WPA2-EAP TTLS

I have created a wireless AP with hostapd and WPA-PSK, and it is working fine, but I want to shift over to WPA-EAP with TTLS, TLS. I got hostapd to function as a RADIUS authenticator and got my certs imported, but it fails when authenticating:
config files

hostapd configuration file

interface=wlan0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

ssid=DRAGONS’ PIT
hw_mode=g
channel=10
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
#accept_mac_file=/etc/hostapd/config/wlan0.accept
#deny_mac_file=/etc/hostapd/config/wlan0.deny
auth_algs=3
ignore_broadcast_ssid=0

wmm_enabled=1

# Low priority / AC_BK = background

wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0

# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10

# Normal priority / AC_BE = best effort

wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0

# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7

# High priority / AC_VI = video

wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0

# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188

# Highest priority / AC_VO = voice

wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0

# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102

# IEEE 802.1X-2004 related configuration

# Require IEEE 802.1X authorization

ieee8021x=1
eapol_version=2
eapol_key_index_workaround=0

# RADIUS client configuration

# The own IP address of the access point (used as NAS-IP-Address)

own_ip_addr=192.168.2.1

# RADIUS authentication server

auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=********

# RADIUS authentication server configuration

radius_server_clients=/etc/hostapd/config/wlan0.radius_clients
radius_server_auth_port=1812
radius_server_ipv6=1

# WPA/IEEE 802.11i configuration

wpa=3
wpa_passphrase=********
#wpa_psk_file=/etc/hostapd/config/wlan0.wpa_psk
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_group_rekey=600
wpa_gmk_rekey=86400

eap_server=1
eap_user_file=/etc/hostapd/config/wlan0.eap_user
ca_cert=/etc/hostapd/certs/ca.pem
server_cert=/etc/hostapd/certs/server.pem
private_key=/etc/hostapd/certs/server.pem
private_key_passwd=********


#################################################################################

hostapd.eap_user configuration file

"test1" PEAP "password"
"test1" MD5 "password"
@test.com" TTLS
"
@test.com" MSCHAPV2 "password" [2]
"test1" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]


#################################################################################

hostapd.radius_client configuration file

192.168.2.0/24 testing123


error log
May 9 14:43:16 SF kernel: [  388.942917] wlan0: disassociating from f4:ec:38:b3:3a:c4 by local choice (reason=3)
May 9 14:43:16 SF kernel: [  388.954740] cfg80211: Calling CRDA to update world regulatory domain
May 9 14:43:16 SF kernel: [  388.957554] wlan0: deauthenticating from f4:ec:38:b3:3a:c4 by local choice (reason=3)
May 9 14:43:16 SF kernel: [  388.958300] cfg80211: World regulatory domain updated:
May 9 14:43:16 SF kernel: [  388.958303] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
May 9 14:43:16 SF kernel: [  388.958305] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
May 9 14:43:16 SF kernel: [  388.958307] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
May 9 14:43:16 SF kernel: [  388.958309] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
May 9 14:43:16 SF kernel: [  388.958310] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
May 9 14:43:16 SF kernel: [  388.958312] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
May 9 14:43:17 SF kernel: [  389.372860] wlan0: authenticate with f4:ec:38:b3:3a:c4 (try 1)
May 9 14:43:17 SF kernel: [  389.375295] wlan0: authenticated
May 9 14:43:17 SF kernel: [  389.375492] wlan0: associate with f4:ec:38:b3:3a:c4 (try 1)
May 9 14:43:17 SF kernel: [  389.378434] wlan0: RX ReassocResp from f4:ec:38:b3:3a:c4 (capab=0x411 status=0 aid=1)
May 9 14:43:17 SF kernel: [  389.378438] wlan0: associated
May 9 14:43:19 SF kernel: [  391.382445] wlan0: disassociating from f4:ec:38:b3:3a:c4 by local choice (reason=3)

AP error log
May 9 14:37:17 PHANTOM hostapd: wlan0: STA ac:72:89:22:d4:ef IEEE 802.11: authenticated
May 9 14:37:17 PHANTOM hostapd: wlan0: STA ac:72:89:22:d4:ef IEEE 802.11: associated (aid 1)
May 9 14:37:17 PHANTOM hostapd: wlan0: STA ac:72:89:22:d4:ef IEEE 802.1X: authentication failed - EAP type: 0 (Unknown)
May 9 14:37:17 PHANTOM hostapd: wlan0: STA ac:72:89:22:d4:ef IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)

Can anyone please assist and/or give me direction on what I need to change or do, please?

You are more likely to get help on this question at hostap@lists.shmoo.com,
which is the Hostap mailing list.

Did try them but no response from the developers, seems they're not interested…

I wouldn’t consider myself expert on specifically what you’re doing, but have you at least attempted to address the error mentioned in the last lines of your post?

Looks like a mismatch of EAP type. You’ll have to either modify the Server to match the client or vice versa. I haven’t looked at setting up 802.1x for a long time but I do remember there are numerous possible EAP types to choose from.

BTW - I’d suggest you’re close to success since your logs suggest you’ve successfully passed several prior hurdles before this problem.

HTH,
TS
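
The EAP type mismatch suggested in the reply above can be checked offline against the eap_user file. This is an added example, not part of the thread or of hostapd's own code: it assumes hostapd's integrated EAP server uses the first phase-1 entry that matches the identity, and the sample files BEFORE and AFTER and the helper names are constructed for illustration.

```python
import re

# One eap_user entry: "identity" (optional trailing * = prefix match) or a bare *,
# a comma-separated method list, an optional quoted password, an optional [2] flag.
ENTRY = re.compile(r'^(?:"(?P<id>[^"]*)"(?P<wild>\*)?|(?P<any>\*))\s+(?P<methods>\S+)'
                   r'(?:\s+"[^"]*")?(?P<p2>\s+\[2\])?\s*$')

def parse_eap_users(text):
    """Parse eap_user text into ordered entries (order matters for matching)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unparseable eap_user line: {raw!r}")
        entries.append({"identity": m.group("id"), "prefix": bool(m.group("wild")),
                        "any": bool(m.group("any")),
                        "methods": m.group("methods").split(","),
                        "phase2": bool(m.group("p2"))})
    return entries

def offered_methods(entries, identity, phase2=False):
    """Methods of the first entry matching identity in the given phase (assumed rule)."""
    for e in entries:
        if e["phase2"] != phase2:
            continue
        if (e["any"] or (e["prefix"] and identity.startswith(e["identity"]))
                or (not e["prefix"] and e["identity"] == identity)):
            return e["methods"]
    return []

def check(text, identity, client_method):
    """Return (would the client's outer method be accepted, what the server offers)."""
    offered = offered_methods(parse_eap_users(text), identity)
    return client_method in offered, offered

# Constructed sample modelled on the posted file: PEAP is the first phase-1 match.
BEFORE = '''
"test1" PEAP "password"
"test1" MD5 "password"
"test1" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
'''
# Constructed variant: one phase-1 entry listing every outer method to allow.
AFTER = '''
"test1" TTLS,PEAP
"test1" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
'''

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check(text, "test1", "TTLS"))
```

With BEFORE, a supplicant configured for TTLS is offered only PEAP and answers with a Nak (EAP type 3), which is consistent with the AP log line in the question.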