eapol_test not displaying VSAs with EAP-PEAP-MSCHAPv2

Jude George jude.george at broadcom.com
Thu Dec 14 17:00:21 PST 2023

I am using eapol_test from wpa_supplicant-2.10-1.el8.x86_64 to log in
to a RADIUS server with PEAP-MSCHAPv2. This is my eapol_test

phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1
tls_disable_tlsv1_2=0 tls_disable_tlsv1_3=1 peapver=0"
phase2="eapauth=MSCHAPV2 mschapv2_retry=0"
subject_match="/C=FR/ST=Radius/O=Example Inc./CN=Example Server
Certificate/emailAddress=admin at example.org"

As you can see, I am using a CA certificate from the server, and it works.

The RADIUS server (FreeRADIUS) authenticates the client, and I can see
from the server output that it is sending a vendor-specific-attribute
(VSA) for this user. However, the eapol_test output does not show this
VSA. Ironically, it does show two other VSAs, regardless of whether I
configure a VSA for this user on the server. Here is an example of the
two other VSAs that it returns:

Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=6 length=171
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371134a19bd9f46da3dce9e765d79015d2b11ab79e8a819dda07121ab59c32d7f963b7e2a5af0d9c4563752d5e48b839d8fa5db774
   Attribute 26 (Vendor-Specific) length=58
      Value: 000001371034a99374092f3a303d6ff4fc1f46705f1e5e2bd08f1c6e4ab4c22905451fe432a03e20e9289cf85146b23b826493fde7524a39

However, the contents of these VSAs appear to be gibberish, or perhaps
they are encrypted. Again -- these two VSAs show up even if I have not
configured a VSA for this user on the FreeRADIUS server. And in fact,
the contents of these VSAs is different with every invocation of
eapol_test. They change every time I run eapol_test.

If I use either EAP-TLS or EAP-TTLS-PAP instead of EAP-PEAP-MSCHAPv2,
then I do see the correct VSA being returned with the successful
authentication response for this user 'ken':

Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=87
   Attribute 26 (Vendor-Specific) length=23
      Value: 000038a501117265706f727465722c20776865656c

I have decoded the hex for this VSA and it is correct. It is length
23, and the first 5 bytes (0x000038a501) are the VSA code, the next
byte (0x11) is the length specifier, and the final bytes (0x72
onwards) are the actual VSA string encoded in ASCII ("reporter,

My problem is, I need to use EAP-PEAP-MSCHAPv2, not EAP-TLS or EAP-TTLS-PAP.

How can I get my true VSA to show up in eapol_test's output when I use

Thank you.

Jude George
Broadcom, Inc.

This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4206 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20231214/ff1f0aaf/attachment.p7s>

More information about the Hostap mailing list