can't get WPA/2 and EAP-TTLS to work

William Bulley web at umich.edu
Fri Feb 15 18:03:16 CET 2008


The wpa_supplicant keeps looping looking for missing keys
accordint to Jouni.  I suspected my Cisco access point was
not configured properly, but Cisco claims that FreeRADIUS is
asking the access point about dynamic VLANs which aren't even
configured in FreeRADIUS (see configurations below).

     +-----------------------------------+
     | ThinkPad T42 with D-Link DWL-G660 |
     | (ath0) on FreeBSD 6.2-STABLE      |
     | running wpa_supplicant 0.4.8      |
     +-----------------------------------+
                      ^
           802.1X     |    WPA/2 EAP-TTLS
                      v
   +---------------------------------------+
   | Cisco 1131AG 802.11a/b/g AP  IOS 12.4 |
   +---------------------------------------+
                      ^
          EAP-TTLS    |    RADIUS
                      v
     +-----------------------------------+
     | FreeRADIUS 1.1.7_2 on FreeBSD 7.0 |
     +-----------------------------------+

It almost works in that authentication succeeds (see debug log file
output), but the complete 802.1x connection does not succeed, hence
the looping behaviour...

 =*=*=*=*=*=*=*=*=*= wpa_supplicant.conf =*=*=*=*=*=*=*=*=*=*=*=*=

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

network={
    ssid="testing"
    bssid=00:xx:yy:yy:zz:zz
    proto=RSN
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="foo"
    password="password"
    phase2="auth=MD5"
}

 =*=*=*=*=*=*=*=*=*= FreeRADIUS eap.conf =*=*=*=*=*=*=*=*=*=*=*=

eap {
    default_eap_type = ttls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes

    md5 {
    }

    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        cipher_list = "DEFAULT"
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}

 =*=*=*=*=*=*=*=*=*= FreeRADIUS users =*=*=*=*=*=*=*=*=*=*=*=

foo     User-Password == "password"

 =*=*=*=*=*=*=*=*= simplified radiusd.conf =*=*=*=*=*=*=*=*=*=*=

[snip] less important stuff omitted [/snip]

$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/eap.conf

instantiate {
}

authorize {
    preprocess
    auth_log
    eap
    files
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}

