Identity problem and MSK, EMSK management
Alan DeKok
aland at deployingradius.com
Sun Oct 22 23:30:42 CEST 2006
kky <mingyur at inventati.org> wrote:
> 1) I'm developing an auth module for EAP where the real identity of the
> user is passed in the 3rd message (in the EAP Response/Identity there is a
> fictitious string "anonymous"), so I had to add an if( .. ) statement in
> eap_start() that says something like this: if memcmp(request->username,
> "anonymous" ...) && EAP type is the one I'm developing, set attribute
> User-Name in request->username and in request->packet->vps to the real
> identity (found in the packet received).
Why is that necessary? Other EAP types use "anonymous" as the outer
identity, and don't have to do this.
> And all goes well: rlm_sql finds the user in the db and gets all the
> attributes from the radreply table, so I can access them from
> handler->request->reply->vps. The protocol continues, but when a new
> response comes from the supplicant, the NAS, I suppose, sets the
> attribute User-Name to "anonymous". Is there a way to tell the NAS to
> change the value of User-Name to the correct one?!
No. The NAS uses the name from the EAP identity message.
> The problem is that the next messages will no longer get the right user,
> because the section above will set the User-Name to something without
> sense... Suggestions?
Don't play games with the User-Name. Your EAP type will have to
work with all known NASes, so doing crazy things to
request->packet->vps is pointless. Rather than fighting the NAS (you
can't win), implement your EAP type to inter-operate with the NAS as
it works today.
> 2) the protocol derives also MSK and EMSK
Huh? English, please.
> I have seen that eap_sim_sendsuccess(EAP_HANDLER *handler)
> sets 2 proprietary value pairs in handler->request->reply->vps
> (MS-MPPE-Recv-Key, MS-MPPE-Send-Key)... Should I do something like this?
> With which attribute should I tell the NAS about the keys?
It's the same problem as above. The NAS expects to get keys in
particular attributes, so your EAP type will have to supply keys in
those attributes.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
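As an added illustration of the last point in the reply (this is not code from the thread or from FreeRADIUS): the NAS expects the keying material in MS-MPPE-Recv-Key and MS-MPPE-Send-Key, so an EAP method hands over the two halves of its MSK (first 32 octets to Recv-Key, next 32 to Send-Key, as EAP-SIM and RFC 5247 specify), while the EMSK never leaves the server. The struct and helper names below are assumed stand-ins, not FreeRADIUS's VALUE_PAIR API.

```c
#include <stdint.h>
#include <string.h>

#define MSK_LEN      64   /* RFC 5247: the MSK is at least 64 octets */
#define MPPE_KEY_LEN 32   /* each MS-MPPE-*-Key attribute carries 32 octets */

/* Constructed stand-in for the two Microsoft VSAs placed in the Access-Accept;
 * not FreeRADIUS's VALUE_PAIR type. */
typedef struct {
    uint8_t recv_key[MPPE_KEY_LEN]; /* MS-MPPE-Recv-Key = MSK[0..31]  */
    uint8_t send_key[MPPE_KEY_LEN]; /* MS-MPPE-Send-Key = MSK[32..63] */
} mppe_keys_t;

/* Split the method's MSK into the two attributes the NAS expects.
 * The EMSK is deliberately not an input: it stays on the EAP server and is
 * never handed to the NAS. Returns 0 on success, -1 if the MSK is too short. */
int msk_to_mppe_keys(const uint8_t *msk, size_t msk_len, mppe_keys_t *out)
{
    if (msk == NULL || out == NULL || msk_len < MSK_LEN) return -1;
    memcpy(out->recv_key, msk, MPPE_KEY_LEN);
    memcpy(out->send_key, msk + MPPE_KEY_LEN, MPPE_KEY_LEN);
    return 0;
}

/* Constructed sample MSK (octets 0x00..0x3f) so the split is easy to check. */
static void fill_sample_msk(uint8_t *msk)
{
    for (size_t i = 0; i < MSK_LEN; i++) msk[i] = (uint8_t)i;
}

/* Octet n of the derived key (send != 0 selects MS-MPPE-Send-Key), or -1. */
int sample_key_octet(int send, size_t n)
{
    uint8_t msk[MSK_LEN];
    mppe_keys_t keys;
    fill_sample_msk(msk);
    if (n >= MPPE_KEY_LEN || msk_to_mppe_keys(msk, sizeof msk, &keys) != 0) return -1;
    return send ? keys.send_key[n] : keys.recv_key[n];
}

/* 1 if a 32-octet MSK is correctly rejected (no partial keys exported), else 0. */
int short_msk_rejected(void)
{
    uint8_t msk[MPPE_KEY_LEN] = {0};
    mppe_keys_t keys;
    return msk_to_mppe_keys(msk, sizeof msk, &keys) == -1;
}
```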