WPA-Enterprise with TTLS fails to authenticate (from Windows ok, but Linux fails).

Alan DeKok aland at deployingradius.com
Mon Sep 24 13:30:45 CEST 2007


Janusz Syrytczyk wrote:
> Problem is that I cannot authenticate to my network with wpa_supplicant, 
> although I could, and from Windows & Secure2w TTLS wrapper - I can. I use 
> Gentoo and did some upgrades (but nothing special I guess, kernel is the 
> same, and wpa_supplicant also)
...
> Ready to process requests.
 < deleted>
>         EAP-Message = 0x020200060315
...
>  rlm_eap: EAP-NAK asked for EAP-Type/ttls

  So the server starts EAP-TTLS:

> Sending Access-Challenge of id 90 to 217.173.193.40 port 4347
>         EAP-Message = 0x010300061520

  The server increments the EAP id (byte 2 of the EAP-Message)

> rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, 
> length=201
...
>         EAP-Message = 0x020200060315

  And the supplicant responds with an EAP NAK, stating "No, I want EAP-TTLS".

  Either the AP is broken, or the supplicant is broken.  The supplicant
SHOULD NOT send back a NAK for something it just asked for.  It should
also increment the EAP id field (byte 2).  Instead, it re-uses the EAP Id.

  If the AP is broken, then it's the one that decides to NOT send the
EAP-TTLS start to the supplicant.  Instead, it just echoes back the NAK
that the supplicant previously sent.

  Check the supplicant logs.  If it's really sending the NAK twice, then
it is broken.  If it's sending the NAK once, then the AP is broken.

  Alan DeKok.
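The checks Alan describes (does the Response re-use the Request's EAP id, does the NAK ask for the very type the server just offered, is the same NAK sent twice) can be run mechanically over the EAP-Message values in the FreeRADIUS debug output. The following is an added example, not code from the original thread or from FreeRADIUS; it assumes each EAP-Message attribute holds one complete, unfragmented EAP packet in 0x-prefixed hex, as in the log quoted above, and the three sample values are copied from that log.

```python
"""Decode EAP-Message hex dumps from a FreeRADIUS debug log and audit the
EAP id / NAK sequencing between server Requests and supplicant Responses.
Added example; assumes one unfragmented EAP packet per EAP-Message attribute."""

from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5", 13: "TLS", 21: "TTLS", 25: "PEAP"}
TTLS_START_FLAG = 0x20  # the 'S' (Start) bit in the EAP-TTLS flags byte

# The three EAP-Message values quoted in the log above, in the order they appear:
# supplicant NAK, server TTLS Start, supplicant NAK again.
LOG_MESSAGES = ["0x020200060315", "0x010300061520", "0x020200060315"]


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type byte
    payload: bytes           # type-data that follows the Type byte
    raw: bytes               # the whole packet, used for duplicate detection

    @property
    def is_nak(self) -> bool:
        return self.code == 2 and self.eap_type == 3

    def nak_types(self) -> List[int]:
        """EAP types the peer says it is willing to do instead (NAK only)."""
        return list(self.payload) if self.is_nak else []

    def ttls_start(self) -> bool:
        """True for a server Request that starts EAP-TTLS (Type 21, S bit set)."""
        return (self.code == 1 and self.eap_type == 21
                and bool(self.payload) and bool(self.payload[0] & TTLS_START_FLAG))


def parse_eap_message(hexstr: str) -> EapPacket:
    """Parse the 4-byte EAP header (Code, Identifier, Length) plus Type and data."""
    h = hexstr.strip()
    if h.lower().startswith("0x"):
        h = h[2:]
    raw = bytes.fromhex(h)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes present")
    eap_type = raw[4] if code in (1, 2) and length > 4 else None
    return EapPacket(code, ident, length, eap_type, raw[5:], raw)


def describe(pkt: EapPacket) -> str:
    """One-line human-readable summary of a decoded packet."""
    s = f"{EAP_CODES.get(pkt.code, pkt.code)} id={pkt.identifier} len={pkt.length}"
    if pkt.eap_type is not None:
        s += f" type={EAP_TYPES.get(pkt.eap_type, pkt.eap_type)}"
    if pkt.is_nak:
        s += " wants=" + ",".join(EAP_TYPES.get(t, str(t)) for t in pkt.nak_types())
    if pkt.ttls_start():
        s += " [TTLS Start]"
    return s


def audit_exchange(hex_messages: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the sequencing looks sane."""
    pkts = [parse_eap_message(h) for h in hex_messages]
    findings: List[str] = []
    seen_responses = {}  # (identifier, raw bytes) -> index of first occurrence
    for i, p in enumerate(pkts):
        if p.code != 2:
            continue
        # The Response must answer the most recent Request and carry its id.
        prev = next((q for q in reversed(pkts[:i]) if q.code == 1), None)
        if prev is not None:
            if p.identifier != prev.identifier:
                findings.append(f"msg {i}: Response id {p.identifier} does not match "
                                f"the pending Request id {prev.identifier}")
            if p.is_nak and prev.eap_type in p.nak_types():
                name = EAP_TYPES.get(prev.eap_type, prev.eap_type)
                findings.append(f"msg {i}: NAK asks for {name}, which Request id "
                                f"{prev.identifier} already offered")
        key = (p.identifier, p.raw)
        if p.is_nak and key in seen_responses:
            findings.append(f"msg {i}: NAK with id {p.identifier} repeats msg "
                            f"{seen_responses[key]} byte for byte")
        seen_responses.setdefault(key, i)
    return findings


if __name__ == "__main__":
    for h in LOG_MESSAGES:
        print(h, "->", describe(parse_eap_message(h)))
    for f in audit_exchange(LOG_MESSAGES):
        print("FINDING:", f)
```

Run against the log's own values it reports all three problems from the reply. To decide between "AP broken" and "supplicant broken", feed it the EAP-Message values from the RADIUS side and, separately, the EAPOL frames the supplicant logs (wpa_supplicant -d prints them as hex): if the duplicate NAK appears only on the RADIUS side, the AP is replaying it; if the supplicant itself logs it twice, the supplicant is at fault.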



More information about the Freeradius-Users mailing list