preacct {
    preprocess
    acct_unique
}

accounting {
    detail
}

post-auth {
    reply_log
}

 =*=*=*=*=*=*=*=*= -Xxx debug output snippet =*=*=*=*=*=*=*=*=*=

Thu Feb 14 08:41:05 2008 : Debug:   Processing the authorize section of radiusd.conf
Thu Feb 14 08:41:05 2008 : Debug: modcall: entering group authorize for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling auth_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug: radius_xlat:  '/var/log/radacct/www.xxx.yyy.zzz/auth-20080214'
Thu Feb 14 08:41:05 2008 : Debug: rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /var/log/rada
cct/www.xxx.yyy.zzz/auth-20080214
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from auth_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "auth_log" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: EAP packet type response id 7 length 112
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "eap" returns updated for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "files" returns notfound for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 6
Thu Feb 14 08:41:05 2008 : Debug: rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fai
l because of this.
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "pap" returns noop for request 6
Thu Feb 14 08:41:05 2008 : Debug: modcall: leaving group authorize (returns updated) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Thu Feb 14 08:41:05 2008 : Debug: auth: type "EAP"
Thu Feb 14 08:41:05 2008 : Debug:   Processing the authenticate section of radiusd.conf
Thu Feb 14 08:41:05 2008 : Debug: modcall: entering group authenticate for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: Request found, released from the list
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: EAP/ttls
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: processing type ttls
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap_ttls: Authenticate
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap_tls: processing TLS
Thu Feb 14 08:41:05 2008 : Debug:   eaptls_verify returned 7
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap_tls: Done initial handshake
Thu Feb 14 08:41:05 2008 : Debug:   eaptls_process returned 7
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
Thu Feb 14 08:41:05 2008 : Debug:   TTLS: Adding old state with 29 1f
Thu Feb 14 08:41:05 2008 : Debug:   Processing the authorize section of radiusd.conf
Thu Feb 14 08:41:05 2008 : Debug: modcall: entering group authorize for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling preprocess (rlm_preprocess) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling auth_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug: radius_xlat:  '/var/log/radacct/127.0.0.1/auth-20080214'
Thu Feb 14 08:41:05 2008 : Debug: rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /var/log/rada
cct/127.0.0.1/auth-20080214
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from auth_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "auth_log" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: EAP packet type response id 7 length 22
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "eap" returns updated for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling files (rlm_files) for request 6
Thu Feb 14 08:41:05 2008 : Debug:     users: Matched entry foo at line 217
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from files (rlm_files) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "files" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: calling pap (rlm_pap) for request 6
Thu Feb 14 08:41:05 2008 : Debug: rlm_pap: Found existing Auth-Type, not changing it.
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authorize]: returned from pap (rlm_pap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authorize]: module "pap" returns noop for request 6
Thu Feb 14 08:41:05 2008 : Debug: modcall: leaving group authorize (returns updated) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   rad_check_password:  Found Auth-Type EAP
Thu Feb 14 08:41:05 2008 : Debug: auth: type "EAP"
Thu Feb 14 08:41:05 2008 : Debug:   Processing the authenticate section of radiusd.conf
Thu Feb 14 08:41:05 2008 : Debug: modcall: entering group authenticate for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: Request found, released from the list
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: EAP/md5
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: processing type md5
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: Freeing handler
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authenticate]: module "eap" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug: modcall: leaving group authenticate (returns ok) for request 6
Thu Feb 14 08:41:05 2008 : Error: Trying to look up name of unknown client 127.0.0.1.
Thu Feb 14 08:41:05 2008 : Auth: Login OK: [foo/<no User-Password attribute>] (from client UNKNOWN-CLIENT port 262 cli 0
0-13-46-C1-7A-01)
Thu Feb 14 08:41:05 2008 : Debug:   Processing the post-auth section of radiusd.conf
Thu Feb 14 08:41:05 2008 : Debug: modcall: entering group post-auth for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[post-auth]: calling reply_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug: radius_xlat:  '/var/log/radacct/127.0.0.1/reply-detail-20080214'
Thu Feb 14 08:41:05 2008 : Debug: rlm_detail: /var/log/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/
log/radacct/127.0.0.1/reply-detail-20080214
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[post-auth]: returned from reply_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[post-auth]: module "reply_log" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug: modcall: leaving group post-auth (returns ok) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   TTLS: Got tunneled Access-Accept
Thu Feb 14 08:41:05 2008 : Debug: rlm_eap_tls: add_reply failed to create attribute MS-MPPE-Recv-Key: Unknown attribute
"MS-MPPE-Recv-Key"
Thu Feb 14 08:41:05 2008 : Debug: rlm_eap_tls: add_reply failed to create attribute MS-MPPE-Send-Key: Unknown attribute
"MS-MPPE-Send-Key"
Thu Feb 14 08:41:05 2008 : Debug:   rlm_eap: Freeing handler
Thu Feb 14 08:41:05 2008 : Debug:   TTLS: Freeing handler for user foo
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[authenticate]: module "eap" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug: modcall: leaving group authenticate (returns ok) for request 6
Thu Feb 14 08:41:05 2008 : Auth: Login OK: [anonymous/<no User-Password attribute>] (from client hotbox port 2
62 cli 00-xx-yy-yy-zz-zz)
Thu Feb 14 08:41:05 2008 : Debug:   Processing the post-auth section of radiusd.conf
Thu Feb 14 08:41:05 2008 : Debug: modcall: entering group post-auth for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[post-auth]: calling reply_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug: radius_xlat:  '/var/log/radacct/www.xxx.yyy.zzz/reply-detail-20080214'
Thu Feb 14 08:41:05 2008 : Debug: rlm_detail: /var/log/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/
log/radacct/www.xxx.yyy.zzz/reply-detail-20080214
Thu Feb 14 08:41:05 2008 : Debug:   modsingle[post-auth]: returned from reply_log (rlm_detail) for request 6
Thu Feb 14 08:41:05 2008 : Debug:   modcall[post-auth]: module "reply_log" returns ok for request 6
Thu Feb 14 08:41:05 2008 : Debug: modcall: leaving group post-auth (returns ok) for request 6
Sending Access-Accept of id 42 to www.xxx.yyy.zzz port 1645
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "foo\000"
        EAP-Message = 0x03070004                           <<<<===== this looks like success [EAP code == 3]
Thu Feb 14 08:41:05 2008 : Debug: Finished request 6
Thu Feb 14 08:41:05 2008 : Debug: Going to the next request
Thu Feb 14 08:41:05 2008 : Debug: Waking up in 6 seconds...


