Modifying EAP Messages

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Mar 17 18:40:38 CET 2009


On 17/3/09 16:26, Jouni Malinen wrote:
> On Mon, Mar 16, 2009 at 11:56 PM, Arran Cudbard-Bell
> <a.cudbard-bell at sussex.ac.uk>  wrote:
>> A magical check box appeared in the XP SP3 and Vista supplicant
>> 'Enable Quarantine Checks'. It'd be a huge win if FR could expose
>> these values so that they were usable for policy decisions.
>
> This requires a bit more than just minor changes in parsing additional
> data and making it available. The PEAP server will need to ask the
> PEAP peer to start SoH to get the extra data.

Yes, I just found the appropriate article on MSDN. So 'Enable Quarantine 
Checks' just means that the supplicant is willing to participate in SoH, 
not that it will, unless explicitly requested to by the server.

> This needs at least
> minimal functionality to support sequence of EAP methods inside the
> PEAP tunnel, but with that done, you should be able to process the SoH
> TLVs in FreeRADIUS.
>
> There is specification available for all the needed functionality and
> you should be able to find example code on how to do this in hostapd

Very interesting. Which version / git branch is this available in?

> (it has experimental support for SoH and it dumps the TLVs received
> from the client in debug info if you want to run a quick test to see
> what data is available).

Just found an explanation of the other magical 'Crypto binding' check 
box. It appears it's used to check that the phase 1 and phase 2 
endpoints were actually the same server. Have you done any work on this 
feature?

Many thanks,
Arran

-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
