EAP Session Key Length Not Supported

monkeyking
Level 1

I am using a Cisco 1100 series AP with PEAP authentication and IAS. I have debugged a long authentication\re-association problem down to the AP rejecting any session key length which is greater than 32! The IAS server attempts to issue session key lengths between approx. 240 and 32 (last stage in the PEAP auth process); if it happens to hit the magic length of 32 then the AP allows the authentication. Any session key greater than 32 will cause the AP to disassociate the client and the client will need to try again. It can take between 1-15 full association->EAP-TLS->PEAP auth attempts (several minutes) to authenticate successfully.

Example of unsuccessful attempt:

.Apr 22 16:39:39: dot11_dot1x_parse_aaa_resp: AAA_AT_MS_MPPE_SEND_KEY session key length 192

.Apr 22 16:39:39: dot11_dot1x_parse_aaa_resp: key length not supported

.Apr 22 16:39:39: dot11_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for xxxx.xxxx.xxxx

.Apr 22 16:39:39: dot11_dot1x_send_response_to_client: Respond not sent to client!

.Apr 22 16:39:39: dot11_dot1x_send_client_fail: Authentication failed for xxxxx.xxxx.xxxx

If anyone has experienced this or knows how to get the 1100 AP to accept a longer (more secure) session key please reply. Thanks.

2 Replies

Thanks for that but it doesn't have anything to do with the issue.

Cause: Cisco 1100 AP only supports session key lengths of 32

Resolution: Upgrade the W2K3 MS IAS server to SP1 which replaces the RASTLS.DLL (responsible for EAP negotiation). This enables IAS to only attempt to issue session key lengths of 32 for CISCO APs!!! =)
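
An added triage example, not part of the thread or of any Cisco tooling: it reads AP debug output in the format quoted in the question and tallies which MS-MPPE-Send-Key lengths were followed by "key length not supported". The sample text is constructed; only the 192 attempt comes from the post, and the 64 and 32 attempts are assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug lines quoted in the question.
# Only the 192 attempt is from the post; the 64 and 32 attempts are made up.
SAMPLE = """\
.Apr 22 16:39:39: dot11_dot1x_parse_aaa_resp: AAA_AT_MS_MPPE_SEND_KEY session key length 192
.Apr 22 16:39:39: dot11_dot1x_parse_aaa_resp: key length not supported
.Apr 22 16:39:39: dot11_dot1x_send_client_fail: Authentication failed for xxxx.xxxx.xxxx

.Apr 22 16:40:02: dot11_dot1x_parse_aaa_resp: AAA_AT_MS_MPPE_SEND_KEY session key length 64
.Apr 22 16:40:02: dot11_dot1x_parse_aaa_resp: key length not supported
.Apr 22 16:40:02: dot11_dot1x_send_client_fail: Authentication failed for xxxx.xxxx.xxxx

.Apr 22 16:40:27: dot11_dot1x_parse_aaa_resp: AAA_AT_MS_MPPE_SEND_KEY session key length 32
"""

# "<optional dot><Mon DD HH:MM:SS>: <function>: <message>"
LINE = re.compile(r"^\.?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d): (?P<func>\w+): (?P<msg>.*)$")
KEYLEN = re.compile(r"AAA_AT_MS_MPPE_SEND_KEY session key length (\d+)")

def parse_attempts(text):
    """Return one record per send-key line, flagged if the AP rejected it."""
    attempts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["func"] != "dot11_dot1x_parse_aaa_resp":
            continue
        k = KEYLEN.search(m["msg"])
        if k:
            attempts.append({"time": m["ts"], "length": int(k.group(1)), "rejected": False})
        elif m["msg"] == "key length not supported" and attempts:
            # The rejection line carries no client address, so it is tied to
            # the most recent key-length line by adjacency.
            attempts[-1]["rejected"] = True
    return attempts

def summarize(attempts):
    """Count key lengths by outcome: (rejected, not rejected)."""
    rejected = Counter(a["length"] for a in attempts if a["rejected"])
    accepted = Counter(a["length"] for a in attempts if not a["rejected"])
    return rejected, accepted

if __name__ == "__main__":
    rejected, accepted = summarize(parse_attempts(SAMPLE))
    print("rejected lengths:", dict(rejected))
    print("not rejected:", dict(accepted))
```

Run against a capture taken before and after the IAS upgrade, the rejected counter should be empty afterwards if the server is now only issuing length 32.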
