Identity problem and MSK, EMSK management

Alan DeKok aland at deployingradius.com
Sun Oct 22 23:30:42 CEST 2006


kky <mingyur at inventati.org> wrote:
> 1) I'm developing an auth module for EAP where the real identity of the
> user is passed in the 3rd message (in the EAP Response/Identity there is a
> fictitious string "anonymous"), so I had to add an if( .. ) statement in
> eap_start() that says something like this: if memcmp(request->username,
> "anonymous" ...) && EAP type is the one I'm developing, set the attribute
> User-Name in request->username and in request->packet->vps to the real
> identity (found in the packet received).

  Why is that necessary?  Other EAP types use "anonymous" as the outer
identity, and don't have to do this.

> And all goes well: rlm_sql finds the user in the DB and gets all the
> attributes from the radreply table, so I can access them from
> handler->request->reply->vps. The protocol continues, but when a new
> response comes from the supplicant the NAS, I suppose, sets the
> attribute User-Name to "anonymous". Is there a way to tell the NAS to
> change the value of User-Name to the correct one?!

  No.  The NAS uses the name from the EAP identity message.

> The problem is that the next messages will not get the right user
> anymore, because the section above will set the User-Name to something
> without sense... suggestions?

  Don't play games with the User-Name.  Your EAP type will have to
work with all known NASes, so doing crazy things to
request->packet->vps is pointless.  Rather than fighting the NAS (you
can't win), implement your EAP type to inter-operate with the NAS as
it works today.

> 2) The protocol also derives MSK and EMSK.

  Huh?  English, please.

> I have seen that eap_sim_sendsuccess(EAP_HANDLER *handler)
> sets 2 proprietary value pairs in handler->request->reply->vps
> (MS-MPPE-Recv-Key, MS-MPPE-Send-Key)... should I do something like this?
> With which attribute should I tell the NAS about the keys?

  It's the same problem as above.  The NAS expects to get keys in
particular attributes, so your EAP type will have to supply keys in
those attributes.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
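The two points in the reply above (keep the real identity in the EAP session instead of rewriting User-Name, and hand the keys to the NAS in the attributes it already expects) as one added example. This is the editor's code, not FreeRADIUS code and not the original poster's module: the struct and function names (`eap_session`, `eap_session_lookup`, `eap_export_mppe_keys`, etc.) are assumed for illustration, and the MSK and State values are constructed. The key split it uses, first 32 octets of the MSK into MS-MPPE-Recv-Key and the next 32 into MS-MPPE-Send-Key, is the convention rlm_eap's EAP-SIM and EAP-TLS code follows; the EMSK is kept by the method and never sent to the NAS.

```c
/* Added example (editor's, not FreeRADIUS code).  An EAP method whose
 * real identity only appears in its third message keeps that identity
 * in its own session state, finds the session by the State attribute
 * rather than by User-Name (which the NAS fills with the outer
 * "anonymous" identity on every round), and exports the MSK in the
 * attributes the NAS expects.  All names below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSK_LEN    64   /* RFC 5247: MSK and EMSK are 64 octets each */
#define MPPE_LEN   32   /* each MS-MPPE-*-Key carries 32 octets of the MSK */
#define STATE_LEN  16
#define MAX_SESS   8
#define ID_LEN     64

struct eap_session {
    int     in_use;
    uint8_t state[STATE_LEN];       /* value the NAS echoes in State */
    char    outer_identity[ID_LEN]; /* from EAP-Response/Identity */
    char    inner_identity[ID_LEN]; /* learned from the method's own message */
    uint8_t msk[MSK_LEN];
    uint8_t emsk[MSK_LEN];          /* kept for the method, never exported */
};

/* The few Access-Request fields this example needs. */
struct access_request {
    char    user_name[ID_LEN];      /* copied by the NAS from the identity */
    int     has_state;
    uint8_t state[STATE_LEN];
};

/* Reply attributes handed to the NAS in the Access-Accept. */
struct access_accept {
    uint8_t mppe_recv_key[MPPE_LEN];
    uint8_t mppe_send_key[MPPE_LEN];
};

static struct eap_session sessions[MAX_SESS];

/* First round: no State yet.  Allocate a session, remember the outer
 * identity, and attach the State value the NAS must echo back. */
struct eap_session *eap_session_start(const struct access_request *req,
                                      const uint8_t state[STATE_LEN])
{
    for (int i = 0; i < MAX_SESS; i++) {
        if (sessions[i].in_use) continue;
        memset(&sessions[i], 0, sizeof(sessions[i]));
        sessions[i].in_use = 1;
        memcpy(sessions[i].state, state, STATE_LEN);
        snprintf(sessions[i].outer_identity, ID_LEN, "%s", req->user_name);
        return &sessions[i];
    }
    return NULL;
}

/* Later rounds: locate the session by State only.  User-Name is not
 * consulted, because the NAS resets it to the outer identity every round. */
struct eap_session *eap_session_lookup(const struct access_request *req)
{
    if (!req->has_state) return NULL;
    for (int i = 0; i < MAX_SESS; i++)
        if (sessions[i].in_use &&
            memcmp(sessions[i].state, req->state, STATE_LEN) == 0)
            return &sessions[i];
    return NULL;
}

/* Third round of the method: its payload carries the real identity.
 * Store it in the session; the request's User-Name is left untouched. */
int eap_session_set_inner_identity(struct eap_session *s, const char *inner)
{
    if (!s || !inner || strlen(inner) >= ID_LEN) return -1;
    strcpy(s->inner_identity, inner);
    return 0;
}

/* Export keys as rlm_eap does for EAP-SIM/EAP-TLS: MSK[0..31] becomes
 * MS-MPPE-Recv-Key, MSK[32..63] becomes MS-MPPE-Send-Key.  No EMSK. */
void eap_export_mppe_keys(const struct eap_session *s, struct access_accept *rep)
{
    memcpy(rep->mppe_recv_key, s->msk, MPPE_LEN);
    memcpy(rep->mppe_send_key, s->msk + MPPE_LEN, MPPE_LEN);
}

/* Walks one constructed conversation; returns 0 when every step behaves. */
int eap_example_selftest(void)
{
    uint8_t st[STATE_LEN];
    for (int i = 0; i < STATE_LEN; i++) st[i] = (uint8_t)(0xA0 + i);

    struct access_request r1 = { "anonymous", 0, {0} };
    struct eap_session *s = eap_session_start(&r1, st);
    if (!s || strcmp(s->outer_identity, "anonymous") != 0) return 1;

    /* Round 3 arrives with User-Name still "anonymous" and State echoed. */
    struct access_request r3 = { "anonymous", 1, {0} };
    memcpy(r3.state, st, STATE_LEN);
    if (eap_session_lookup(&r3) != s) return 2;
    if (eap_session_set_inner_identity(s, "alice@example.org") != 0 ||
        strcmp(s->inner_identity, "alice@example.org") != 0) return 3;
    if (strcmp(r3.user_name, "anonymous") != 0) return 4; /* never rewritten */

    for (int i = 0; i < MSK_LEN; i++) s->msk[i] = (uint8_t)i; /* constructed MSK */
    struct access_accept rep;
    eap_export_mppe_keys(s, &rep);
    if (rep.mppe_recv_key[0] != 0 || rep.mppe_recv_key[31] != 31) return 5;
    if (rep.mppe_send_key[0] != 32 || rep.mppe_send_key[31] != 63) return 6;
    s->in_use = 0;
    return 0;
}

int main(void)
{
    int rc = eap_example_selftest();
    printf("eap session example: %s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```

In a real module the State value comes from the EAP-Message/State handling that rlm_eap already does for every method, so the method itself only needs to keep the inner identity in its handler data and fill the reply attributes at success time; nothing in `request->packet->vps` has to change for this to work against an unmodified NAS.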
