[FR 3.0.22] Locally derived EAP Session-Id does not match EAP-Key-Name from server

Sergio NNX sfhacker at hotmail.com
Tue Jun 16 14:39:19 CEST 2020


Ciao.

We have recently upgraded from 3.0.18 to 3.0.22.

We are running some EAP tests, in particular EAP-TLS using eapol_test.

The eapol_test tool complains with this message:

      'Locally derived EAP Session-Id does not match EAP-Key-Name from server'

Any pointers would be greatly appreciated.

Thanks in advance.

eapol_test output:

<snip>
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): 1b 94 19 e6 28 08 ba ac 15 aa f9 2e 3e 42 1e db 25 92 c4 4e 62 76 cc 35 9c 5d 2e 01 68 c9 91 46
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16
decapsulated EAP packet (code=3 id=11 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 7c 5f bb 17 fe 55 f6 b5 20 45 ab c1 2a 7c 54 98 01 3d 70 6d e0 0e de d1 1b e8 2a 37 7c 36 86 28
WARNING: PMK mismatch
PMK from AS - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16
Locally derived EAP Session-Id does not match EAP-Key-Name from server
EAP Session-Id - hexdump(len=65): 0d 3b 1b 80 ac 99 3e 8b 9e 47 12 b6 59 86 77 9f 08 c7 f4 15 fe 26 a4 74 42 f4 af 73 14 85 da 3d 20 67 c8 37 57 14 41 e0 49 63 a3 0a a4 4d 3a 45 a0 f3 73 00 68 12 bb ff 79 d5 d1 24 bb 88 fd 22 1b
EAP-Key-Name from server - hexdump(len=65): 0d dd 98 63 f2 b3 7e 6e 7e 07 38 7f 72 10 e6 2e d9 73 85 f4 8c 4b 06 02 ae 4f b4 ae 7a 7e a7 ef c4 fb 9c ec c7 42 38 e9 86 96 34 f6 36 5e 2e c9 75 b1 05 98 1b 5c 01 8c a6 6e 85 a9 97 13 14 7a 42
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


FR debug output:

<snip>
(9) eap_tls: <<< recv TLS 1.3  [length 0001]
(9) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(9) eap_tls: <<< recv TLS 1.3  [length 0108]
(9) eap_tls: <<< recv TLS 1.3  [length 0001]
(9) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(9) eap_tls: <<< recv TLS 1.3  [length 0034]
(9) eap_tls: TLS_accept: SSLv3/TLS read finished
(9) eap_tls: (other): SSL negotiation finished successfully
(9) eap_tls: TLS - Connection Established
(9) eap_tls: TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384"
(9) eap_tls: TLS-Session-Version = "TLS 1.3"
(9) eap_tls: TLS - Application data.
(9) eap_tls: WARNING: No information in cached session
(9) eap_tls: [eaptls process] = success
(9) eap: Sending EAP Success (code 3) ID 11 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file \freeradius-3.0.22\etc\raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'TLS_AES_256_GCM_SHA384'
(9)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.3'
(9)     } # update = noop
(9)     [exec] = noop
(9)     if (&reply:EAP-Session-Id) {
(9)     if (&reply:EAP-Session-Id)  -> TRUE
(9)     if (&reply:EAP-Session-Id)  {
(9)       update reply {
(9)         EAP-Key-Name := &reply:EAP-Session-Id -> 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42
(9)       } # update reply = noop
(9)     } # if (&reply:EAP-Session-Id)  = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop
(9) Sent Access-Accept Id 9 from 0.0.0.0:1812 to 127.0.0.1:55914 length 0
(9)   MS-MPPE-Recv-Key = 0x2eb88c3d96bb6966ab437006556b4413899c6a321e721b8419cd5ef3604e9a16
(9)   MS-MPPE-Send-Key = 0x1b9419e62808baac15aaf92e3e421edb2592c44e6276cc359c5d2e0168c99146
(9)   EAP-Message = 0x030b0004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "mgw"
(9)   EAP-Key-Name := 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42
(9) Finished request
Ready to process requests


