I'm using eapol_test (radius client) against hostapd (radius server) to test EAP-FAST authentication. <br><br>With "fast_provisioning=1", I'm able to generate the PAC. Using the PAC I'm trying to get TLS phase done, but since opaque is invalid, server proposes the certificate based authentication. <br>
<br>Client sends TLS alert "unexpected message" in response to server hello. The Log looks like as follows-<br><br><---------------START---------------------><br>RADIUS packet matching with station<br>decapsulated EAP packet (code=1 id=2 len=1403) from RADIUS server: EAP-Request-FAST (43)<br>
EAPOL: Received EAP-Packet frame<br>EAPOL: SUPP_BE entering state REQUEST<br>EAPOL: getSuppRsp<br>EAP: EAP entering state RECEIVED<br>EAP: Received EAP-Request id=2 method=43 vendor=0 vendorMethod=0<br>EAP: EAP entering state METHOD<br>
SSL: Received packet(len=1403) - Flags 0xc1<br>SSL: TLS Message Length: 1791<br>SSL: Need 398 bytes more input data<br>SSL: Building ACK (type=43 id=2 ver=1)<br>EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL<br>
EAP: EAP entering state SEND_RESPONSE<br>EAP: EAP entering state IDLE<br>EAPOL: SUPP_BE entering state RESPONSE<br>EAPOL: txSuppRsp<br>WPA: eapol_test_eapol_send(type=0 len=6)<br>TX EAP -> RADIUS - hexdump(len=6): 02 02 00 06 2b 01<br>
Encapsulating EAP message into a RADIUS packet<br> Copied RADIUS State Attribute<br>Sending RADIUS message to authentication server<br>RADIUS message: code=1 (Access-Request) identifier=2 length=119<br> Attribute 1 (User-Name) length=6<br>
Value: 'user'<br> Attribute 4 (NAS-IP-Address) length=6<br> Value: <a href="http://127.0.0.1">127.0.0.1</a><br> Attribute 31 (Calling-Station-Id) length=19<br> Value: '02-00-00-00-00-01'<br>
Attribute 12 (Framed-MTU) length=6<br> Value: 1400<br> Attribute 61 (NAS-Port-Type) length=6<br> Value: 19<br> Attribute 77 (Connect-Info) length=24<br> Value: 'CONNECT 11Mbps 802.11b'<br> Attribute 79 (EAP-Message) length=8<br>
Value: 02 02 00 06 2b 01<br> Attribute 24 (State) length=6<br> Value: 00 00 00 00<br> Attribute 80 (Message-Authenticator) length=18<br> Value: b5 12 8c f7 f5 9f a1 35 dd a6 96 d4 89 bc 91 5d<br>Next RADIUS client retransmit in 3 seconds<br>
<br>EAPOL: SUPP_BE entering state RECEIVE<br>Received 452 bytes from RADIUS server<br>Received RADIUS message<br>RADIUS message: code=11 (Access-Challenge) identifier=2 length=452<br> Attribute 24 (State) length=6<br> Value: 00 00 00 00<br>
Attribute 79 (EAP-Message) length=255<br> Value: 01 03 01 94 2b 01 51 63 9c 55 c8 64 bc 71 e8 8d 9c 4c 25 eb 03 79 d8 56 9f 07 81 b3 fd 64 db 68 7f 67 74 2e db 57 38 50 42 a8 51 64 64 88<br> c8 36 7f eb 17 65 12 24 a6 52 ca ec ea 63 ce 52 be ae 74 33 fd ae 05 77 82 cd 16 a0 0f bf 8c d0 8d 5e ef 5a c0 00 dd 09 1e 71 5d 2c d4 8a 73 d8 46 3a<br>
b0 20 18 22 ba 30 cd 88 e2 55 a3 32 f3 e9 0c 95 08 4c eb f9 0a dd e9 5a 05 5b 7f 17 77 0a 05 cd 41 3f 6f 53 00 01 02 00 80 bb 62 dc b8 20 64 bb ff 47<br> b1 f3 12 cc 2d 69 4b ea 7d 3d 8c 57 eb b0 ba d9 cc e5 05 d2 24 ed eb 0d 12 8d 6e e1 76 9b e0 cb ea d3 64 c0 43 b3 c4 ac 57 a9 0d 32 fa 26 b6 28 8f 88<br>
d3 62 7e 73 79 c1 09 53 03 9a ba 5d 87 48 42 b2 34 b3 68 ce 85 b5 48 1e c5 ec 43 83 96 42 3f 93 c3 ae a2 4d 1a 65 62 f9 ca 9c 74 4a 9c 34 a9 31 4d 1d<br> 4b 9a 74 1f ca 5f 44<br> Attribute 79 (EAP-Message) length=153<br>
