eapol_test, MSCHAPv2 and E=691,R=1
Stefan Winter
stefan.winter
Mon Mar 31 23:50:34 PDT 2014
Hi,
apologies for the cryptic Subject :-)
We use eapol_test to do some extensive error condition checking on
eduroam RADIUS/EAP servers.
I have recently encountered a condition where the remote RADIUS server
behaves correctly, but eapol_test does its best to make me believe it's
not :-)
The issue comes when authenticating with PEAP-MSCHAPv2, supplying a
*wrong* password in the wpa_supplicant.conf settings, and having a
server on the other end which is configured to support MSCHAPv2 retries.
The exact problematic behaviour is this:
* ... EAP session setup with TLS as normal
* ... MSCHAP-Challenge sent, wrong response from eapol_test
* RADIUS/EAP server sends an *Access-Challenge* with E=691,R=1
(authentication failure, retry allowed)
* eapol_test does not send the password again; but also does not send
anything else
* eapol_test bails out after timeout
For scripts which expect a proper RADIUS conversation termination, this
looks extremely fishy: the last incoming packet was a Challenge, so
the server never finished the EAP state machine properly.
I am wondering how to do this better; MSCHAPv2 doesn't have a response
by the client along the lines of "Thank you for allowing me to retry,
but I'd rather not - Goodbye". So I'm somewhat sympathetic to
eapol_test just remaining silent.
However, couldn't eapol_test just send a TLS Close/Alert in response,
thus requesting the outer EAP to be torn down? This would very probably
trigger an Access-Reject from the server, and all is fine.
Alternatively, if it really sends nothing, could it return to the
command-line immediately instead? Waiting for the timeout is of no real
use here; both ends have stopped talking to each other, so there is
nothing that could resolve the situation anyway. Going back to the
command-line with FAILURE immediately would have the benefit of working
time measurements that check the duration of the EAP conversation
(something we also do).
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
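An added example, not code from the post or from the hostap project: a parser for the MS-CHAPv2 Failure-Request text (the "E=... R=... C=... V=... M=..." format from RFC 2759 section 6) together with the kind of end-of-conversation check a test script around eapol_test would apply, so that a server that last sent an Access-Challenge carrying E=691 R=1 is reported as a dangling retry offer rather than as a server fault. The RADIUS packet code lists and the failure strings are constructed sample input.

```python
import re

# MS-CHAPv2 Failure-Request message text (RFC 2759 section 6):
#   "E=eeeeeeeeee R=r C=<32 hex chars> V=vvvvvvvvvv M=<message>"
# Only E and R are mandatory in this parser; C, V and M are optional.
FAILURE_RE = re.compile(
    r"E=(?P<error>\d+)\s+R=(?P<retry>[01])"
    r"(?:\s+C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<version>\d+))?"
    r"(?:\s+M=(?P<message>.*))?$"
)

# Error codes defined in RFC 2759 section 6.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

def parse_failure(text):
    """Parse an MS-CHAPv2 Failure-Request message into its fields."""
    m = FAILURE_RE.match(text.strip())
    if not m:
        raise ValueError("not an MS-CHAPv2 Failure message: %r" % text)
    d = m.groupdict()
    code = int(d["error"])
    return {
        "error": code,
        "error_name": ERROR_NAMES.get(code, "UNKNOWN"),
        "retry_allowed": d["retry"] == "1",   # R=1 means the server permits a retry
        "challenge": d["challenge"],           # new challenge for the retry, if any
        "version": int(d["version"]) if d["version"] else None,
        "message": d["message"] or "",
    }

# RADIUS packet codes (RFC 2865).
RADIUS_ACCEPT, RADIUS_REJECT, RADIUS_CHALLENGE = 2, 3, 11

def check_termination(radius_codes, failure=None):
    """Classify how a RADIUS/EAP exchange ended from the server packet codes seen."""
    if not radius_codes:
        return "empty"
    last = radius_codes[-1]
    if last == RADIUS_ACCEPT:
        return "accept"
    if last == RADIUS_REJECT:
        return "reject"
    if last == RADIUS_CHALLENGE:
        # Server offered a retry and the client went silent: the post's case.
        if failure is not None and failure["retry_allowed"]:
            return "dangling-retry-offer"
        return "dangling-challenge"
    return "unexpected"
```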