AVP EAP-KEY name support in FR
Jouni Malinen
jkmalinen at gmail.com
Sun May 11 12:00:57 CEST 2014
On Thu, Feb 14, 2013 at 4:18 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Phil Mayers wrote:
>> Does anyone know if there's known-good test data we can compare against,
>> or a client/application that validates it? Does eapol_test
>> implement/check it?
>
> It doesn't seem to.
>
> If someone has a packet trace from ACS, that should be enough.
I'm about to add this to eapol_test:
http://w1.fi/cgit/hostap/commit/?h=pending&id=b1e268afbc36c6605ec74e13b1ee9883fa469b8a
('eapol_test: Check EAP-Key-Name'). However, while implementing that,
I could not find where the format used by FreeRADIUS for EAP-Key-Name
("0x<hexstring>") is defined.
RFC 4072 defined EAP-Key-Name AVP as an OctetString and allocated a
RADIUS attribute type 102 for it. RFC 5247 has a pointer to that with
an indication that it can be used with RADIUS.
draft-ietf-radext-ieee802ext-12 calls this a "string" field (with RFC
2865 meaning of string being binary data). As such, I would have
expected to receive binary data, not a text string that has "0x"
prefix followed by a hexstring encoding of that binary data. Where
does this hex format come from? ACS?
Please also note that draft-ietf-radext-ieee802ext-12 adds this: "In
addition, the RADIUS server SHOULD include this Attribute in an
Access-Accept or CoA-Request only if an EAP-Key-Name Attribute was
present in the Access-Request." which does not match the current
FreeRADIUS behavior.
- Jouni
More information about the Freeradius-Users
mailing list