Can I run eapol_test in interactive mode for PEAP testing?

Arne Bier arnebier at gmail.com
Sun May 14 19:00:17 PDT 2017


Hello again

I haven't received a reply to my question.

Please redirect me to another email alias if this is not the correct
forum for this question.

thanks and regards

On 26 April 2017 at 14:48, Arne Bier <arnebier at gmail.com> wrote:
>
> Hi
>
> I just recently discovered wpa_supplicant and I am a big fan - my use
> case was to find a mechanism to test radius servers without using any
> real networking infrastructure - hence, I gravitated to eapol_test
>
> It's working really well except for one use case:  when testing
> eap-peap authentications I am unable to go into interactive mode to
> simulate a user typing in a wrong credential (which causes the
> authenticating server to issue an EAP Challenge response).  eapol_test
> doesn't handle this challenge and then the EAP conversation times out.
> It would be useful to test the case where a user provides the
> incorrect credentials, and have the authenticating server exhaust his
> attempts and return an Access-Reject (for example).
>
> Currently with one (wrong) credential eapol_test fails as follows
>
> EAP-MSCHAPV2: error 691
> EAP-MSCHAPV2: retry is allowed
> EAP-MSCHAPV2: failure challenge - hexdump(len=16): 75 0f 88 f7 73 1a 31 57 f9 48 6a 75 65 87 a3 1b
> EAP-MSCHAPV2: password changing protocol version 3
> EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)
> EAPOL: EAP parameter needed
> EAPOL: EAP parameter needed
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: startWhen --> 0
> EAPOL test timed out
> EAPOL: EAP key not available
> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
> ENGINE: engine deinit
> MPPE keys OK: 0  mismatch: 1
> FAILURE
>
> But my radius server never receives an Access-Reject, since the EAP
> conversation got abandoned.
>
> I have tried to see whether I could use wpa_cli, but it seems that it
> relies on wpa_supplicant, and hence, a real wireless adapter.
>
> How tricky/easy would it be to add an interactive mode to eapol_test?
> Or failing that, the ability to specify multiple credentials that one
> could enter into the .conf file
>
> network={
>         ssid="example"
>         key_mgmt=WPA-EAP
>         eap=PEAP
>         identity="bob"
>         anonymous_identity="anonymous"
>         password="mysupersecretpassword"
>         phase2="autheap=MSCHAPV2"
> #
> #  Would this work, to get eapol_test to engage in EAP Challenge?
> #       password2="myotherpassword"
> #       password3="lasttry"
> }
>
> thanks and regards
> Arne
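
Added example, not part of the original post or of the hostap project: a small Python parser that reads eapol_test debug output like the log quoted above and flags the case the post describes, where a retryable MSCHAPv2 error 691 is followed by "EAP parameter needed" and a timeout, so the run ended before the RADIUS server could send a final answer. The function name, the verdict labels and the embedded sample (lines copied from the quoted log) are assumptions of this example.

```python
import re

# Constructed sample: debug lines copied from the log quoted in the post.
SAMPLE_LOG = """\
> EAP-MSCHAPV2: error 691
> EAP-MSCHAPV2: retry is allowed
> EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)
> EAPOL: EAP parameter needed
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAPOL test timed out
> MPPE keys OK: 0  mismatch: 1
> FAILURE
"""

ERROR_RE = re.compile(r"^EAP-MSCHAPV2: error (\d+)$")


def classify(log_text):
    """Summarise one eapol_test run from its debug output (hypothetical helper)."""
    r = {"mschapv2_error": None, "retry_allowed": False,
         "parameter_needed": False, "timed_out": False, "final": None}
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate e-mail quoting
        m = ERROR_RE.match(line)
        if m:
            r["mschapv2_error"] = int(m.group(1))
        elif line == "EAP-MSCHAPV2: retry is allowed":
            r["retry_allowed"] = True
        elif line == "EAPOL: EAP parameter needed":
            r["parameter_needed"] = True
        elif line == "EAPOL test timed out":
            r["timed_out"] = True
        elif line in ("SUCCESS", "FAILURE"):
            r["final"] = line
    # Retry offered, client waited for new input, then timed out: the
    # conversation was abandoned, so the FAILURE line is not a server reject.
    if r["retry_allowed"] and r["parameter_needed"] and r["timed_out"]:
        r["verdict"] = "abandoned_waiting_for_new_credentials"
    elif r["timed_out"]:
        r["verdict"] = "timed_out"
    elif r["final"]:
        r["verdict"] = r["final"].lower()
    else:
        r["verdict"] = "unknown"
    return r


if __name__ == "__main__":
    for key, value in classify(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```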


