Hostapd + Radius + PEAP
Paulo Fragoso
paulo at nlink.com.br
Tue Sep 7 14:32:36 UTC 2010
To solve this I've created a src.conf file:
$ cat /etc/src.conf
HOSTAPD_CFLAGS+=-DEAP_SERVER -DEAP_GTC -DEAP_AKA -DEAP_SIM -DEAP_GPSK
HOSTAPD_CFLAGS+=-DEAP_PAX -DEAP_SAKE
WITH_OPENSSL=YES
and
cd /usr/src/usr.sbin/wpa
make clean all
make install
Now there are many PEAP strings in hostapd:
$ strings /usr/sbin/hostapd | grep EAP|grep PEAP
PEAP
EAP-PEAP: %s -> %s
EAP-PEAP: CSK
EAP-PEAP: Derived key
EAP-PEAP: Invalid frame
EAP-PEAP: Received TLVs
EAP-PEAP: Cryptobinding TLV
EAP-PEAP: CMK
EAP-PEAP: Result TLV
EAP-PEAP: try EAP type %d
EAP-PEAP: forcing version %d
EAP-PEAPv2: Identity Request
EAP-PEAPv2: Not an EAP TLV
EAP-PEAP: Phase 2 Success
EAP-PEAP: Phase 2 Failure
EAP-PEAP: TK
EAP-PEAP: ISK
EAP-PEAP: TempKey
EAP-PEAP: IMCK (IPMKj)
EAP-PEAP: IPMK (S-IPMKj)
EAP-PEAP: CMK (CMKj)
EAP-PEAP: Compound_MAC CMK
EAP-PEAP: Compound_MAC data 1
EAP-PEAP: Compound_MAC data 2
EAP-PEAP: Compound_MAC
EAP-PEAP: peer did not select the forced version (forced=%d peer=%d) - reject
EAP-PEAP: peer ver=%d, own ver=%d; use version %d
EAP-PEAP: Failed to derive key
EAP-PEAP: Invalid EAP-TLV header
EAP-PEAP: TLV underrun (tlv_len=%d left=%lu)
EAP-PEAP: Unsupported TLV Type %d%s
EAP-PEAP: Last TLV too short in Request (left=%lu)
EAP-PEAP: Invalid cryptobinding TLV length %d
EAP-PEAP: Cryptobinding TLV Version mismatch (was %d; expected %d)
EAP-PEAP: Unexpected Cryptobinding TLV SubType %d
EAP-PEAP: Invalid Compound_MAC in cryptobinding TLV
EAP-PEAP: Cryptobinding seed data
EAP-PEAP: Valid cryptobinding TLV received
EAP-PEAP: No cryptobinding TLV
EAP-PEAP: Too short Result TLV (len=%lu)
EAP-PEAP: TLV Result - Success - requested %s
EAP-PEAP: TLV Result - Failure - requested %s
EAP-PEAP: Unknown TLV Result Status %d
EAP-PEAP: %s - Phase2 not initialized?!
EAP-PEAP: Phase2 type Nak'ed; allowed types
EAP-PEAP: Phase2 check() asked to ignore the packet
EAP-PEAP: Phase2 method is in pending wait state - save decrypted response
EAP-PEAP: Phase2 method failed
EAP-PEAP: Phase2 getKey failed
EAP_PEAP: Phase2 Identity not found in the user database
EAP-PEAP: %s - unexpected state %d
EAP-PEAP: Encrypting Phase 2 data
EAP-PEAP: Failed to initialize SSL.
EAP-PEAPv2: Add EAP-Payload TLV
EAP-PEAPv2: Failed to allocate memory for TLV encapsulation
EAP-PEAPv2: Phase1 done, include first Phase2 payload in the same message
EAP-PEAPv2: Failed to encrypt Phase 2 data
EAP-PEAPv2: Encrypted Identity Request
EAP-PEAP: received %lu bytes encrypted data for Phase 2
EAP-PEAP: Pending Phase 2 response - skip decryption and use old data
EAP-PEAP: failed to allocate memory for decryption
EAP-PEAP: Failed to decrypt Phase 2 data
EAP-PEAP: Decrypted Phase 2 EAP
EAP-PEAPv2: Too short Phase 2 EAP TLV
EAP-PEAPv2: Invalid EAP TLV length
EAP-PEAPv2: No room for full EAP packet in EAP TLV
EAP-PEAP: Too short Phase 2 EAP frame (len=%lu)
EAP-PEAP: Length mismatch in Phase 2 EAP frame (len=%lu hdr->length=%lu)
EAP-PEAP: received Phase 2: code=%d identifier=%d length=%lu
EAP-PEAP: Unexpected code=%d in Phase 2 EAP header
EAP-PEAP: Unexpected state %d in %s
EAP-PEAP: Failed to allocate memory for request
EAP-PEAP: Phase1 done, starting Phase2
EAP-PEAP: Phase 2 method not ready
EAP-PEAP: Encrypting Phase 2 TLV data
If WPA2 Enterprise is the top of wireless security, PEAP should be compiled
in by default for hostapd.
Paulo.
Ref:
http://www.pubbs.net/200911/freebsd/13308-problems-moving-hostapd-ap-config-from-64-to-80rc2.html
On 01-06-2010 18:07, Dewayne Geraghty wrote:
> You may need to modify the /usr/src/contrib/wpa/hostapd/defconfig
> to change the build settings. On 8.1 PRERELEASE the EAP_PEAP is
> included in the build configuration file (see below)
>
> # grep -v ^\# /usr/src/contrib/wpa/hostapd/defconfig|grep EAP
> CONFIG_EAP=y
> CONFIG_EAP_MD5=y
> CONFIG_EAP_TLS=y
> CONFIG_EAP_MSCHAPV2=y
> CONFIG_EAP_PEAP=y
> CONFIG_EAP_GTC=y
> CONFIG_EAP_TTLS=y
>
> Which I've crudely verified with
> # strings /usr/sbin/hostapd | grep EAP|grep PEAP
> PEAP
>
> Regards, Phil.
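The two strings checks in this thread give different pictures: the quoted reply shows a single bare PEAP line, while the rebuilt binary shows dozens of "EAP-PEAP: ..." debug messages. The script below is an added example, not part of the original messages; it tells those two cases apart, assuming (a heuristic, not a documented hostapd guarantee) that the method's debug messages are only present when its server code was compiled in. The function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify EAP method support from `strings` output.
# Assumption: debug messages such as "EAP-PEAP: ..." indicate the method's
# server code is in the binary; a bare "PEAP" line alone is inconclusive.

# eap_method_status METHOD   (reads `strings` output on stdin)
# Prints one of: compiled | name-only | absent
eap_method_status() {
    awk -v m="$1" '
        # Debug messages: "EAP-PEAP: ", "EAP-PEAPv2: ", "EAP_PEAP: "
        $0 ~ ("^EAP[-_]" m "(v[0-9]+)?: ") { dbg++; next }
        # The method name alone on a line
        $0 == m { bare++ }
        END {
            if (dbg > 0)       print "compiled"
            else if (bare > 0) print "name-only"
            else               print "absent"
        }'
}

# Constructed sample: only the bare name matches, as in the quoted reply.
sample_before() {
    printf '%s\n' 'PEAP' 'EAP-TLS: Failed to initialize SSL.'
}

# Constructed sample: a few of the debug lines listed after the rebuild.
sample_after() {
    printf '%s\n' 'PEAP' \
        'EAP-PEAP: Phase1 done, starting Phase2' \
        'EAP-PEAPv2: Identity Request' \
        'EAP_PEAP: Phase2 Identity not found in the user database'
}

for s in sample_before sample_after; do
    printf '%s: %s\n' "$s" "$($s | eap_method_status PEAP)"
done

# Against the installed binary (path as used in this thread):
#   strings /usr/sbin/hostapd | eap_method_status PEAP
```

A "name-only" result means the crude grep would have matched even though no PEAP debug messages are in the binary, so it is worth rechecking the build options before relying on PEAP.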