eapol_test not displaying VSAs with EAP-PEAP-MSCHAPv2

Alan DeKok aland at deployingradius.com
Fri Dec 15 05:41:21 PST 2023

On Dec 14, 2023, at 8:00 PM, Jude George <jude.george at broadcom.com> wrote:
> The RADIUS server (FreeRADIUS) authenticates the client, and I can see
> from the server output that it is sending a vendor-specific-attribute
> (VSA) for this user. However, the eapol_test output does not show this
> VSA. Ironically, it does show two other VSAs, regardless of whether I
> configure a VSA for this user on the server.

  The two VSAs are MS-MPPE-Recv-Key, and MS-MPPE-Send-Key.  They're part of the EAP standards.  Almost all EAP methods will result in these attributes being sent in an Access-Accept.

  The attributes depend on various cryptographic calculations, so they will be different on every authentication attempt.

> How can I get my true VSA to show up in eapol_test's output when I use

  Use wireshark.

  FreeRADIUS ships with over 100 dictionaries, with nearly 10,000 VSAs.  hostap / eapol_test doesn't include those dictionaries, and therefore doesn't do any VSA decoding.  So it just prints them as hex.

  The choices here are:

a) read the VSAs as raw hex on hostap

b) use wireshark to look at the packet trace.  wireshark includes the FreeRADIUS dictionaries, so it decodes the attributes

c) patch the hostap source to read and use the FreeRADIUS dictionaries.

  But the better question is if you already have access to the FreeRADIUS side, why do you need to see the VSAs on the client side?

  Alan DeKok.

More information about the Hostap mailing list