Modifying EAP Messages
Hi everybody, We are trying to develop a module to make possible to add extra information to EAP Messages. We are employing rlm_perlo module. Up to now, we have been able to add new EAP-Message attributes to the RADIUS response packets but we cannot figure out how to modify the current EAP-Message already addedd. It is assumed (from RFC 3579) that multiple EAP Message attributes will be concatenated to form a single EAP Packet but the thing is that we do not receive the added information in our supplicant. Two questions arise: 1) Is it possible to modify EAP-Message attributes from perl modules? 2) If not, should we go through a per EAP-athentication method C source code modification? Thanks in advance, -- Enrique de la Hoz de la Hoz
Enrique de la Hoz wrote:
We are trying to develop a module to make possible to add extra information to EAP Messages.
Huh? Why would you ever do that? The EAP protocol is well defined. Adding "extra" information to it is like adding "extra" data to IP packets. It will be ignored... at best.
We are employing rlm_perlo module. Up to now, we have been able to add new EAP-Message attributes to the RADIUS response packets but we cannot figure out how to modify the current EAP-Message already addedd. It is assumed (from RFC 3579) that multiple EAP Message attributes will be concatenated to form a single EAP Packet but the thing is that we do not receive the added information in our supplicant.
Two questions arise: 1) Is it possible to modify EAP-Message attributes from perl modules? 2) If not, should we go through a per EAP-athentication method C source code modification?
What are you trying to do, and why? Alan DeKok.
Well, it is not adding new fields but putting some data in the data fields of those messages that allow to do that, e.g., put a certain value in the EAP Type Data field: 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Type-Data ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- We are trying to build a PoC of an architecture that implies sending back some extra authorization info to the supplicant. Our first idea was included server response in the form of an AVP but we do not get the message tunneled to the client(supplicant) back (we are currently using EAP-TTLS), that is the reason why we thought of modifying EAP responses, to convey that certain info that we are not able to deliver to the supplicant back. I know that it is not a clean way of doing that but it is something like our last attempt. BTW, Why are not AVP tunnelled back to supplicant and do not go inside TTLS session? Regards, 2009/3/16 Alan DeKok <aland@deployingradius.com>
Enrique de la Hoz wrote:
We are trying to develop a module to make possible to add extra information to EAP Messages.
Huh? Why would you ever do that?
The EAP protocol is well defined. Adding "extra" information to it is like adding "extra" data to IP packets. It will be ignored... at best.
We are employing rlm_perlo module. Up to now, we have been able to add new EAP-Message attributes to the RADIUS response packets but we cannot figure out how to modify the current EAP-Message already addedd. It is assumed (from RFC 3579) that multiple EAP Message attributes will be concatenated to form a single EAP Packet but the thing is that we do not receive the added information in our supplicant.
Two questions arise: 1) Is it possible to modify EAP-Message attributes from perl modules? 2) If not, should we go through a per EAP-athentication method C source code modification?
What are you trying to do, and why?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Enrique de la Hoz de la Hoz
Enrique de la Hoz wrote:
Well, it is not adding new fields but putting some data in the data fields of those messages that allow to do that, e.g., put a certain value in the EAP Type Data field:
This is known as "writing a new EAP method". See rlm_eap/types/rlm_eap_*/ for example code that implements most common EAP methods.
We are trying to build a PoC of an architecture that implies sending back some extra authorization info to the supplicant.
Perhaps you didn't read my previous message... sending "extra information" is something that can't really be done. The protocols have specifications that describe how they work. Any "extra information" doesn't fit into those specifications.
Our first idea was included server response in the form of an AVP but we do not get the message tunneled to the client(supplicant) back (we are currently using EAP-TTLS),
TTLS can encapsulate almost anything in the inner-tunnel session. If your data didn't get sent back, it's because you didn't do the right things.
that is the reason why we thought of modifying EAP responses, to convey that certain info that we are not able to deliver to the supplicant back. I know that it is not a clean way of doing that but it is something like our last attempt.
