Can I run eapol_test in interactive mode for PEAP testing?

Arne Bier arnebier at gmail.com
Tue Apr 25 21:48:28 PDT 2017


Hi

I just recently discovered wpa_supplicant and I am a big fan - my use
case was to find a mechanism to test radius servers without using any
real networking infrastructure - hence, I gravitated to eapol_test

It's working really well except for one use case:  when testing
eap-peap authentications I am unable to go into interactive mode to
simulate a user typing in a wrong credential (which causes the
authenticating server to issue an EAP Challenge response).  eapol_test
doesn't handle this challenge and then the EAP conversation times out.
It would be useful to test the case where a user provides the
incorrect credentials, and have the authenticating server exhaust his
attempts and return an Access-Reject (for example).

Currently with one (wrong) credential eapol_test fails as follows

EAP-MSCHAPV2: error 691
EAP-MSCHAPV2: retry is allowed
EAP-MSCHAPV2: failure challenge - hexdump(len=16): 75 0f 88 f7 73 1a
31 57 f9 48 6a 75 65 87 a3 1b
EAP-MSCHAPV2: password changing protocol version 3
EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)
EAPOL: EAP parameter needed
EAPOL: EAP parameter needed
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

But my radius server never receives an Access-Reject, since the EAP
conversation got abandoned.

I have tried to see whether I could use wpa_cli, but it seems that it
relies on wpa_supplicant, and hence, a real wireless adapter.

How tricky/easy would it be to add an interactive mode to eapol_test?
Or failing that, the ability to specify multiple credentials that one
could enter into the .conf file

network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="bob"
        anonymous_identity="anonymous"
        password="mysupersecretpassword"
        phase2="autheap=MSCHAPV2"
#
#  Would this work, to get eapol_test to engage in EAP Challenge?
#       password2="myotherpassword"
#       password3="lasttry"

thanks and regards
Arne



More information about the Hostap mailing list