EAP-TLV

Stefan Winter stefan.winter at restena.lu
Fri Dec 15 09:03:35 CET 2017


Hi,

> Not had a problem myself with TLV set... So let's look at what that does
> and examine your data path. Is your NAS terminating the EAP and then
> proxying it to your FR? Is there another system in the way? You have
> something quirky in your config, double auth-type being set, so send me
> your virtual server configs. There will be some obvious thing there.

It's certainly worth looking at that bit.

The TLV checks are AFAIR Microsoft's way of saying "enable channel
binding" (if only they'd write that so bluntly).

So, if EAP stops working when channel binding is enforced, then
something would appear to be wrong with the outer EAP vs inner MSCHAPv2
binding.

When I looked at your debug output before, I dismissed this possibility
because FreeRADIUS clearly gets an entire PEAP session, outer TLS and
inner MSCHAPv2.

But there is of course the possibility that the NAS terminates EAP and
then re-encapsulates it in a whole new PEAP session. Or a proxy doing
the same.

You would be able to verify this by inspecting the server certificate
you get on the client: is this the exact same certificate, issued by the
same CA, that your FreeRADIUS server serves?

Greetings,

Stefan Winter

> 
> alan
> 
> On 14 Dec 2017 1:39 pm, "Alan DeKok" <aland at deployingradius.com> wrote:
> 
>> On Dec 14, 2017, at 2:53 AM, Vieri via Freeradius-Users <
>> freeradius-users at lists.freeradius.org> wrote:
>>>
>>> I checked the logs on the client (Microsoft-Windows-Wired-AutoConfig),
>> and here's all I can get:
>>
>>   That's Microsoft for you.
>>
>>> Doesn't ReasonText imply that the Radius server is actually sending back
>> an EAP error?
>>
>>   Sure.  It's lying.
>>
>>   If FreeRADIUS sends an error, you would see the error in the debug
>> output.  FreeRADIUS doesn't lie to you.
>>
>>> Correct me if I'm wrong, but it seems to me that both the client and the
>> server are blaming each other.
>>
>>   You have all of the source code to FreeRADIUS, and can double-check its
>> operation.  All of the EAP standards are publicly available, and you can
>> check out how EAP works.  As the main FreeRADIUS developer, I'm telling you
>> what's going on.
>>
>>   In contrast, Microsoft gives you no source, no debug, and no access to
>> developers.
>>
>>   Don't say that both client and server are blaming each other.  That
>> implies that *I'm* lying to you when I tell you what's going on.  It
>> implies that FreeRADIUS is lying to you, too.
>>
>>   You're making these statements here because you can't make them to
>> Microsoft.  Well, that's not my problem.  Go ask Microsoft how their crappy
>> software works, and how to fix it.
>>
>>   I'm trying to help you, and you don't believe me.  You're free to go
>> elsewhere.
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
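The certificate check suggested above, as an added example that is not part of the thread and not FreeRADIUS code: given the server certificate the Windows supplicant saw (exported from the client, assumed here to be available as PEM) and the certificate FreeRADIUS is configured to serve, it reports whether they are byte-identical and whether the issuer DN matches. Only the Python standard library is used, with a minimal DER walk to reach the issuer field; the sample certificates are constructed inline and are synthetic, unsigned DER skeletons, not real certificates. The function names (`compare`, `describe_cert`, `synthetic_cert_pem`) are the example's own.

```python
"""Added example (not from the thread): compare the server certificate the Windows
supplicant saw against the one FreeRADIUS is configured to serve.

The check is "same certificate, same CA?". Both inputs are PEM; for each we derive the
SHA-256 fingerprint and the issuer DN and report whether they agree. Only the standard
library is used; the X.509 fields are reached with a minimal DER walk. The sample
certificates are constructed inline and are NOT real, signed certificates: they carry
just enough DER structure for the issuer/fingerprint comparison.
"""
import base64
import hashlib

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _render_name(name):
    """X.501 Name = SEQUENCE OF SET OF (SEQUENCE { type OID, value string })."""
    parts = []
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))
            dotted = _decode_oid(oid)
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def describe_cert(der):
    """Return (colon-separated SHA-256 fingerprint, issuer DN) for a DER Certificate."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer = _render_name(fields[2][1])             # serial, signatureAlg, issuer, ...
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2)), issuer


def compare(client_pem, server_pem):
    """Same bytes? Same issuer? A 'no' on either means a middle box presented its own cert."""
    c_fp, c_iss = describe_cert(pem_to_der(client_pem))
    s_fp, s_iss = describe_cert(pem_to_der(server_pem))
    return {"same_certificate": c_fp == s_fp, "same_issuer": c_iss == s_iss,
            "client": (c_fp, c_iss), "server": (s_fp, s_iss)}


# --- constructed sample input (synthetic, unsigned DER skeletons) -------------------
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value if len(value) < 0x80 else \
        bytes([tag, 0x81, len(value)]) + value       # sample structures stay below 256 bytes

_OID_C, _OID_CN = b"\x55\x04\x06", b"\x55\x04\x03"
_SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))


def synthetic_cert_pem(issuer_cn, serial):
    """Minimal Certificate: version, serial, sigAlg, issuer (C=LU, CN=...), dummy signature."""
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _OID_C) + _tlv(0x13, b"LU")))
                      + _tlv(0x31, _tlv(0x30, _tlv(0x06, _OID_CN) + _tlv(0x0C, issuer_cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial])) + _SHA256_RSA + issuer)
    cert = _tlv(0x30, tbs + _SHA256_RSA + _tlv(0x03, b"\x00" * 9))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(compare(synthetic_cert_pem("FreeRADIUS test CA", 1),
                  synthetic_cert_pem("NAS internal CA", 2)))
```

If `same_certificate` is false while the FreeRADIUS debug shows a complete PEAP session, the client's TLS tunnel ended somewhere other than FreeRADIUS; a false `same_issuer` in addition means a different CA altogether, which is exactly the NAS-terminating-EAP or re-encapsulating-proxy case described above.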