On Sat, Mar 19, 2016 at 12:10:17AM +0000, Arran Cudbard-Bell wrote:
On 18 Mar 2016, at 23:22, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Close. Think I may have found it. Have found the differences, anyway.
What's your supplicant, just we can make sure we're using roughly the same methodology.
Mine is Windows 10 with PEAP outer EAP-TLS inner.
Unfortunately I'm working blind; I've not got a broken machine with Windows. Hence a lot of hypotheses and not too many concrete answers. :( I've been running eapol_test and comparing the differences in the replies between the two versions. The original report was (an unspecified version of) Windows doing PEAP/MSCHAPv2.
First confusing thing is the FreeRADIUS is only printing out the first EAP-Message attribute in the debug output, hence the lengths
Fixed the debug. Still used a stack buffer of 256 bytes.
Cool, thanks :)
My hypothesis would be a supplicant bug that sees the Length flag set so erroneously expects more packets, but that should not be the case because M was not set. It certainly works fine in eapol_test both pre- and post-8a7f6e330f, so it seems down to the way the particular supplicant processes the reply.
No, something weirder. Even when fragmentation is required it hangs.
That is very odd. I wonder if it's a combination of things - something broken before that patch as well as the length being included. In which case taking say v3.0 and artificially _adding_ the L flag and length might be useful - if that works then there must also be other differences. Inverse of my unlang hack. Cough, splutter.
and other packets are sent like this back to the supplicant, hence guessing this change in behaviour is just hitting one particular Windows supplicant in the wrong places.
Yes. Have you got PEAP + TLS to run to completion before the patch? I suspect PEAP with MSCHAPv2 will, but PEAP with TLS (that still requires fragmentation), won't.
The only Windows machine I've got here at the moment is a VM, and I haven't been able to work the hostapd-foo correctly yet to get it to do wired 802.1X over a virtual network port. So I can't currently test it :( I have got a live server at the moment with Windows 7 clients doing PEAP/EAP-TLS, so I know that works, but it's before 8a7f6e330f. So it probably doesn't help much. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>