:00:00:33
auto_interworking=1
access_network_type=0

# HotSpot 2.0 configuration
hs20=1
osu_dir=/home/lanforge/wifi/osu_sta4

bss_max_count=2000
network={
     interworking_defaults=1
     disable_ht=0
     disable_vht=0
     ieee80211w=0
     disable_ht40=0
     disable_sgi=0
     ht_mcs=""
     disable_max_amsdu=-1
     ampdu_factor=-1
     ampdu_density=-1

}

cred={
     username="lanforge.ttls"
     password="!!ttls123"
     realm="lanforge.com"
     domain="lanforge.com"
     eap=TTLS
     phase2="autheap=MSCHAPV2"

}

I've tried different combos of the hostapd.eap_user file without 
success, but this must be where the problem is. Other clients can 
authenticate with EAP-SIM, EAP-AKA and EAP-PEAP.

Thanks for any suggestions!
Isaac

More information about the HostAP mailing list