Is eapol_test still the preferred way to test the various EAP methods ? Or is there a better tool for validating the FreeRADIUS configuration that can be semi-automated ?
On Feb 21, 2025, at 10:52 AM, BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
Is eapol_test still the preferred way to test the various EAP methods ? Or is there a better tool for validating the FreeRADIUS configuration that can be semi-automated ?
eapol_test is the best thing to use. Sample configurations are in src/tests/eap*.conf Alan DeKok.
I must be cursed - test install with the default site on a RHEL8 host, FreeRADIUS 3.2.7 built from source, running eapol_test locally on the server: (0) Received Access-Request Id 0 from 127.0.0.1:58220 to 127.0.0.1:1812 length 134 Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) (from client localhost) Using eapol_test -c test.conf -a 127.0.0.1 -stesting123 Reading configuration file 'test.conf' Line: 1 - start of a new network block key_mgmt: 0x1 identity - hexdump_ascii(len=10): 6d 79 75 73 65 72 6e 61 6d 65 myusername proto: 0x2 eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 ca_cert - hexdump_ascii(len=32): 2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 63 65 72 /etc/pki/tls/cer 74 73 2f 63 61 2d 62 75 6e 64 6c 65 2e 63 72 74 ts/ca-bundle.crt client_cert - hexdump_ascii(len=29): 2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 63 65 72 /etc/pki/tls/cer 74 73 2f 73 65 72 76 65 72 2e 70 65 6d ts/server.pem private_key - hexdump_ascii(len=31): 2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 70 72 69 /etc/pki/tls/pri 76 61 74 65 2f 73 65 72 76 65 72 2e 6b 65 79 vate/server.key private_key_passwd - hexdump_ascii(len=5): 38 30 32 31 78 8021x Priority group 0 id=0 ssid='' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:54371 ENGINE: Loading builtin engines ENGINE: Loading builtin engines EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=48 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: Status notification: started (param=) EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=10): 6d 79 75 73 65 72 6e 61 6d 65 myusername EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=15) TX EAP -> RADIUS - hexdump(len=15): 02 30 00 0f 01 6d 79 75 73 65 72 6e 61 6d 65 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=10): 6d 79 75 73 65 72 6e 61 6d 65 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=134 Attribute 80 (Message-Authenticator) length=18 Value: 00000000000000000000000000000000 Attribute 1 (User-Name) length=12 Value: 'myusername' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=17 Value: 0230000f016d79757365726e616d65 RADIUS: Send 134 bytes to the server Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE EAPOL: startWhen --> 0 STA 02:00:00:00:00:01: Resending RADIUS message (id=0) RADIUS: Send 134 bytes to the server Next RADIUS client retransmit in 6 seconds STA 02:00:00:00:00:01: Resending RADIUS message (id=0) RADIUS: Send 134 bytes to the server Next RADIUS client retransmit in 12 seconds STA 02:00:00:00:00:01: Resending RADIUS message (id=0) RADIUS: Send 134 bytes to the server Next RADIUS client retransmit in 24 seconds EAPOL test timed out EAPOL: EAP key not available EAPOL: EAP Session-Id not available WPA: Clear old PMK and PTK MPPE keys OK: 0 mismatch: 1 FAILURE This doesn't appear to be a FreeRADIUS issue as the shared secret works just fine with radclient: # echo "User-Name = somebody,User-Password = dontcare" | radclient -x -s 127.0.0.1 auth testing123 Sent Access-Request Id 47 from 0.0.0.0:41624 to 127.0.0.1:1812 length 66 Message-Authenticator = 0x User-Name = "somebody" User-Password = "dontcare" Cleartext-Password = "dontcare" Received Access-Reject Id 47 from 127.0.0.1:1812 to 127.0.0.1:41624 length 38 Message-Authenticator = 0x10406f6c14a47ecf14b56f738188a885 (0) -: Expected Access-Accept got Access-Reject Packet summary: Accepted : 0 Rejected : 1 Lost : 0 Passed filter : 0 Failed filter : 1 Tried with the eapol_client distributed with RHEL8 as well as once built from the latest sources. On Fri, Feb 21, 2025 at 11:06 AM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 21, 2025, at 10:52 AM, BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
Is eapol_test still the preferred way to test the various EAP methods ? Or is there a better tool for validating the FreeRADIUS configuration that can be semi-automated ?
eapol_test is the best thing to use.
Sample configurations are in src/tests/eap*.conf
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 21, 2025, at 12:33 PM, BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
I must be cursed - test install with the default site on a RHEL8 host, FreeRADIUS 3.2.7 built from source, running eapol_test locally on the server:
(0) Received Access-Request Id 0 from 127.0.0.1:58220 to 127.0.0.1:1812 length 134 Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) (from client localhost)
Then the shared secret is wrong. eapol_test works for me in my testing. And the FreeRADIUS build system runs it multiple ties a day. Alan DeKok.
I'd agree but the same shared secret works for radclient - they are both using testing123 with the default localhost client setup. On Fri, Feb 21, 2025 at 2:24 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 21, 2025, at 12:33 PM, BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
I must be cursed - test install with the default site on a RHEL8 host, FreeRADIUS 3.2.7 built from source, running eapol_test locally on the server:
(0) Received Access-Request Id 0 from 127.0.0.1:58220 to 127.0.0.1:1812 length 134 Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) (from client localhost)
Then the shared secret is wrong. eapol_test works for me in my testing. And the FreeRADIUS build system runs it multiple ties a day.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And the answer yet again is FIPS. - I spun up a new RHEL8 image from the RedHat AMI in AWS - Installed the FreeRADIUS 3.2.7 RPMs and the distro version of the wpa_supplicant - Tested, worked as expected with the default configuration - Run /bin/fips-mode-setup --enable and reboot when ready - Test again, I get the "invalid Message-Authenticator" nonsense when testing with the exact same configuration. Again, I think the problem is in wpa_authenticator/eapol_test since I've got EAP-TLS working with FIPs mode and RHEL8 elsewhere, but thought I'd reply as informational to the list. On Fri, Feb 21, 2025 at 2:30 PM BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
I'd agree but the same shared secret works for radclient - they are both using testing123 with the default localhost client setup.
On Fri, Feb 21, 2025 at 2:24 PM Alan DeKok <aland@deployingradius.com> wrote:
On Feb 21, 2025, at 12:33 PM, BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
I must be cursed - test install with the default site on a RHEL8 host, FreeRADIUS 3.2.7 built from source, running eapol_test locally on the server:
(0) Received Access-Request Id 0 from 127.0.0.1:58220 to 127.0.0.1:1812 length 134 Dropping packet without response because of error: Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) (from client localhost)
Then the shared secret is wrong. eapol_test works for me in my testing. And the FreeRADIUS build system runs it multiple ties a day.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 24, 2025, at 1:36 PM, BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
And the answer yet again is FIPS.
The gift that keeps on giving...
- I spun up a new RHEL8 image from the RedHat AMI in AWS - Installed the FreeRADIUS 3.2.7 RPMs and the distro version of the wpa_supplicant - Tested, worked as expected with the default configuration - Run /bin/fips-mode-setup --enable and reboot when ready - Test again, I get the "invalid Message-Authenticator" nonsense when testing with the exact same configuration.
Again, I think the problem is in wpa_authenticator/eapol_test since I've got EAP-TLS working with FIPs mode and RHEL8 elsewhere, but thought I'd reply as informational to the list.
Yes. wpa_supplicant and hostap don't disable FIPS mode when RADIUS is used. I'll see what I can do. Alan DeKok.
participants (2)
-
Alan DeKok -
BuzzSaw Code