EAP-TEAP Compound MAC calculation

[Suriya Shankar]

Hi Alan,

Thank you. I am able to bring up the eap_teap module from 3.2.x and the
client is happy until the first inner TLS. Intermediate Result Success is
being shared with each other.

But with the vp = fr_pair_find_by_num(request->state,
> PW_EAP_TEAP_TLV_IDENTITY, VENDORPEC_FREERADIUS, TAG_ANY);


is being returned null and before the second certificate exchange, server
is sending success and so client rejects the authentication saying
Unexpected TLV.
Where do we set the request->state with the Attr pair to avoid this?

For the same reason EAP_TEAP_TLV_IDENTITY is not being sent even for the
first Inner tunnel authentication. As per the documentation the TLV is the
hint for the client and I believe it may not essential for the connection
to establish.

Is 3.2.x the right version for eap_teap?

Thanks,
Suriya

On Wed, Aug 16, 2023 at 3:27 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Aug 16, 2023, at 4:01 PM, Suriya Shankar <suriya.dshankar at gmail.com>
> wrote:
> > I am trying to calculate the Compound MAC for EAP-TEAP. But the
> description
> > in the rfc 7170 is bit confusing
>
>   Very much so.
>
>   The short answer is that this list is about FreeRADIUS.  If you're
> implementing an EAP type for another piece of software, there are likely
> other places to go.
>
>   The FreeRADIUS source code for the compound MAC calculation is in
> src/modules/rlm_eap/types/rlm_eap_teap.
>
> > Could any please help me in understanding the Compound MAC calculation or
> > guide me in the right direction
>
>   Don't read RFC 7170.  It's confusing, and substantially wrong.
>
>   Read the updated document, which is soon to be published:
> https://datatracker.ietf.org/doc/draft-ietf-emu-rfc7170bis/11/
>
>   It's not only clearer, but it's what Microsoft / FreeRADIUS / Cisco /
> hostap / etc. have all done.
>
>   Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/devel.html
>