eapol_test, MSCHAPv2 and E=691,R=1

Stefan Winter stefan.winter
Mon Mar 31 23:50:34 PDT 2014


apologies for the cryptic Subject :-)

We use eapol_test to do some extensive error condition checking on
eduroam RADIUS/EAP servers.

I have recently encountered a condition where the remote RADIUS server
behaves correctly, but eapol_test does its best to make me believe it's
not :-)

The issue comes when authenticating with PEAP-MSCHAPv2, supplying a
*wrong* password in the wpa_supplicant.conf settings, and having a
server on the other end which is configured to support MSCHAPv2 retries.

The exact problematic behaviour is this:

* ... EAP session setup with TLS as normal
* ... MSCHAP-Challenge sent, wrong response from eapol_test
* RADIUS/EAP server sends an *Access-Challenge* with E=691,R=1
(authentication failure, retry allowed)
* eapol_test does not send the password again; but also does not send
anything else
* eapol_test bails out after timeout

For scripts which expect a proper RADIUS conversation termination, this
looks extremely fishy: the last incoming packet was a Challenge, so
the server never finished the EAP state machine properly.

I am wondering how to do this better; MSCHAPv2 doesn't have a response
by the client along the lines of "Thank you for allowing me to retry,
but I'd rather not - Goodbye". So I'm somewhat sympathetic for
eapol_test to just remain silent.

However: couldn't eapol_test just send a TLS Close/Alert in response,
thus requesting the outer EAP to be torn down? This would very probably
trigger an Access-Reject from the server, and all is fine.

Alternatively, if it really sends nothing, could it return to the
command-line immediately instead? Waiting for the timeout is of no real
use here; both ends have stopped talking to each other, so there is
nothing that could resolve the situation anyway. Going back to the
command-line with FAILURE immediately would have the benefit of working
time measurements that check the duration of the EAP conversation
(something we also do).


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
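An added example, not code from this post or from hostap/eapol_test: a Python parser for the inner MSCHAPv2 Failure-Request text (the `E=... R=... C=... V=... M=...` format of RFC 2759 section 6) and a small classifier that a test harness like the one described above could use to flag the "Access-Challenge with E=691,R=1, then silence" case separately from an ordinary timeout. The RADIUS code strings, the outcome labels and the sample challenge are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Error codes from RFC 2759 section 6; 691 is the one in the subject line.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

@dataclass
class MschapFailure:
    error: int
    retry_allowed: bool          # R=1: server lets the peer send a new response
    challenge: Optional[bytes]   # C=: 16-byte challenge to use for that retry
    version: Optional[int]       # V=: protocol version the server expects
    message: Optional[str]       # M=: free-text reason, may be absent

    @property
    def error_name(self) -> str:
        return ERROR_NAMES.get(self.error, "UNKNOWN_%d" % self.error)

_FIELD = re.compile(r"(?:^|\s)([ERCV])=(\S*)")

def parse_failure(text: str) -> MschapFailure:
    """Parse 'E=691 R=1 C=<32 hex> V=3 M=reason' (RFC 2759 section 6)."""
    body, _, message = text.strip().partition(" M=")   # M= runs to end of text
    fields = dict(_FIELD.findall(body))
    if "E" not in fields or fields.get("R") not in ("0", "1"):
        raise ValueError("mandatory E= or R= field missing: %r" % text)
    challenge = bytes.fromhex(fields["C"]) if "C" in fields else None
    if challenge is not None and len(challenge) != 16:
        raise ValueError("C= must carry a 16-byte hex challenge")
    return MschapFailure(int(fields["E"]), fields["R"] == "1", challenge,
                         int(fields["V"]) if "V" in fields else None,
                         message or None)

def conversation_outcome(last_code: str, failure: Optional[MschapFailure]) -> str:
    """Classify a PEAP-MSCHAPv2 run by the last RADIUS packet the server sent
    (assumed labels) and the inner failure message, if one was seen."""
    if last_code == "Access-Accept":
        return "success"
    if last_code == "Access-Reject":
        return "clean-failure"             # server closed the EAP state machine
    if last_code == "Access-Challenge" and failure and failure.retry_allowed:
        return "stalled-retry-offered"     # the E=691,R=1 case from the post
    return "stalled"
```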