 =*=*=*=*=*=*=*=*= Cisco debug log snippet =*=*=*=*=*=*=*=*=*=

Feb 14 13:40:56.976: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 00xx.yyyy.zzzz
Feb 14 13:40:56.976: dot11_auth_dot1x_send_response_to_server: Sending client 00xx.yyyy.zzzz data to server
Feb 14 13:40:56.977: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Feb 14 13:40:56.990: dot11_auth_dot1x_parse_aaa_resp: Received server response: PASS
Feb 14 13:40:56.990: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Feb 14 13:40:56.990: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
Feb 14 13:40:56.990: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
Feb 14 13:40:56.990: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_PASS) for 00xx.yyyy.zzzz
Feb 14 13:40:56.990: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 00xx.yyyy.zzzz
Feb 14 13:40:56.990: EAPOL pak dump tx
Feb 14 13:40:56.990: EAPOL Version: 0x1  type: 0x0  length: 0x0004
Feb 14 13:40:56.991: EAP code: 0x3  id: 0x7  length: 0x0004              <<<<<=====  [EAP success code == 3]
01802DA0: 01000004 03070004                    ........
Feb 14 13:40:56.991: dot11_auth_send_msg:  sending data to requestor status 1
Feb 14 13:40:56.991: dot11_auth_send_msg: Sending EAPOL to requestor
Feb 14 13:40:56.991: dot1x-registry:registry:dot1x_ether_macaddr called
Feb 14 13:40:56.991: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
Feb 14 13:40:56.991: dot11_auth_send_msg:  sending data to requestor status 2
Feb 14 13:40:56.991: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
Feb 14 13:40:56.992: dot11_auth_send_msg: client authenticated 00xx.yyyy.zzzz, node_type 64 for application 0x1
Feb 14 13:40:56.992: dot11_auth_delete_client_entry: 00xx.yyyy.zzzz is deleted for application 0x1
Feb 14 13:40:56.992: dot1x-registry:registry:dot1x_ether_macaddr called
Feb 14 13:40:56.998: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.
Feb 14 13:40:56.998: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
Feb 14 13:40:57.092: dot1x-registry:registry:dot1x_ether_macaddr called
Feb 14 13:40:57.093: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.
Feb 14 13:40:57.093: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
Feb 14 13:40:57.192: dot1x-registry:registry:dot1x_ether_macaddr called
Feb 14 13:40:57.193: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.
Feb 14 13:40:57.193: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
Feb 14 08:40:57.292 -0500: %DOT11-7-AUTH_FAILED: Station 00xx.yyyy.zzzz Authentication failed
                                    ^^^^^^^^^^^                         ^^^^^^^^^^^^^^^^^^^^^
Clearly the access point isn't helping here...

