We are trying to set up an AP using FreeBSD 8.0 and auth via PEAP and Radius:
hostapd.conf:
interface=wlan0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=freebsdap
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
# Radius:
own_ip_addr=X.Y.Z.AP
nas_identifier=freebsdnas
auth_server_addr=A.B.C.D
auth_server_port=1812
auth_server_shared_secret=teste123
acct_server_addr=A.B.C.D
acct_server_port=1813
acct_server_shared_secret=teste123
# Logs:
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
Starting this server (X.Y.Z.AP) we can get initial traffic between
hostapd and radius server, but there isn't traffic for PEAP when a
station tries to connect.
This same station connects using WPA+PEAP to another AP which does AAA on
the same radius server (A.B.C.D).
Looking at the sources we have noticed hostapd is compiled without
-DEAP_PEAP -DEAP_MSCHAPv2; how do we solve this?
Thanks,
Paulo Fragoso.
_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
# grep -v ^\# /usr/src/contrib/wpa/hostapd/defconfig|grep EAP
CONFIG_EAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y
Which I've crudely verified with
# strings /usr/sbin/hostapd | grep EAP|grep PEAP
PEAP
Regards, Phil.
$ cat /etc/src.conf
HOSTAPD_CFLAGS+=-DEAP_SERVER -DEAP_GTC -DEAP_AKA -DEAP_SIM -DEAP_GPSK
HOSTAPD_CFLAGS+=-DEAP_PAX -DEAP_SAKE
WITH_OPENSSL=YES
and
cd /usr/src/usr.sbin/wpa
make clean all
make install
Now there are many PEAP strings in hostapd:
$ strings /usr/sbin/hostapd | grep EAP|grep PEAP
PEAP
EAP-PEAP: %s -> %s
EAP-PEAP: CSK
EAP-PEAP: Derived key
EAP-PEAP: Invalid frame
EAP-PEAP: Received TLVs
EAP-PEAP: Cryptobinding TLV
EAP-PEAP: CMK
EAP-PEAP: Result TLV
EAP-PEAP: try EAP type %d
EAP-PEAP: forcing version %d
EAP-PEAPv2: Identity Request
EAP-PEAPv2: Not an EAP TLV
EAP-PEAP: Phase 2 Success
EAP-PEAP: Phase 2 Failure
EAP-PEAP: TK
EAP-PEAP: ISK
EAP-PEAP: TempKey
EAP-PEAP: IMCK (IPMKj)
EAP-PEAP: IPMK (S-IPMKj)
EAP-PEAP: CMK (CMKj)
EAP-PEAP: Compound_MAC CMK
EAP-PEAP: Compound_MAC data 1
EAP-PEAP: Compound_MAC data 2
EAP-PEAP: Compound_MAC
EAP-PEAP: peer did not select the forced version (forced=%d peer=%d) - reject
EAP-PEAP: peer ver=%d, own ver=%d; use version %d
EAP-PEAP: Failed to derive key
EAP-PEAP: Invalid EAP-TLV header
EAP-PEAP: TLV underrun (tlv_len=%d left=%lu)
EAP-PEAP: Unsupported TLV Type %d%s
EAP-PEAP: Last TLV too short in Request (left=%lu)
EAP-PEAP: Invalid cryptobinding TLV length %d
EAP-PEAP: Cryptobinding TLV Version mismatch (was %d; expected %d)
EAP-PEAP: Unexpected Cryptobinding TLV SubType %d
EAP-PEAP: Invalid Compound_MAC in cryptobinding TLV
EAP-PEAP: Cryptobinding seed data
EAP-PEAP: Valid cryptobinding TLV received
EAP-PEAP: No cryptobinding TLV
EAP-PEAP: Too short Result TLV (len=%lu)
EAP-PEAP: TLV Result - Success - requested %s
EAP-PEAP: TLV Result - Failure - requested %s
EAP-PEAP: Unknown TLV Result Status %d
EAP-PEAP: %s - Phase2 not initialized?!
EAP-PEAP: Phase2 type Nak'ed; allowed types
EAP-PEAP: Phase2 check() asked to ignore the packet
EAP-PEAP: Phase2 method is in pending wait state - save decrypted response
EAP-PEAP: Phase2 method failed
EAP-PEAP: Phase2 getKey failed
EAP_PEAP: Phase2 Identity not found in the user database
EAP-PEAP: %s - unexpected state %d
EAP-PEAP: Encrypting Phase 2 data
EAP-PEAP: Failed to initialize SSL.
EAP-PEAPv2: Add EAP-Payload TLV
EAP-PEAPv2: Failed to allocate memory for TLV encapsulation
EAP-PEAPv2: Phase1 done, include first Phase2 payload in the same message
EAP-PEAPv2: Failed to encrypt Phase 2 data
EAP-PEAPv2: Encrypted Identity Request
EAP-PEAP: received %lu bytes encrypted data for Phase 2
EAP-PEAP: Pending Phase 2 response - skip decryption and use old data
EAP-PEAP: failed to allocate memory for decryption
EAP-PEAP: Failed to decrypt Phase 2 data
EAP-PEAP: Decrypted Phase 2 EAP
EAP-PEAPv2: Too short Phase 2 EAP TLV
EAP-PEAPv2: Invalid EAP TLV length
EAP-PEAPv2: No room for full EAP packet in EAP TLV
EAP-PEAP: Too short Phase 2 EAP frame (len=%lu)
EAP-PEAP: Length mismatch in Phase 2 EAP frame (len=%lu hdr->length=%lu)
EAP-PEAP: received Phase 2: code=%d identifier=%d length=%lu
EAP-PEAP: Unexpected code=%d in Phase 2 EAP header
EAP-PEAP: Unexpected state %d in %s
EAP-PEAP: Failed to allocate memory for request
EAP-PEAP: Phase1 done, starting Phase2
EAP-PEAP: Phase 2 method not ready
EAP-PEAP: Encrypting Phase 2 TLV data
If WPA2 Enterprise is the top of wireless security, PEAP should be compiled
in by default for hostapd.
Paulo.
Ref:
http://www.pubbs.net/200911/freebsd/13308-problems-moving-hostapd-ap-config-from-64-to-80rc2.html
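
Added example, not part of the thread or of hostapd: the two `strings` checks above differ in that the first matched only the bare name "PEAP" while the rebuilt binary carries the "EAP-PEAP:" debug messages, so this helper tells those cases apart. The function names are hypothetical, the sample inputs are abridged from the outputs posted above, and treating method-prefixed debug messages as a sign that the method code is linked in is a heuristic assumption.

```shell
#!/bin/sh
# Classify `strings` output of a hostapd binary for one EAP method.
# Usage: strings /usr/sbin/hostapd | eap_method_status PEAP
# Prints "linked N"   when N method-prefixed debug messages are present,
#        "name-only 0" when only the bare method name appears,
#        "absent 0"    when neither is found.
# Assumption: debug messages use the "EAP-<METHOD>:" prefix seen in the
# thread (including the "EAP_PEAP:" and "EAP-PEAPv2:" variants).
eap_method_status() {
    method=${1:-PEAP}
    awk -v m="$method" '
        BEGIN { pat = "^EAP[-_]" m "(v[0-9]+)?: " }
        $0 ~ pat { msgs++; next }   # method-specific debug message
        $0 == m  { bare++ }         # bare name, e.g. from a name table
        END {
            if (msgs > 0)      print "linked " msgs
            else if (bare > 0) print "name-only 0"
            else               print "absent 0"
        }'
}

# Sample input: the single match reported before the rebuild.
sample_before() {
    cat <<'EOF'
PEAP
EOF
}

# Sample input: a few of the lines reported after the rebuild (abridged).
sample_after() {
    cat <<'EOF'
PEAP
EAP-PEAP: Phase1 done, starting Phase2
EAP-PEAPv2: Identity Request
EAP_PEAP: Phase2 Identity not found in the user database
EAP-PEAP: Failed to initialize SSL.
EOF
}
```

A "name-only" result is what a plain `grep PEAP` cannot distinguish from a binary that actually contains the method.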