<div>Yes. I am using juniper SBR(version 5.4) as our external aaa radius server.</div> <div>But It failed when I use eap-fast type. It can work well when I use eap-peap/eap-tls/eap-ttls. All use same username/password and same certificates.</div> <div> </div> <div> </div> <div>error information in <STRONG><EM>authreports/rejects_20071128.csv</EM></STRONG></div> <div>"Date","Time","RADIUS-Client","User-Name","Reject-Method","Reject-Reason","Reject-Log","NAS-IP-Address"<BR>"2007-11-28","17:55:55","10.155.20.84","twang","EAP-FAST","<EM><STRONG>User name or credential incorrect"</STRONG></EM>,"Inner EAP-FAST authentication failed","10.155.20.84"<BR>"2007-11-28","18:06:43","10.155.20.84","twang","EAP-FAST","User name or credential incorrect","Inner EAP-FAST authentication failed","10.155.20.84"<BR>"2007-11-28","18:09:39","10.155.20.84","twang","EAP-FAST","User name or credential incorrect","Inner EAP-FAST authentication failed","10.155.20.84"<BR></div> <div>It
seems username or password incorrect, but same user can authenticate success when I use other eap types.</div> <div> </div> <div> </div> <div><EM><STRONG>log in 20071128.log.</STRONG></EM></div> <div>11/28/2007 17:25:34 Session-Timeout : Integer Value = 120<BR>11/28/2007 17:25:34 -----------------------------------------------------------<BR>11/28/2007 17:25:46 Looking up shared secret<BR>11/28/2007 17:25:46 Parsing request<BR>11/28/2007 17:25:46 NAS-IP-Address in request: 10.155.20.84<BR>11/28/2007 17:25:46 -----------------------------------------------------------<BR>11/28/2007 17:25:46 Authentication Request<BR>11/28/2007 17:25:46 Received From: ip=10.155.20.84 port=1032<BR>11/28/2007 17:25:46 Packet : Code = 0x1 ID = 0x0<BR>11/28/2007 17:25:46 Client Name = 10.155.20.84 Dictionary Name = Radius.dct<BR>11/28/2007 17:25:46 Vector =<BR>11/28/2007 17:25:46 000: 41dd8053 f456d0d9 9a7c112b 95fadf79 |A..S.V...|.+...y|<BR>11/28/2007 17:25:46 Parsed Packet
=<BR>11/28/2007 17:25:46 User-Name : String Value = twang<BR>11/28/2007 17:25:46 NAS-IP-Address : IPAddress = 10.155.20.84<BR>11/28/2007 17:25:46 NAS-Identifier : String Value = hhe.aerohive.com<BR>11/28/2007 17:25:46 NAS-Port : Integer Value = 0<BR>11/28/2007 17:25:46 Called-Station-Id : String Value = 00-19-77-00-00-34:hhe<BR>11/28/2007 17:25:46 Calling-Station-Id : String Value = 00-19-E0-80-A5-5A<BR>11/28/2007 17:25:46 Framed-MTU : Integer Value = 1500<BR>11/28/2007 17:25:46 NAS-Port-Type : Integer Value = 19<BR>11/28/2007 17:25:46 Connect-Info : String Value = CONNECT 11Mbps 802.11b<BR>11/28/2007 17:25:46 EAP-Message : Value =<BR>11/28/2007 17:25:46 000: 02030041 2b011703 01003626 968ee844 |...A+.....6&...D|<BR>11/28/2007 17:25:46 010: 439e8114 de37e588 006d559d b813ab5c |C....7...mU....\|<BR>11/28/2007 17:25:46 020: 12581e66 46697350 3263a88e b5abc694 |.X.fFisP2c......|<BR>11/28/2007 17:25:46 030: 54f84858 ddaf40b3 3b2b22bc fb6bd8ab <A
href='mailto:|T.HX..@.;+"..k'>|T.HX..@.;+"..k</A>..|<BR>11/28/2007 17:25:46 040: 69 |i |<BR>11/28/2007 17:25:46 State : String Value = SBR-CH 5|4<BR>11/28/2007 17:25:46 -----------------------------------------------------------<BR>11/28/2007 17:25:46 -----------------------------------------------------------<BR>11/28/2007 17:25:46 Tunneled Authentication Request<BR>11/28/2007 17:25:46 Packet : Code = 0x1 ID = 0x0<BR>11/28/2007 17:25:46 Client Name = LocalServer Dictionary Name = Radius.dct<BR>11/28/2007 17:25:46 Vector =<BR>11/28/2007 17:25:46 000: e2c1065a e9d0ebc0 8fcdfbd2 cf24d4a9 |...Z.........$..|<BR>11/28/2007 17:25:46 Parsed Packet =<BR>11/28/2007 17:25:46 User-Password : String Value =
<suppressed><BR>11/28/2007 17:25:46 User-Name : String Value = twang<BR>11/28/2007 17:25:46 -----------------------------------------------------------<BR>11/28/2007 17:25:46 Determining if this radius should act as a proxy<BR><EM><STRONG>11/28/2007 17:25:46 WINAUTH: NTSTATUS = C000006D / Win Error = 1326.<BR>11/28/2007 17:25:46 WINAUTH: -> Logon failure: unknown user name or bad password.</STRONG></EM></div> <div><EM><STRONG>11/28/2007 17:25:46 WINAUTH: LsaLogon returned 52e.</STRONG></EM><BR>11/28/2007 17:25:46 Unable to find user twang with matching password<BR>11/28/2007 17:25:46 -----------------------------------------------------------<BR>11/28/2007 17:25:46 Tunneled Authentication Response (reject)<BR>11/28/2007 17:25:46 Packet : Code = 0x3 ID = 0x0<BR>11/28/2007 17:25:46 Vector =<BR>11/28/2007 17:25:46 000: 8872c971 f70e4554 6c467fb9 df077b85 |.r.q..ETlF....{.|<BR>11/28/2007 17:25:46