 =*=*=*=*=*=*=*=*=*=*=*=*= wpa_supplicant "-dd" output =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

Initializing interface 'ath0' conf '/etc/wpa_supplicant.conf' driver 'default' ctrl_interface 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0 (from group name 'wheel')
Line: 7 - start of a new network block
ssid - hexdump_ascii(len=7):
     74 65 73 74 69 6e 67                              testing
BSSID - hexdump(len=6): 00 xx xx xx xx xx
proto: 0x2
key_mgmt: 0x1
eap methods - hexdump(len=2): 15 00
anonymous_identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous
identity - hexdump_ascii(len=3):
     66 6f 6f                                          foo             
password - hexdump_ascii(len=8): [REMOVED]
phase2 - hexdump_ascii(len=11):
     61 75 74 68 65 61 70 3d 4d 44 35                  autheap=MD5     
Priority group 0
   id=0 ssid='testing'
Initializing interface (2) 'ath0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
Own MAC address: 00:xx:xx:xx:xx:xx
wpa_driver_bsd_set_wpa: enabled=1
wpa_driver_bsd_set_wpa_internal: wpa=3 privacy=1
wpa_driver_bsd_del_key: keyidx=0
wpa_driver_bsd_del_key: keyidx=1
wpa_driver_bsd_del_key: keyidx=2
wpa_driver_bsd_del_key: keyidx=3
wpa_driver_bsd_set_countermeasures: enabled=0
wpa_driver_bsd_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Added interface ath0
State: DISCONNECTED -> SCANNING
Starting AP scan (broadcast SSID)
Received 0 bytes of scan results (7 BSSes)
Scan results: 7
Selecting BSS from priority group 0
0: 00:xx:xx:xx:xx:xx ssid='JoesROOM' wpa_ie_len=0 rsn_ie_len=22 caps=0x31
   skip - SSID mismatch
1: 00:xx:xx:xx:xx:xx ssid='testing' wpa_ie_len=0 rsn_ie_len=22 caps=0x31
   selected based on RSN IE
Trying to associate with 00:xx:xx:xx:xx:xx (SSID='testing' freq=2442 MHz)
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
wpa_driver_bsd_set_auth_alg alg 0x1 authmode 1
RSN: using IEEE 802.11i/D9.0
WPA: Selected cipher suites: group 16 pairwise 16 key_mgmt 1
WPA: clearing AP WPA IE
WPA: set AP RSN IE - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 28 00
WPA: using GTK CCMP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
No keys have been configured - skip key clearing
wpa_driver_bsd_set_drop_unencrypted: enabled=1
State: SCANNING -> ASSOCIATING
wpa_driver_bsd_associate: ssid 'testing' wpa ie len 22 pairwise 3 group 3 key mgmt 0
wpa_driver_bsd_associate: set PRIVACY 1
Setting authentication timeout: 10 sec 0 usec
EAPOL: External notification - portControl=Auto
RSN: Ignored PMKID candidate without preauth flag
State: ASSOCIATING -> ASSOCIATED
Associated to a new BSS: BSSID=00:xx:xx:xx:xx:xx
No keys have been configured - skip key clearing
Associated with 00:xx:xx:xx:xx:xx
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=48): 01 00 00 33 01 01 00 33 01 00 6e 65 74 77 6f 72 6b 69 64 3d 74 65 73 74 69 6e 67 2c 6e 61 73 69 64 3d 63 69 73 63 6f 2c 70 6f 72 74 69 64 3d 30
Setting authentication timeout: 70 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=1
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=39):
     00 6e 65 74 77 6f 72 6b 69 64 3d 74 65 73 74 69   _networkid=testi
     6e 67 2c 6e 61 73 69 64 3d 63 69 73 63 6f 2c 70   ng,nasid=cisco,p
     6f 72 74 69 64 3d 30                              ortid=0  
EAP: using anonymous identity - hexdump_ascii(len=9):
     61 6e 6f 6e 79 6d 6f 75 73                        anonymous
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=18): 01 00 00 18 02 01 00 18 01 61 6e 6f 6e 79 6d 6f 75 73 
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=46): 01 00 00 06 01 02 00 06 15 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=21 id=2
EAP: EAP entering state GET_METHOD
EAP: initialize selected EAP method (21, TTLS)
EAP-TTLS: Phase2 type: EAP
