Joby Thampan | 1 Aug 2008 10:46

EAP-TLS Connection Problem

Hi all,

I am trying for an EAP-TLS connection with wpa_supplicant_0.3.8 as 
station, freeradius as Radius Server and an AP with hostapd 0.4.8,
but I am not able to establish the connection.

I am attaching the debug logs I am getting at wpa_supplicant, it is 
restarting the process after I receive the last
EAPOL: Port Timers tick - authWhile=29 heldWhile=0 startWhen=27 idleWhile=59
.
.
.
.
.
EAPOL: Port Timers tick - authWhile=0 heldWhile=0 startWhen=27 idleWhile=59.

Can anyone explain to me why?

This is my hostapd.conf

interface=eth0
bridge=br0
ssid=joby-wpa
ieee8021x=1
eap_server=0
wpa=1
wpa_pairwise=TKIP
wpa_key_mgmt=WPA-EAP
eap_reauth_period=300
wpa_group_rekey=300

Bryan Chin | 1 Aug 2008 11:17

RE: EAP-TLS Connection Problem

I have never tried the wpa_supplicant and hostapd of your version. Maybe you should download the latest version 0.6.3 for both of them.
 
hostapd.conf

# change your interface, should be your wireless interface, not your wired interface
interface=eth0
bridge=br0
driver=madwifi
ssid=joby-wpa
ieee8021x=1
eap_server=0
wpa=1
wpa_pairwise=TKIP
wpa_key_mgmt=WPA-EAP
eap_reauth_period=300
wpa_group_rekey=300
wpa_gmk_rekey=300
own_ip_addr=<ip address of AP>
auth_server_addr=192.168.0.228
auth_server_port=1812
auth_server_shared_secret=joby1234

wpa_supplicant.conf

eapol_version=2
ap_scan=1
fast_reauth=1
network={
    ssid="joby-wpa"
    scan_ssid=0
    proto=WPA
    # remove CCMP since you are using WPA
    pairwise=TKIP CCMP
    # remove CCMP
    group=TKIP CCMP
    key_mgmt=WPA-EAP
    eap=TLS
    identity="Joby"
    # remove this line
    password="joby1234"
    ca_cert="/etc/cert/cacert.pem"
    client_cert="/etc/cert/client_cert.pem"
    private_key="/etc/cert/client_key.pem"
    private_key_password="joby1234"
    priority=10
}
 
Regards,
Bryan

_______________________________________________
HostAP mailing list
HostAP <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
Joby Thampan | 1 Aug 2008 11:46

Re: EAP-TLS Connection Problem

Thanks Bryan for the fast answer.
The interface I am using for hostapd.conf is wireless itself, only some naming convention issue.

I checked with sniffer for EAP-TLS connection

According to RFC for a successful connection this is the handshake required.

Authenticating Peer     Authenticator
   -------------------     -------------
                           <- EAP-Request/
                           Identity
   EAP-Response/
   Identity (MyID) ->
                           <- EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   (TLS client_hello)->
                           <- EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS server_hello,
                             TLS certificate,
                    [TLS server_key_exchange,]
                     TLS certificate_request,
                        TLS server_hello_done)
   EAP-Response/
   EAP-Type=EAP-TLS
   (TLS certificate,
    TLS client_key_exchange,
    TLS certificate_verify,
    TLS change_cipher_spec,
    TLS finished) ->
                           <- EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS change_cipher_spec,
                            TLS finished)
   EAP-Response/
   EAP-Type=EAP-TLS ->
                           <- EAP-Success

My WPA supplicant is able to send up to

EAP-Response/
   EAP-Type=EAP-TLS
   (TLS certificate,
    TLS client_key_exchange,
    TLS certificate_verify,
    TLS change_cipher_spec,
    TLS finished) ->

but in sniffer it is showing as More Fragments to follow. But I am not seeing any fragments following it and
the connection stops over there. Authentication Peer is waiting to receive the next packet.

Bryan Chin wrote:
> I never try the wpa_supplciant and hostapd of your version. Maybe you 
> should download the latest version 0.6.3 for both of them
>  
> hostapd.conf 
>  
> interface=eth0 *// change your interface, should be your wireless 
> interface, not your wired *interface
> bridge=br0
> * driver=madwifi*
>  ssid=joby-wpa
>  ieee8021x=1
>  eap_server=0
>  wpa=1 
>  wpa_pairwise=TKIP
>  wpa_key_mgmt=WPA-EAP
>  eap_reauth_period=300
>  wpa_group_rekey=300
>  wpa_gmk_rekey=300
> *own_ip_addr= <ip address of AP>*
>  aut_server_addr=192.168.0.228
> auth_server_port=1812
> auth_server_shared_secret=joby1234
>
> wpa_supplicant.conf
>  
> eapol_version=2
> ap_scan=1
> fast_reauth=1
> network={
> ssid=joby-wpa
> scan_ssid=0
> *proto=WPA
> *pairwise=TKIP CCMP *//remove CCMP since you are using WPA *
> group= TKIP CCMP *//remove CCMP
> *key_mgmt=WPA-EAP
> eap=TLS
> identity="Joby"
> password="joby1234" *//remove this line
> *ca_cert="/etc/cert/cacert.pem"
> client_cert="/etc/cert/client_cert.pem"
> private_key="/etc/cert/client_key.pem"
> private_key_password="joby1234"
> priority=10
>  
> Regards,
> Bryan
>
Kiran Kulkarni | 1 Aug 2008 11:57

Operation

I haven't understood the flow of the connection from the debug output.
I have understood that
1) scan by broadcasting SSID.
2) obtain the scan result
3) select a network based on the parameters

Then what operations are carried out and based on what...

Please reply as soon as possible.
Kiran Kulkarni | 1 Aug 2008 12:20

Power Management

Does wpa supplicant provide power saving mode, whether API is available 
or not.

Please reply as soon as possible.
Johannes Berg | 1 Aug 2008 12:34

Re: Power Management

On Fri, 2008-08-01 at 15:50 +0530, Kiran Kulkarni wrote:
> Does wpa supplicant provide power saving mode, whether API is available 
> or not.

wpa supplicant has nothing to do with power saving at all.

johannes
Kiran Kulkarni | 1 Aug 2008 13:51

Re: Power Management

Johannes Berg wrote:
> oh and never ever again drop the list from CC
>   
Sorry for the mistake and thanks for the quick replies.
Jouni Malinen | 1 Aug 2008 20:28

Re: EAP-TLS Connection Problem

On Fri, Aug 01, 2008 at 05:46:24PM +0800, Joby Thampan wrote:

> My WPA supplicant is able to send upto 
> 
> EAP-Response/
>    EAP-Type=EAP-TLS
>    (TLS certificate,
>     TLS client_key_exchange,
>     TLS certificate_verify,
>     TLS change_cipher_spec,
>     TLS finished) ->
> 
> 
> but in sniffer it is showing as More Fragments to follow. But I am not seeing any fragments following it and
> the connection stops over there. Authentication Peer is waiting to receive the next packet.

Please take a look at what the authentication server is doing here. I
did not notice any problems in the supplicant log; the server just seems
to stop answering suddenly (it is supposed to send an empty frame to
request the next fragment of this message).

-- 
Jouni Malinen                                            PGP id EFC895FA
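
The fragment acknowledgement described in the reply above, as an added example that is not part of the original thread and is not hostapd, wpa_supplicant or FreeRADIUS code: it decodes the EAP-TLS flags byte (L, M, S as defined in RFC 5216) and reports a peer fragment with "More Fragments" set that no empty EAP-TLS request from the server ever acknowledged. The packets and the names `parse_eap_tls`, `find_unacked_fragment` and `build` are constructed for illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # RFC 5216: Length included, More fragments, Start

def parse_eap_tls(pkt: bytes) -> dict:
    """Decode one EAP packet carrying EAP-TLS; raise ValueError if malformed."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-TLS packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt) or eap_type != EAP_TYPE_TLS:
        raise ValueError("length mismatch or not EAP-TLS")
    body, total = pkt[6:], None
    if flags & FLAG_L:  # four-byte TLS Message Length precedes the TLS data
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        total, body = struct.unpack("!I", body[:4])[0], body[4:]
    return {"code": code, "id": ident, "more": bool(flags & FLAG_M),
            "start": bool(flags & FLAG_S), "total": total, "data": body}

def is_fragment_ack(p: dict) -> bool:
    """A fragment ACK is an EAP-TLS packet with no flags set and no TLS data."""
    return not (p["more"] or p["start"]) and p["total"] is None and not p["data"]

def find_unacked_fragment(capture):
    """Return the EAP id of a peer fragment (M set) the server never ACKed, else None."""
    pending = None
    for raw in capture:
        p = parse_eap_tls(raw)
        if p["code"] == EAP_RESPONSE and p["more"]:
            pending = p["id"]
        elif p["code"] == EAP_REQUEST and pending is not None and is_fragment_ack(p):
            pending = None
    return pending

def build(code, ident, flags, data=b"", total=None):
    """Build a constructed sample packet (not taken from the poster's capture)."""
    body = (struct.pack("!I", total) if total is not None else b"") + data
    return struct.pack("!BBHBB", code, ident, 6 + len(body), EAP_TYPE_TLS, flags) + body

# Constructed capture: the peer's certificate flight is split and the server goes silent.
STALLED = [
    build(EAP_REQUEST, 1, FLAG_S),                                # TLS Start
    build(EAP_RESPONSE, 1, 0, b"\x16" * 80),                      # client_hello
    build(EAP_REQUEST, 2, FLAG_L, b"\x16" * 900, total=900),      # server flight
    build(EAP_RESPONSE, 2, FLAG_L | FLAG_M, b"\x16" * 1398, total=3000),  # first fragment
]
# Same exchange when the server ACKs and the peer sends the rest.
HEALTHY = STALLED + [build(EAP_REQUEST, 3, 0), build(EAP_RESPONSE, 3, 0, b"\x16" * 1602)]
```

A non-None result from `find_unacked_fragment` on a capture points the investigation at the authentication server or the path to it, since the peer cannot send its next fragment until the empty request arrives.
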
Chuck Tuffli | 2 Aug 2008 00:16

WiFi Protected Setup (WPS) update

I have uploaded a new patch against 0.5.10 that removes the dependency on OpenSSL. In addition, you will also find a document that gives a brief overview of WPS, a description of how to configure the supplicant, the commands to start registration, and the new events WPS generates (hopefully useful to things like Network Manager).

You can find both of these in the downloads section of the project on SourceForge

http://sourceforge.net/project/showfiles.php?group_id=234447

---chuck

Sergio | 2 Aug 2008 18:04

cross-compiling wpa_supplicant with external libraries

Hi,

Recently I built wpa_supplicant.exe with EAP-TLS support. The goal was to
compile with libeay.a and libssl32.dll in the mingw libraries folder and

LIBS += -leay32 -lssl32 in the .config file. Really I was lucky because
there are many examples on the internet about how to compile openssl under
Windows, which is useful information. Now I want to compile with pc/sc
(not too easy), also compile win_if_list.exe and wpa_passphrase.exe and
others which need other options for the compiler and other libraries or
.a files (I suppose). I'd like to ask if anybody knows any web page or
information somewhere because I want to find these options for myself,
not trying with examples. Makefile is useful but not much because it hurts
my brain sometimes. Any suggestion?

Thanks