It won't work.
BTW, Why are not AVP tunnelled back to supplicant and do not go inside TTLS session?
I have no idea. You haven't given any information about what you tried to do, or what happened. In short, modifying EAP-Messages, or the EAP protocol won't work. Adding more data inside of a TTLS tunnel is possible. But it likely requires an understanding of the specifications and the FreeRADIUS source code before making any changes. Alan DeKok.
Thank you very much Alan for your quick response.I do understand everything you say and see that no new EAP method can be added just by a perl module. Apologize for the inconveniences,
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Enrique de la Hoz wrote:
Thank you very much Alan for your quick response.I do understand everything you say and see that no new EAP method can be added just by a perl module. Doesn't PEAPv0 allow you to insert arbitrary TLVs into the inner tunnel ? Isn't that how Microsoft do their NAC stuff ?
I was pondering over this the other day, thinking how hard it would be to decode the TLVs included by the windows default supplicant, and expose them as standard attributes...
Apologize for the inconveniences,
----------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkm+vpYACgkQcaklux5oVKKFxQCfcFDguM3TikzBUVAy0QyGLqK7 FnwAn3wdgkqCWYq4DqtMWF0vhrFStEFs =peG9 -----END PGP SIGNATURE-----
Arran Cudbard-Bell wrote:
Doesn't PEAPv0 allow you to insert arbitrary TLVs into the inner tunnel ? Isn't that how Microsoft do their NAC stuff ?
Sort of.
I was pondering over this the other day, thinking how hard it would be to decode the TLVs included by the windows default supplicant, and expose them as standard attributes...
I have code somewhere from someone claiming to do this. It's for a *very* old version of the server, and it's not that good code. We'll see how it goes. Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Doesn't PEAPv0 allow you to insert arbitrary TLVs into the inner tunnel ? Isn't that how Microsoft do their NAC stuff ?
Sort of.
A magical check box appeared in the XP SP3 and Vista supplicant 'Enable Quarantine Checks'. It'd be a huge win if FR could expose these values so that they were usable for policy decisions. I know it's all icky icky Microsoft, but until a giant Apple appears over Redmond...
I was pondering over this the other day, thinking how hard it would be to decode the TLVs included by the windows default supplicant, and expose them as standard attributes...
I have code somewhere from someone claiming to do this. It's for a *very* old version of the server, and it's not that good code.
We'll see how it goes. Hmm, could you sling it over my way as well. I'm interested to see what constitutes bad code in C.
Thanks, Arran -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkm+ywIACgkQcaklux5oVKIflQCcC+VH2W2T9iCp7PHcV7bQOz1b MEcAn10mk/7cGyVvVztsJHBJoue5TeQd =Aelt -----END PGP SIGNATURE-----
Arran Cudbard-Bell wrote:
Alan DeKok wrote: A magical check box appeared in the XP SP3 and Vista supplicant 'Enable Quarantine Checks'. It'd be a huge win if FR could expose these values so that they were usable for policy decisions.
Yup.
Hmm, could you sling it over my way as well. I'm interested to see what constitutes bad code in C.
OK. There are *lots* of examples of bad C code... too many, in fact. Alan DeKok.
On Mon, Mar 16, 2009 at 11:56 PM, Arran Cudbard-Bell <a.cudbard-bell@sussex.ac.uk> wrote:
A magical check box appeared in the XP SP3 and Vista supplicant 'Enable Quarantine Checks'. It'd be a huge win if FR could expose these values so that they were usable for policy decisions.
This requires bit more than just minor changes in parsing additional data and making it available. The PEAP server will need to ask the PEAP peer to start SoH to get the extra data. This needs at least minimal functionality to support sequence of EAP methods inside the PEAP tunnel, but with that done, you should be able to process the SoH TLVs in FreeRADIUS. There is specification available for all the needed functionality and you should be able to find example code on how to do this in hostapd (it has experimental support for SoH and it dumps the TLVs received from the client in debug info if you want to run a quick test to see what data is available). - Jouni
On 17/3/09 16:26, Jouni Malinen wrote:
On Mon, Mar 16, 2009 at 11:56 PM, Arran Cudbard-Bell <a.cudbard-bell@sussex.ac.uk> wrote:
A magical check box appeared in the XP SP3 and Vista supplicant 'Enable Quarantine Checks'. It'd be a huge win if FR could expose these values so that they were usable for policy decisions.