EAP-TTLS: Phase2 EAP types - hexdump(len=1): 04
CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TTLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 100 bytes pending from ssl_out
SSL: 100 bytes left to be sent out (of total 100 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=110): 01 00 00 6a 02 02 00 6a 15 00 16 03 01 00 5f 01 00 00 5b 03 01 47 a9 b1 f0 85 22 af ea 08 17 80 24 ee a6 61 19 34 ba 99 d9 94 9d 0e b6 d6 31 ff 6b 83 ac f9 a0 00 00 34 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03 01 00
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=1038): [deleted]
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=21 id=3
EAP: EAP entering state METHOD
SSL: Received packet(len=1034) - Flags 0xc0
SSL: TLS Message Length: 2126
SSL: Need 1102 bytes more input data
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=10): 01 00 00 06 02 03 00 06 15 00
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=1038): [deleted]
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=21 id=4
EAP: EAP entering state METHOD
SSL: Received packet(len=1034) - Flags 0xc0
SSL: TLS Message Length: 2126
SSL: Need 78 bytes more input data
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=10): 01 00 00 06 02 04 00 06 15 00
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=92): 01 00 00 58 01 05 00 58 15 80 00 00 08 4e 9e 69 96 15 00 d2 3a 5a a5 8a 72 56 25 f3 2e fe 2c 1c ac b1 88 a7 de a7 1d 18 94 5e ac 5a 1e 15 cc c6 3d 2d 98 96 87 4b 1e a6 4e 93 50 33 c5 c0 c0 ac 67 8b bc d3 fc 8d 8f 63 04 21 90 77 06 ec 1e 94 85 b6 a2 16 03 01 00 04 0e 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=21 id=5
EAP: EAP entering state METHOD
SSL: Received packet(len=88) - Flags 0x80
SSL: TLS Message Length: 2126
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server certificate A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server key exchange A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server done A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client key exchange A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write change cipher spec A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write finished A
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 flush data
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read finished A
SSL: SSL_connect - want more data
SSL: 134 bytes pending from ssl_out
SSL: 134 bytes left to be sent out (of total 134 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=144): 01 00 00 8c 02 05 00 8c 15 00 16 03 01 00 46 10 00 00 42 00 40 82 45 b6 b2 83 6a 15 52 cb c1 d8 7c 57 05 4d da aa fd 65 d4 73 2c 86 fd d9 99 12 17 b2 a5 f1 de 68 80 81 6e df dd fc d2 3e 8e 2a fe 72 61 34 55 9d 92 85 3b 21 27 5e 72 e2 bc 2c 7c 21 61 e8 a1 14 03 01 00 01 01 16 03 01 00 30 be 1e 85 a3 09 4b 34 31 17 06 74 06 a8 18 0d 7d 91 08 75 66 9d 19 07 71 b0 2a 55 51 b3 fd 51 d9 41 08 54 c8 7d 7e b6 64 95 7d 28 89 97 18 02 7a
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=73): 01 00 00 45 01 06 00 45 15 80 00 00 00 3b 14 03 01 00 01 01 16 03 01 00 30 4d 08 fa 7d 74 55 0c d1 da f0 32 ac f8 71 4e c6 1d a3 17 de de 23 fa 43 9d 09 aa 60 c9 e3 ff 59 c3 98 49 9c e5 54 0e 28 76 8e 25 a1 a7 96 7f 6e
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=21 id=6
EAP: EAP entering state METHOD
SSL: Received packet(len=69) - Flags 0x80
SSL: TLS Message Length: 59
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read finished A
SSL: (where=0x20 ret=0x1)
SSL: (where=0x1002 ret=0x1)
SSL: 0 bytes pending from ssl_out
SSL: No data to be sent out
EAP-TTLS: TLS done, proceed to Phase 2
EAP-TTLS: Derived key - hexdump(len=64): [REMOVED]
EAP-TTLS: received 0 bytes encrypted data for Phase 2
EAP-TTLS: empty data in beginning of Phase 2 - use fake EAP-Request Identity
EAP-TTLS: Phase 2 EAP Request: type=1