Value: 66 d9 81 aa b8 13 ce 95 22 13 89 9b 00 80 5a 07 cf 23 64 24 0b 23 10 0d 2f 03 2f 94 12 7f 9a 14 22 ca 51 aa 55 74 0c 49 06 a1 58 b8 cd 47<br> 5d 53 91 c3 f5 c5 fc da a4 5b 17 23 8f 4f c5 83 7e 85 a7 b3 5a 91 6a a8 8a 85 97 87 2b 22 df 83 7e ee 68 0b bf 30 97 de a6 d4 28 31 d5 60 7c 5c 8a 0b<br>
52 df 90 71 a0 22 a3 31 1d a5 51 1e a1 99 e9 82 28 48 f1 cc a4 1d dc 3d 0c 4f 21 39 9b 30 b3 a3 b8 ff fc 45 fe 34 93 0c e0 88 34 a7 25 30 16 03 01 00<br> 04 0e 00 00 00<br> Attribute 80 (Message-Authenticator) length=18<br>
Value: 84 99 6c 5a 96 74 1a 1d dd 10 1b 51 db 8a 0b e1<br>STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.02 sec<br><br>RADIUS packet matching with station<br>decapsulated EAP packet (code=1 id=3 len=404) from RADIUS server: EAP-Request-FAST (43)<br>
EAPOL: Received EAP-Packet frame<br>EAPOL: SUPP_BE entering state REQUEST<br>EAPOL: getSuppRsp<br>EAP: EAP entering state RECEIVED<br>EAP: Received EAP-Request id=3 method=43 vendor=0 vendorMethod=0<br>EAP: EAP entering state METHOD<br>
SSL: Received packet(len=404) - Flags 0x01<br>EAP-FAST: SessionTicket callback<br>EAP-FAST: SessionTicket - hexdump(len=0): [NULL]<br>EAP-FAST: client_random - hexdump(len=32): 49 10 40 5c 14 39 c4 0b 71 21 05 3a 13 1e 8b c1 33 a1 b6 f4 1c e2 ab 09 d5 3f c3 17 16 a5 3f 78<br>
EAP-FAST: server_random - hexdump(len=32): 49 10 8d 4b cc 7d 9c ae f5 a5 f2 d9 e8 c5 6f 56 76 c2 68 32 9d c7 b0 6c 5f eb 64 da 23 41 be 57<br>EAP-FAST: master_secret - hexdump(len=48): 14 12 42 68 b8 cc 48 09 cd 92 eb 26 bd a7 b5 b1 5c a2 72 09 97 b6 1b fb fd 07 ea 80 fe ea 89 0c e6 ba 3a e0<br>
95 f8 ea 24 e5 d4 5b 9f 8e 78 d2 f1<br>SSL: (where=0x1001 ret=0x1)<br>SSL: SSL_connect:SSLv3 read server hello A<br>SSL: (where=0x4008 ret=0x20a)<br>SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unexpected_message<br>
SSL: (where=0x1002 ret=0xffffffff)<br>SSL: SSL_connect:error in SSLv3 read finished A<br>OpenSSL: tls_connection_handshake - SSL_connect error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message<br>SSL: 7 bytes pending from ssl_out<br>
SSL: Failed - tls_out available to report error<br><br><---------------END---------------------><br><br>Thanks<br>- Paresh<br><br><div class="gmail_quote">On Fri, Oct 31, 2008 at 7:10 PM, Jouni Malinen <span dir="ltr"><<a href="mailto:j@w1.fi">j@w1.fi</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">On Tue, Oct 21, 2008 at 12:36:13PM +0530, Paresh Sawant wrote:<br>
> I tried with 0.6.4 binary too instead of building it myself, but it too<br>
> failed.<br>
><br>
> I have attached here captured EAP messages by ethereal on windows (Please<br>
> open it using ethereal).<br>
<br>
</div>The ClientHello looks fine to me.. How have you configured hostapd for<br>
anonymous DH? I.e., what is set in dh_file parameter and how did you<br>
create the DH parameters file?<br>
<font color="#888888"><br>
--<br>
</font><div><div></div><div class="Wj3C7c">Jouni Malinen PGP id EFC895FA<br>
_______________________________________________<br>
HostAP mailing list<br>
<a href="mailto:HostAP@lists.shmoo.com">HostAP@lists.shmoo.com</a><br>
<a href="http://lists.shmoo.com/mailman/listinfo/hostap" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
</div></div></blockquote></div><br>