This requires bit more than just minor changes in parsing additional data and making it available. The PEAP server will need to ask the PEAP peer to start SoH to get the extra data.
Yes I just found the appropriate article on MSDN. So 'Enable Quarantine Checks' just means that the supplicant is willing to participate in SoH, not that it will, unless explicitly requested to by the server.
This needs at least minimal functionality to support sequence of EAP methods inside the PEAP tunnel, but with that done, you should be able to process the SoH TLVs in FreeRADIUS.
There is specification available for all the needed functionality and you should be able to find example code on how to do this in hostapd
Very interesting. Which version/ git branch is this available in ?
(it has experimental support for SoH and it dumps the TLVs received from the client in debug info if you want to run a quick test to see what data is available).
Just found an explanation of the other magical 'Crypto binding' check box. It appears it's used to check that the phase 1 and phase 2 endpoints were actually the same server. Have you done any work this feature ? Many thanks, Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
On Tue, Mar 17, 2009 at 7:40 PM, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> wrote:
On 17/3/09 16:26, Jouni Malinen wrote:
There is specification available for all the needed functionality and you should be able to find example code on how to do this in hostapd
Very interesting. Which version/ git branch is this available in ?
TNC support (including experimental SoH code) was added in 0.6.x, so as far as releases are concerned, 0.6.8 would be the best start (or just use the git development branch if you want to get latest version, but I don't think there has been SoH related changes since 0.6.8).
Just found an explanation of the other magical 'Crypto binding' check box. It appears it's used to check that the phase 1 and phase 2 endpoints were actually the same server. Have you done any work this feature ?
Yes, that is also supported in both hostapd (PEAPv0 server) and wpa_supplicant (PEAPv0 peer) version 0.6.8. That needed quite a bit of experimentation and guesses since the specification was not exactly correct (but could now be since I asked it to be fixed). Anyway, the source code in hostapd is known to interoperate with Windows XP SP3 and Vista supplicant, so that is probably a good place to look at if someone wants to add this to FreeRADIUS. - Jouni
Hi. I have a endless proxy looping problem. 1. problem username format: userid@my-realm@other-realm 2. on the freeradius, i proxy (nostrip) suffix @other-realm to partner's radiator radius server 3. on my partner then proxy back (nostrip) the same username base on @my-realm to my freeradius 4. so this username userid@my-realm@other-realm is bouncing in between my radius and my partner's radius endlessly 5. both my & partner cannot change the way we proxy, because it will impact on other proxy. Is there has any parameter which i can configure to terminate such proxy traffic? Thank you
piston wrote:
I have a endless proxy looping problem.
You probably haven't had it for long. If it's been looping packets for a long time, you would have noticed.
1. problem username format: userid@my-realm@other-realm 2. on the freeradius, i proxy (nostrip) suffix @other-realm to partner's radiator radius server 3. on my partner then proxy back (nostrip) the same username base on @my-realm to my freeradius 4. so this username userid@my-realm@other-realm is bouncing in between my radius and my partner's radius endlessly 5. both my & partner cannot change the way we proxy, because it will impact on other proxy.
Take a step back. You have described a solution, not a problem. Your solution doesn't work, and therefore also doesn't solve the problem. So... what is the problem you are trying to solve? Describe that. Odds are that there is a solution that is *different* from what you described above. And, that solution will likely not have the endless looping problem.
Is there has any parameter which i can configure to terminate such proxy traffic?
Don't configure it so that it loops. Alan DeKok.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Enrique de la Hoz -
Jouni Malinen -
piston