eapol_test not displaying VSAs with EAP-PEAP-MSCHAPv2

Jude George jude.george at broadcom.com
Fri Dec 15 09:26:35 PST 2023

Thank you for the explanation about MS-MPPE-Recv-Key and
MS-MPPE-Send-Key being the two VSAs that I am seeing in the eapol_test
output. As they are encrypted, that explains why they are different
every time.

Unfortunately my other VSA doesn't show up at all, when using
EAP-PEAP-MSCHAPv2. It's not a matter of decoding the hex or reading
the dictionary, the problem is that the VSA simply is not there in the
eapol_test output. When I use EAP-TTLS-PAP or EAP-MSCHAPv2, the VSA
does show up in the eapol_test output and is easy to decode in hex.

My eapol_test output is being fed into another program for testing.
That is why wireshark would not be a good solution here, I need the
output to come out of the eapol_test client.

You had mentioned "a) read the VSAs as raw hex on hostap". Could you
please explain a little further how this would be done using hostap?
Thank you.

Jude George

On Fri, Dec 15, 2023 at 5:41 AM Alan DeKok <aland at deployingradius.com> wrote:
> On Dec 14, 2023, at 8:00 PM, Jude George <jude.george at broadcom.com> wrote:
> > The RADIUS server (FreeRADIUS) authenticates the client, and I can see
> > from the server output that it is sending a vendor-specific-attribute
> > (VSA) for this user. However, the eapol_test output does not show this
> > VSA. Ironically, it does show two other VSAs, regardless of whether I
> > configure a VSA for this user on the server.
>   The two VSAs are MS-MPPE-Recv-Key, and MS-MPPE-Send-Key.  They're part of the EAP standards.  Almost all EAP methods will result in these attributes being sent in an Access-Accept.
>   The attributes depend on various cryptographic calculations, so they will be different on every authentication attempt.
> > How can I get my true VSA to show up in eapol_test's output when I use
>   Use wireshark.
>   FreeRADIUS ships with over 100 dictionaries, with nearly 10,000 VSAs.  hostap / eapol_test doesn't include those dictionaries, and therefore doesn't do any VSA decoding.  So it just prints them as hex.
>   The choices here are:
> a) read the VSAs as raw hex on hostap
> b) use wireshark to look at the packet trace.  wireshark includes the FreeRADIUS dictionaries, so it decodes the attributes
> c) patch the hostap source to read and use the FreeRADIUS dictionaries.
>   But the better question is if you already have access to the FreeRADIUS side, why do you need to see the VSAs on the client side?
>   Alan DeKok.

This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4206 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20231215/7cde8635/attachment.p7s>

More information about the Hostap mailing list