Hostapd didn't ACK fragmented EAP-TLS frame

Olivier Cochard-Labbé olivier at cochard.me
Wed Jan 21 05:51:52 EST 2015


Hi,

I'm using FreeBSD 11.0-CURRENT r277315 and meet a problem with my FreeBSD
Access Point on an EAP-TLS setup.
I've tested with hostapd 2.0 (included with FreeBSD) and hostapd 2.3 (from
the port) but I have the same problem:

During EAP-TLS authentication, the Authenticator (hostapd) correctly send
an EAP fragmented "Server Hello, Certificate, Certificate Request" message
to the supplicant.
The supplicant (MS Windows native client) correctly ACK each of theses
fragmented EAP packets with an empty EAP-TLS packet.

Once the supplicant re-assemble the full EAP Certificate request from the
Authenticator, it send a response (EAP fragmented too).
But hostapd never ACK this first fragmented packet received from the
supplicant
=> Then the authentication phase time out.

I've tried with 3 different wireless card:
- Atheros 9280 (ath driver)
- Atheros AR2425 (ath driver)
- Ralink RT2573 (rum driver)
And all these have the same problem (not a chipset or driver problem).

Here is a tcpdump text-export of an exchange (done on the hostapd):
- D-Link_58:79:3e is the AP (authenticator)
- GemtekTe_35:8c:70 is the wireless-client (supplicant)


No.     Time        Source                Destination           Protocol
Length Info
     21 21.497272   D-Link_58:79:3e       GemtekTe_35:8c:70     EAP
23     Request, Identity
     22 21.541316   GemtekTe_35:8c:70     D-Link_58:79:3e       EAPOL
19     Start
     23 21.542460   D-Link_58:79:3e       GemtekTe_35:8c:70     EAP
23     Request, Identity
     24 21.544299   GemtekTe_35:8c:70     D-Link_58:79:3e       EAP
60     Response, Identity
     25 21.547151   GemtekTe_35:8c:70     D-Link_58:79:3e       EAP
60     Response, Identity
     26 21.615532   D-Link_58:79:3e       GemtekTe_35:8c:70     EAP
24     Request, TLS EAP (EAP-TLS)
     27 21.622288   GemtekTe_35:8c:70     D-Link_58:79:3e       SSL
125    Client Hello
     28 21.691433   D-Link_58:79:3e       GemtekTe_35:8c:70     TLSv1
1314   Server Hello, Certificate, Certificate Request, Server Hello Done
     29 21.694861   GemtekTe_35:8c:70     D-Link_58:79:3e       EAP
24     Response, TLS EAP (EAP-TLS)
     30 23.594184   D-Link_58:79:3e       GemtekTe_35:8c:70     TLSv1
1314   Server Hello, Certificate, Certificate Request, Server Hello Done
     31 23.596294   GemtekTe_35:8c:70     D-Link_58:79:3e       EAP
24     Response, TLS EAP (EAP-TLS)
     32 23.664337   D-Link_58:79:3e       GemtekTe_35:8c:70     TLSv1
1314   Server Hello, Certificate, Certificate Request, Server Hello Done
     33 23.668877   GemtekTe_35:8c:70     D-Link_58:79:3e       EAP
24     Response, TLS EAP (EAP-TLS)
     34 23.732970   D-Link_58:79:3e       GemtekTe_35:8c:70     TLSv1
272    Server Hello, Certificate, Certificate Request, Server Hello Done
     35 23.743648   GemtekTe_35:8c:70     D-Link_58:79:3e       EAP
1510   Response, TLS EAP (EAP-TLS)


And here here the detail of this last frame 35:

No.     Time        Source                Destination           Protocol
Length Info
     35 23.743648   GemtekTe_35:8c:70     D-Link_58:79:3e       EAP
1510   Response, TLS EAP (EAP-TLS)

Frame 35: 1510 bytes on wire (12080 bits), 1510 bytes captured (12080 bits)
Ethernet II, Src: GemtekTe_35:8c:70 (20:10:7a:35:8c:70), Dst:
D-Link_58:79:3e (00:21:91:58:79:3e)
    Destination: D-Link_58:79:3e (00:21:91:58:79:3e)
    Source: GemtekTe_35:8c:70 (20:10:7a:35:8c:70)
    Type: 802.1X Authentication (0x888e)
802.1X Authentication
    Version: 802.1X-2001 (1)
    Type: EAP Packet (0)
    Length: 1492
    Extensible Authentication Protocol
        Code: Response (2)
        Id: 9
        Length: 1492
        Type: TLS EAP (EAP-TLS) (13)
        EAP-TLS Flags: 0xc0
            1... .... = Length Included: True
            .1.. .... = More Fragments: True
            ..0. .... = Start: False
        EAP-TLS Length: 3524


=> it's a fragmented EAP-TLS (Lenght: 3524, More Fragment set).
Then once this first fragment received, hostapd should ACK this fragment by
an empty EAP-TLS frame... but it didn't send it.

I've checked the eap_server/eap_server_tls common.c file and see lot's of
wpa_printf() regarding EAP-TLS and SSL that can help me to debug it. But I
didn't reach to enable this debug mode (event by starting hostapd with -dd).

How to display theses EAP-TLS/SSL debug messages ?

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20150121/94d3cea2/attachment-0001.htm>


More information about the HostAP mailing list