<HTML dir=ltr><HEAD><TITLE>Re: Problem in porting to PALM</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText45787 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Hi,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>I turned on more debug output on the Cisco server.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr>**************************************************************************</DIV>
<PRE>*Mar 8 06:02:30.107: RADSRV EAP-FAST: Add teap client 0011.d605.2cdc
*Mar 8 06:02:30.107: RADSRV EAP-FAST: Sending TEAP start
*Mar 8 06:02:30.253: RADSRV EAP-FAST: verify client_hello
*Mar 8 06:02:30.253: RADSRV EAP-FAST: PAC to be provisioned, parsed 49, length 49
*Mar 8 06:02:30.253: RADSRV EAP-FAST: Build (provision) Server Hello, 0011.d605.2cdc
*Mar 8 06:02:30.254: RADSRV EAP-FAST: Calculting DH Server public.. 0011.d605.2cdc
*Mar 8 06:02:30.466: RADSRV EAP-FAST: DH public number generation failed
*Mar 8 06:02:30.466: RADSRV EAP-FAST: Sending Server Hello, 0011.d605.2cdc
*Mar 8 06:02:41.137: RADSRV EAP-FAST: verify client_finished, 0011.d605.2cdc
*Mar 8 06:02:41.137: RADSRV EAP-FAST: Calculting premaster secret..
*Mar 8 06:02:41.405: RADSRV EAP-FAST: Calculating Master secret...
*Mar 8 06:02:41.408: RADSRV EAP-FAST: tunnel Decrypt pak (size 48):
*Mar 8 06:02:41.408: Data out
00DAA450: 59C9D621 YIV!
00DAA460: CCF5E055 050EB6CB B37CF708 D97A0DB5 Lu`U..6K3|w.Yz.5
00DAA470: C6D7FF1C 65B2A7FB 6A8D2F7A CEC3BB13 FW..e2'{j./zNC;.
00DAA480: 16D843E6 46E37722 E3B7C3EF .XCfFcw"c7Co
*Mar 8 06:02:41.409: RADSRV EAP-FAST: <FONT color=#ff0000>invalid tunnel MIC</FONT>
*Mar 8 06:02:41.409: RADSRV EAP-FAST: sending alert level 2, desc 0
*Mar 8 06:02:56.409: RADSRV EAP-FAST: Timer expired, teap client 0011.d605.2cdc
*Mar 8 06:02:56.409: RADSRV EAP-FAST: Delete teap client 0011.d605.2cdc</PRE>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr>**************************************************************************</DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I found that after the server finishes calculating the master secret, it finds an invalid tunnel MIC, and then it sends an alert back to the client.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>Does anyone know what this means?</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Jack</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV></DIV>
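<DIV dir=ltr>Added example, not part of this thread and not wpa_supplicant code: a small Python decoder for the three EAP-FAST packet dumps that Jouni decodes by hand in the quoted message further down (the Identity response, the AP's EAP-FAST Start, and the ClientHello). It reassembles the IOS-style hex dump, walks the EAP header, the EAP-FAST flags byte and the TLS record, and lists the advertised cipher suite codes; the 49-byte ClientHello it finds is the same length the AP reports as "parsed 49, length 49". It also names the TLS alert values from the two later logs, on the assumption that the AP's "alert level 2, desc 0" and "Fatal : code 10" are the RFC 2246 alert level and description fields (level 2 = fatal, 0 = close_notify, 10 = unexpected_message); that mapping is my reading of the log, not something the AP documents. The cipher suite codes are from RFC 2246/RFC 3268, the flags layout and Authority-ID TLV type from RFC 4851, and the dump strings are copied from the quoted log.</DIV>

```python
"""Decode the EAP-FAST packets quoted from the Cisco AP debug log.
Added example; the hex dumps are copied from the quoted log, the rest is mine."""
import re
import struct

EAP_TYPE_IDENTITY, EAP_TYPE_FAST = 1, 43
FAST_FLAG_L, FAST_FLAG_S = 0x80, 0x20        # RFC 4851 flags byte: L M S R R Ver
FAST_TLV_AUTHORITY_ID = 4                    # RFC 4851 A-ID TLV

# Cipher suite codes from RFC 2246 / RFC 3268 (the DH_anon suites in the ClientHello).
CIPHER_SUITES = {
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001A: "TLS_DH_anon_WITH_DES_CBC_SHA",
}
# TLS alert fields (RFC 2246 section 7.2).  Assumption: the AP's "alert level
# N, desc M" and "Fatal : code N" lines carry exactly these values.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      47: "illegal_parameter", 51: "decrypt_error"}

# Dumps copied from the quoted log ("EAP-FAST pak rx" / "pak tx").
IDENTITY_RX = """\
01814770: 02 02000E01 616E6F6E 796D6F75 .....anonymou
01814780: 73 s
"""
START_TX = """\
01851070: 0103 001A2B21 ....+!
01851080: 00040010 4C4F4341 4C205241 44495553 ....LOCAL RADIUS
01851090: 20534552 SER
"""
CLIENT_HELLO_RX = """\
01819650: 02 0300402B ...@+
01819660: 01160301 00350100 00310301 45986005 .....5...1..E.`.
01819670: BDA2B8BA 4D2702EA 306B7F69 80119AE7 ="8:M'.j0k.i...g
01819680: BD3B975E 41E59F87 E7830B97 00000A00 =;.^Ae..g.......
01819690: 3A003400 1B001800 1A0100 :.4........
"""


def dump_to_bytes(dump):
    """Reassemble an IOS hex dump: skip the address, take hex words until the
    first token that is not pure hex (the start of the ASCII column)."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for word in line.split(":", 1)[1].split():
            if re.fullmatch(r"[0-9A-Fa-f]+", word) and len(word) % 2 == 0:
                out += bytes.fromhex(word)
            else:
                break
    return bytes(out)


def parse_client_hello(hello):
    """Return client_version and the cipher suite codes of a ClientHello body."""
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    return {"client_version": version, "cipher_suites": suites}


def parse_eap(pkt):
    """Walk EAP -> (Identity | EAP-FAST -> Start TLVs or TLS handshake record)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length %d != %d bytes" % (length, len(pkt)))
    info = {"code": code, "id": ident, "type": pkt[4]}
    if pkt[4] == EAP_TYPE_IDENTITY:
        info["identity"] = pkt[5:].decode("ascii")
        return info
    if pkt[4] != EAP_TYPE_FAST:
        return info
    flags = pkt[5]
    info["fast_version"] = flags & 0x07
    data = pkt[10:] if flags & FAST_FLAG_L else pkt[6:]   # L bit: 4-byte TLS length
    if flags & FAST_FLAG_S:                        # EAP-FAST Start carries TLVs, no TLS
        tlv_type, tlv_len = struct.unpack("!HH", data[:4])
        info["tlvs"] = {tlv_type: data[4:4 + tlv_len]}
        return info
    ctype, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len:
        raise ValueError("expected one complete TLS handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    info.update(record_version=rec_version, handshake_type=hs_type, handshake_len=hs_len)
    if hs_type == 1:                               # ClientHello
        info.update(parse_client_hello(body[4:4 + hs_len]))
    return info


def suite_names(codes):
    return [CIPHER_SUITES.get(c, "unknown_0x%04X" % c) for c in codes]


def describe_alert(level, desc):
    return "%s %s" % (ALERT_LEVELS.get(level, "level_%d" % level),
                      ALERT_DESCRIPTIONS.get(desc, "description_%d" % desc))


if __name__ == "__main__":
    for name, dump in (("identity", IDENTITY_RX), ("start", START_TX),
                       ("client_hello", CLIENT_HELLO_RX)):
        print(name, parse_eap(dump_to_bytes(dump)))
    hello = parse_eap(dump_to_bytes(CLIENT_HELLO_RX))
    print("offered:", ", ".join(suite_names(hello["cipher_suites"])))
    print("server:", describe_alert(2, 0), "| client:", describe_alert(2, 10))
```

<DIV dir=ltr>Run it directly to print each parsed packet. Checking the parsed cipher_suites list against a fresh "pak rx" dump is the quickest way to confirm that a change to tlsv1_client_set_cipher_list really altered the ClientHello on the wire (for example, that only 0x0034 remains after trimming the list to TLS_DH_anon_WITH_AES_128_CBC_SHA as suggested further down).</DIV>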
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> hostap-bounces@lists.shmoo.com on behalf of Jack Yip<BR><B>Sent:</B> Tue 3/25/2008 4:15 AM<BR><B>To:</B> hostap@shmoo.com<BR><B>Subject:</B> RE: Problem in porting to PALM<BR></FONT><BR></DIV>
<DIV dir=ltr>
<DIV id=idOWAReplyText78646 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Hi</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>This is the information of the AP:</FONT></DIV>
<DIV dir=ltr>System Software Version: Cisco IOS Software <BR> Product/Model Number: AIR-AP1242AG-A-K9 <BR> Top Assembly Serial Number: FTX1136B1XA <BR> System Software Filename: c1240-k9w7-tar.124-3g.JA1 <BR> System Software Version: 12.4(3g)JA1 <BR> Bootloader Version: 12.3(7)JA1 <BR> </DIV></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>I have changed the code in the function "tlsv1_client_set_cipher_list"</DIV>
<DIV dir=ltr>**********************************************************************************</DIV>
<DIV dir=ltr><PRE>int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers)
{
#ifdef EAP_FAST
	size_t count;
	u16 *suites;

	/* TODO: implement proper configuration of cipher suites */
	if (ciphers[0] == TLS_CIPHER_ANON_DH_AES128_SHA) {
		count = 0;
		suites = conn->cipher_suites;
/*		suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
		suites[count++] = TLS_DH_anon_WITH_DES_CBC_SHA;
*/
		//JACK
		suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
		suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
		/* as posted: AES_128_CBC_SHA is listed a second time here */
		suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;

		conn->num_cipher_suites = count;
	}

	return 0;
#else /* EAP_FAST */
	return -1;
#endif /* EAP_FAST */
}</PRE></DIV>
<DIV dir=ltr>**********************************************************************************</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><FONT size=2>After that, the debug output no longer has the line "Cipher RC4_128_SHA / TLS_DH_anon_WITH_AES_128_CBC_SHA1 not found, client may be open source", but I still get the following messages and the authentication fails.</FONT></DIV>
<DIV dir=ltr><FONT size=2></FONT> </DIV>
<DIV dir=ltr><FONT size=2></FONT> </DIV>
<DIV dir=ltr><FONT size=2></FONT> </DIV>
<PRE>*Mar 8 04:47:12.990: RADSRV EAP-FAST: Add teap client 0011.d605.2cdc
*Mar 8 04:47:12.990: RADSRV EAP-FAST: Sending TEAP start
*Mar 8 04:47:13.134: RADSRV EAP-FAST: verify client_hello
*Mar 8 04:47:13.134: RADSRV EAP-FAST: PAC to be provisioned, parsed 49, length 49
*Mar 8 04:47:13.134: RADSRV EAP-FAST: Build (provision) Server Hello, 0011.d605.2cdc
*Mar 8 04:47:13.135: RADSRV EAP-FAST: Calculting DH Server public.. 0011.d605.2cdc
*Mar 8 04:47:13.347: RADSRV EAP-FAST: DH public number generation failed
*Mar 8 04:47:13.347: RADSRV EAP-FAST: Sending Server Hello, 0011.d605.2cdc
*Mar 8 04:47:24.017: RADSRV EAP-FAST: verify client_finished, 0011.d605.2cdc
*Mar 8 04:47:24.017: RADSRV EAP-FAST: Calculting premaster secret..
*Mar 8 04:47:24.282: RADSRV EAP-FAST: Calculating Master secret...
*Mar 8 04:47:24.285: RADSRV EAP-FAST: sending alert level 2, desc 0
*Mar 8 04:47:24.395: RADSRV EAP-FAST: Alert from 0011.d605.2cdc: Fatal : code 10
*Mar 8 04:47:24.395: RADSRV EAP-FAST: Delete teap client 0011.d605.2cdc
*Mar 8 04:47:24.396: %DOT11-7-AUTH_FAILED: Station 0011.d605.2cdc Authentication failed</PRE>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Do you have any idea of this?</DIV>
<DIV dir=ltr>Why, after calculating the master secret, does the server send back an alert?</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Please advise!!!</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>By the way, I am trying to see the difference between <FONT size=2>wpa_supplicant-0.5.9.tar.gz and wpa_supplicant-0.5.10.tar.gz</FONT></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>JACK</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> hostap-bounces@lists.shmoo.com on behalf of Jouni Malinen<BR><B>Sent:</B> Tue 3/25/2008 1:32 AM<BR><B>To:</B> hostap@shmoo.com<BR><B>Subject:</B> Re: Problem in porting to PALM<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>On Tue, Mar 25, 2008 at 12:13:21AM +0800, Jack Yip wrote:<BR><BR>> I have captured the debug msg with binary packet printed out from the CISCO server.<BR><BR>> *Mar 8 00:24:06.587: RADSRV EAP-FAST: Add teap client 0011.d605.2cdc<BR>> *Mar 8 00:24:06.587: RADSRV EAP-FAST: EAP-FAST pak rx:<BR>> 01814770: 02 02000E01 616E6F6E 796D6F75 .....anonymou<BR>> 01814780: 73 s <BR>> *Mar 8 00:24:06.587: RADSRV EAP-FAST: EAP-FAST pak tx:<BR>> 01851070: 0103 001A2B21 ....+!<BR>> 01851080: 00040010 4C4F4341 4C205241 44495553 ....LOCAL RADIUS<BR>> 01851090: 20534552 SER <BR><BR>Oh.. This is not ACS, but an internal EAP-FAST server in a Cisco AP..<BR>Which version of the AP software (IOS) are you using?<BR><BR>> *Mar 8 00:24:06.588: RADSRV EAP-FAST: Sending TEAP start<BR>> *Mar 8 00:24:06.731: RADSRV EAP-FAST: EAP-FAST pak rx:<BR>> 01819650: 02 0300402B ...@+<BR>> 01819660: 01160301 00350100 00310301 45986005 .....5...1..E.`.<BR>> 01819670: BDA2B8BA 4D2702EA 306B7F69 80119AE7 ="8:M'.j0k.i...g<BR>> 01819680: BD3B975E 41E59F87 E7830B97 00000A00 =;.^Ae..g.......<BR>> 01819690: 3A003400 1B001800 1A0100 :.4........ <BR><BR>Which TLS library (and which version of it) are you using in the client?<BR><BR>The ClientHello seems to advertise support for the following ciphers:<BR>TLS_DH_anon_WITH_AES_256_CBC_SHA<BR>TLS_DH_anon_WITH_AES_128_CBC_SHA<BR>TLS_DH_anon_WITH_3DES_EDE_CBC_SHA<BR>TLS_DH_anon_WITH_RC4_128_MD5<BR>TLS_DH_anon_WITH_DES_CBC_SHA<BR><BR><BR>> *Mar 8 00:24:06.732: RADSRV EAP-FAST: verify client_hello<BR>> *Mar 8 00:24:06.732: RADSRV EAP-FAST: Cipher RC4_128_SHA / TLS_DH_anon_WITH_AES<BR>> _128_CBC_SHA1 not found, client may be open source<BR><BR>This looks a bit odd.. RC4_128_SHA is not there (which is as expected,<BR>since this is likely for anonymous provisioning), but<BR>TLS_DH_anon_WITH_AES_128_CBC_SHA1 is in the list.. This looks like a bug<BR>in the authentication server. I've seen the issue before, but I've never<BR>seen this level of debug output from the server.. Which debug options<BR>did you enable to get this?<BR><BR>If I remember correctly, the server gets confused because of one of the<BR>ciphers and refuses to do provisioning because of this. A workaround would<BR>be to remove most of those ciphers from ClientHello and just try to use<BR>TLS_DH_anon_WITH_AES_128_CBC_SHA which is known to not confuse the local<BR>authentication server..<BR><BR>I don't know whether this has been fixed in a newer IOS version, but it<BR>might be worthwhile to test upgrading if a newer firmware version is<BR>available.<BR><BR>> By the way, I should be using the wpa_supplicant-0.5.9.tar.gz for porting (not wpa_supplicant-0.5.10.tar.gz ), does it work with EAP-FAST?<BR><BR>Why should you use 0.5.9 instead of 0.5.10? I do not remember whether<BR>there were any changes that could affect EAP-FAST behavior between those<BR>versions, but in general, I would recommend using the latest available<BR>stable version due to bug fixes included in it.<BR><BR>--<BR>Jouni Malinen PGP id EFC895FA<BR>_______________________________________________<BR>HostAP mailing list<BR>HostAP@lists.shmoo.com<BR><A href="http://lists.shmoo.com/mailman/listinfo/hostap">http://lists.shmoo.com/mailman/listinfo/hostap</A><BR></FONT></P></DIV></DIV></BODY></HTML>