-----------------------------------------------------------<BR>11/28/2007 17:25:46 Sent challenge response for user twang to client 10.155.20.84<BR>11/28/2007 17:25:46 -----------------------------------------------------------<BR>11/28/2007 17:25:46 Authentication Response<BR>11/28/2007 17:25:46 Packet : Code = 0xb ID = 0x0<BR>11/28/2007 17:25:46 Vector =<BR>11/28/2007 17:25:46 000: d2d9af0c d496da3e a168fa05 9df82db6 |.......>.h....-.|<BR>11/28/2007 17:25:46 State : String Value = SBR-CH 5|5<BR>11/28/2007 17:25:46 EAP-Message : Value =<BR>11/28/2007 17:25:46 000: 01040025 2b011703 01001ab7 ef9e2796 |...%+.........'.|<BR>11/28/2007 17:25:46 010: b77eb771 1dbc648d 2c55342c 585183a6 |.~.q..d.,U4,XQ..|<BR>11/28/2007 17:25:46 020: 4868023e 1a |Hh.>. |<BR>11/28/2007
17:25:46 Session-Timeout : Integer Value = 108<BR>11/28/2007 17:25:46 -----------------------------------------------------------<BR>11/28/2007 17:25:47 Looking up shared secret<BR>11/28/2007 17:25:47 Parsing request<BR>11/28/2007 17:25:47 NAS-IP-Address in request: 10.155.20.84<BR>11/28/2007 17:25:47 -----------------------------------------------------------<BR>11/28/2007 17:25:47 Authentication Request<BR>11/28/2007 17:25:47 Received From: ip=10.155.20.84 port=1032<BR>11/28/2007 17:25:47 Packet : Code = 0x1 ID = 0x1<BR>11/28/2007 17:25:47 Client Name = 10.155.20.84 Dictionary Name = Radius.dct<BR>11/28/2007 17:25:47 Vector =<BR>11/28/2007 17:25:47 000: a6419d6f 5cd4e3ec f8bae3d9 bf0aa611 |.A.o\...........|<BR>11/28/2007 17:25:47 Parsed Packet =<BR>11/28/2007 17:25:47 User-Name : String Value = twang<BR>11/28/2007 17:25:47 NAS-IP-Address : IPAddress = 10.155.20.84<BR>11/28/2007 17:25:47 NAS-Identifier : String Value = hhe.aerohive.com<BR>11/28/2007 17:25:47 NAS-Port :
Integer Value = 0<BR>11/28/2007 17:25:47 Called-Station-Id : String Value = 00-19-77-00-00-34:hhe<BR>11/28/2007 17:25:47 Calling-Station-Id : String Value = 00-19-E0-80-A5-5A<BR>11/28/2007 17:25:47 Framed-MTU : Integer Value = 1500<BR>11/28/2007 17:25:47 NAS-Port-Type : Integer Value = 19<BR>11/28/2007 17:25:47 Connect-Info : String Value = CONNECT 11Mbps 802.11b<BR>11/28/2007 17:25:47 EAP-Message : Value =<BR>11/28/2007 17:25:47 000: 02040025 2b011703 01001a04 77422c23 |...%+.......wB,#|<BR>11/28/2007 17:25:47 010: 276b1bff 746a0866 d727be13 93dc8599 |'k..tj.f.'......|<BR>11/28/2007 17:25:47 020: 7a5a79b7 e5 |zZy.. |<BR>11/28/2007 17:25:47 State : String Value = SBR-CH 5|5<BR>11/28/2007 17:25:47 -----------------------------------------------------------<BR>11/28/2007
17:25:47 EAP-FAST: Inner authentication failed<BR>11/28/2007 17:25:47 User twang ultimately failed challenge sequence<BR>11/28/2007 17:25:47 -----------------------------------------------------------<BR>11/28/2007 17:25:47 Authentication Response (reject)<BR>11/28/2007 17:25:47 Packet : Code = 0x3 ID = 0x1<BR>11/28/2007 17:25:47 Vector =<BR>11/28/2007 17:25:47 000: 7713879e 10b9af77 c55dcaed 901b3b98 |w......w.]....;.|<BR>11/28/2007 17:25:47 EAP-Message : Value =<BR>11/28/2007 17:25:47 000: 04040004 |.... |<BR>11/28/2007 17:25:47 -----------------------------------------------------------<BR>11/28/2007 17:25:47 Sent reject response</div> <div><BR><BR><B><I>Jouni Malinen <j@w1.fi></I></B> дµÀ£º</div> <BLOCKQUOTE class=replbq
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">On Wed, Nov 28, 2007 at 09:52:40AM +0800, Hangjun He wrote:<BR>> By the way, we are using external aaa radius server which can support eap-fast. <BR><BR>In that case, yes, you should be able to use this with hostapd 0.3.7.<BR>The used EAP type is transparent to the authenticator.<BR><BR>EAP-FAST server support was added in 0.6.1, but that is only needed if<BR>one were to use hostapd as the authentication server.<BR><BR>-- <BR>Jouni Malinen PGP id EFC895FA<BR>_______________________________________________<BR>HostAP mailing list<BR>HostAP@shmoo.com<BR>http://lists.shmoo.com/mailman/listinfo/hostap<BR></BLOCKQUOTE><BR><p> 
<hr size=1><a href="https://member.cn.yahoo.com/cnreg/reginfo.html?id=89034" target=blank>ÑÅ»¢ÓÊÏ䣬ÖÕÉú»ï°é£¡</a>