Identity problem and MSK, EMSK management
Hi ! i have 2 main problem, i've tried to find the solutions mostly in rfc's and googleing around but without results !! i hope the questions are not to stupid ... ; ) 1) i'm developing and auth module for eap where the real identity of the user is passed in the 3rd message ( in eap response identity there is a fictitious string "anonymous" ) so i had to add an if( .. ) statement in eap_start() that says something like that : if memcmp(request->username, "anonymous" ...) && eap type is the one i'm developing set attribute User-Name in request->username and in request->packet->vps to the real identity (found in the packet receved). And all goes well : rlm_sql finds the user in the db and gets all the attributes from radreply table , so i can access them from handler->request->reply->vps. The protocol continues but when a new response comes from the supplicant the NAS, i suppose, sets the attribute User-Name to "anonymous", is there a way to tell the NAS to change the value of User-Name to the correct one ?! the problem is that next messages will not get anymore the right user because the section above will set the User-Name to something without sense ... suggestions ? 2) the protocol derives also MSK and EMSK but i don't know where to put them ! i have seen that eap_sim_sendsuccess(EAP_HANDLER *handler) sets 2 proprietary valuepairs in handler->request->reply->vps (MS-MPPE-Recv-Key , MS-MPPE-Send-Key)... should i do something like this ? with which attribute should i tell the NAS for the keys ? Thank you ! kky
kky <mingyur@inventati.org> wrote:
1) i'm developing and auth module for eap where the real identity of the user is passed in the 3rd message ( in eap response identity there is a fictitious string "anonymous" ) so i had to add an if( .. ) statement in eap_start() that says something like that : if memcmp(request->username, "anonymous" ...) && eap type is the one i'm developing set attribute User-Name in request->username and in request->packet->vps to the real identity (found in the packet receved).
Why is that necessary? Other EAP types use "anonymous" as the outer identity, and don't have to do this.
And all goes well : rlm_sql finds the user in the db and gets all the attributes from radreply table , so i can access them from handler->request->reply->vps. The protocol continues but when a new response comes from the supplicant the NAS, i suppose, sets the attribute User-Name to "anonymous", is there a way to tell the NAS to change the value of User-Name to the correct one ?!
No. The NAS uses the name from the EAP identity message.
the problem is that next messages will not get anymore the right user because the section above will set the User-Name to something without sense ... suggestions ?
Don't play games with the User-Name. Your EAP type will have to work with all known NASes, so doing crazy things to request->packet->vps is pointless. Rather than fighting the NAS (you can't win), implement your EAP type to inter-operate with the NAS as it works today.
2) the protocol derives also MSK and EMSK
Huh? English, please.
i have seen that eap_sim_sendsuccess(EAP_HANDLER *handler) sets 2 proprietary valuepairs in handler->request->reply->vps (MS-MPPE-Recv-Key , MS-MPPE-Send-Key)... should i do something like this ? with which attribute should i tell the NAS for the keys ?
It's the same problem as above. The NAS expects to get keys in particular attributes, so your EAP type will have to supply keys in those attributes. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan DeKok -
kky