EAP: using real identity - hexdump_ascii(len=3):
     66 6f 6f                                          foo             
EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=8): 02 06 00 08 01 66 6f 6f
EAP-TTLS: Encrypting Phase 2 data - hexdump(len=16): [REMOVED]
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=100): 01 00 00 60 02 06 00 60 15 00 17 03 01 00 20 b5 05 8a a6 5e 78 16 9e e2 f6 fd 52 6e 86 d6 42 69 36 a7 3f 3b b1 80 12 13 6a 29 7f 91 8a b3 b0 17 03 01 00 30 b8 41 cc 87 65 b4 21 f6 ad b2 9e 1b d8 12 be f1 2f b0 60 ca ac 14 70 61 d6 93 4b 56 e0 de 32 40 4c b5 96 f4 92 08 ae 2b 34 42 63 6c d0 09 a8 f6
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=83): 01 00 00 4f 01 07 00 4f 15 80 00 00 00 45 17 03 01 00 40 ea 30 50 29 6d a3 63 42 7f 47 0c 98 01 af 14 f3 f4 44 cc 76 a1 20 7d 85 47 42 de f3 76 16 48 79 ab 95 2d d5 c0 c4 ff 5a 3f 42 1c 6c 04 92 f7 f2 13 b8 12 8b 9b e1 49 d7 c7 4b 9a e2 23 42 60 8b
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=21 id=7
EAP: EAP entering state METHOD
SSL: Received packet(len=79) - Flags 0x80
SSL: TLS Message Length: 69
EAP-TTLS: received 69 bytes encrypted data for Phase 2
EAP-TTLS: Decrypted Phase 2 AVPs - hexdump(len=32): 00 00 00 4f 40 00 00 1e 01 07 00 16 04 10 f0 7d 0e 84 ea da c9 80 d7 2b bd f0 76 2f 03 80 00 00
EAP-TTLS: AVP: code=79 flags=0x40 length=30
EAP-TTLS: AVP data - hexdump(len=22): 01 07 00 16 04 10 f0 7d 0e 84 ea da c9 80 d7 2b bd f0 76 2f 03 80
EAP-TTLS: AVP - EAP Message
EAP-TTLS: Phase 2 EAP - hexdump(len=22): 01 07 00 16 04 10 f0 7d 0e 84 ea da c9 80 d7 2b bd f0 76 2f 03 80
EAP-TTLS: received Phase 2: code=1 identifier=7 length=22
EAP-TTLS: Phase 2 EAP Request: type=4
EAP-TTLS: Selected Phase 2 EAP method 4
EAP-MD5: Challenge - hexdump(len=16): f0 7d 0e 84 ea da c9 80 d7 2b bd f0 76 2f 03 80
EAP-MD5: generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 7a ba fd 26 e7 f0 62 3d c8 87 1d 1c bf 89 28 7e
EAP-TTLS: AVP encapsulate EAP Response - hexdump(len=22): 02 07 00 16 04 10 7a ba fd 26 e7 f0 62 3d c8 87 1d 1c bf 89 28 7e
EAP-TTLS: Encrypting Phase 2 data - hexdump(len=32): [REMOVED]
EAP-TTLS: Authentication completed successfully
EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=116): 01 00 00 70 02 07 00 70 15 00 17 03 01 00 20 47 89 49 56 e6 61 64 d4 ef 83 a2 87 80 6a 8c 6d c7 6e 75 75 59 17 1f f4 6b 29 73 25 6b ba dd 9f 17 03 01 00 40 de a7 87 c8 51 85 32 1b 58 6a 2b 40 24 2c 33 52 16 f5 82 40 00 d6 27 5a ca 41 4e 1c d1 99 20 cf 72 28 98 04 5c b6 18 7b f4 e8 86 6c d3 7b d1 ff d8 6a 0e fd d5 ab ad bd 75 08 f8 a8 a7 08 59 54
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=46): 01 00 00 04 03 07 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 01 17 07 47 46 61 66 67 b9 96 02 eb b4 94 ce ed cc c7 33 13 1d 59 bb d6 6e 3b 59 08 ef e9 9c f5 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines
IEEE 802.1X RX: version=2 type=3 length=117
  EAPOL-Key type=2
WPA: RX EAPOL-Key - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 01 17 07 47 46 61 66 67 b9 96 02 eb b4 94 ce ed cc c7 33 13 1d 59 bb d6 6e 3b 59 08 ef e9 9c f5 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
State: ASSOCIATED -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:xx:xx:xx:xx:xx (ver=2)
RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: PMKID from Authenticator - hexdump(len=16): 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: no matching PMKID found
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
RSN: added PMKSA cache entry for 00:xx:xx:xx:xx:xx
RSN: no PMKSA entry found - trigger full EAP authentication
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 02 17 07 47 46 61 66 67 b9 96 02 eb b4 94 ce ed cc c7 33 13 1d 59 bb d6 6e 3b 59 08 ef e9 9c f5 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 43 41 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00
EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines
IEEE 802.1X RX: version=2 type=3 length=117
  EAPOL-Key type=2
WPA: RX EAPOL-Key - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 02 17 07 47 46 61 66 67 b9 96 02 eb b4 94 ce ed cc c7 33 13 1d 59 bb d6 6e 3b 59 08 ef e9 9c f5 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 43 41 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00
State: 4WAY_HANDSHAKE -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:xx:xx:xx:xx:xx (ver=2)
RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 43 41 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00
RSN: PMKID from Authenticator - hexdump(len=16): 43 41 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00
RSN: no matching PMKID found
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
WPA: reusing previous PMKSA entry
RSN: no PMKSA entry found - trigger full EAP authentication
RX EAPOL from 00:xx:xx:xx:xx:xx
RX EAPOL - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 03 17 07 47 46 61 66 67 b9 96 02 eb b4 94 ce ed cc c7 33 13 1d 59 bb d6 6e 3b 59 08 ef e9 9c f5 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines
IEEE 802.1X RX: version=2 type=3 length=117
  EAPOL-Key type=2
WPA: RX EAPOL-Key - hexdump(len=121): 02 03 00 75 02 00 8a 00 10 00 00 00 00 00 00 00 03 17 07 47 46 61 66 67 b9 96 02 eb b4 94 ce ed cc c7 33 13 1d 59 bb d6 6e 3b 59 08 ef e9 9c f5 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 dd 14 00 0f ac 04 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
State: 4WAY_HANDSHAKE -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:xx:xx:xx:xx:xx (ver=2)
RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: PMKID from Authenticator - hexdump(len=16): 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: no matching PMKID found
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
WPA: reusing previous PMKSA entry
RSN: no PMKSA entry found - trigger full EAP authentication
Setting scan request: 0 sec 100000 usec
Added BSSID 00:xx:xx:xx:xx:xx into blacklist
State: 4WAY_HANDSHAKE -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
wpa_driver_bsd_del_key: keyidx=0
wpa_driver_bsd_del_key: keyidx=1
wpa_driver_bsd_del_key: keyidx=2
wpa_driver_bsd_del_key: keyidx=3
wpa_driver_bsd_del_key: addr=00:00:00:00:00:00 keyidx=0
State: DISCONNECTED -> SCANNING

 =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

When I contacted Cisco support, they said the two following lines
which are from the above Cisco debug logs:

Feb 14 13:40:56.990: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
Feb 14 13:40:56.990: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes

indicated to them that FreeRADIUS was sending dynamic VLAN attributes
to the access point.  I do not have any VLAN or other tunnelling
attributes set on the FreeRADIUS side.

Jouni suggested that these lines from the wpa_supplicant "-dd"
debug log above:

RSN: PMKID from Authenticator - hexdump(len=16): 42 4e 00 ff 53 4d 42 25 00 00 00 00 00 00 00 00
RSN: no matching PMKID found
WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
RSN: added PMKSA cache entry for 00:xx:xx:xx:xx:xx
RSN: no PMKSA entry found - trigger full EAP authentication

indicated that the access point is not sending the correct keys.

I cannot understand whether my problems lie in the FreeRADIUS area
(my misconfiguration of which) or in the Cisco access point (my
misconfiguration of which).  I would be happy to include all or
parts of my Cisco running configuration if necessary, but this
email message is already too long.

Regards,

web...

--
William Bulley                     Email: web at umich.edu




More information about the Freeradius-Users mailing list