EAP-TEAP Compound MAC calculation

Suriya Shankar suriya.dshankar at gmail.com
Thu Aug 24 01:04:05 UTC 2023

Hi Alan,

I am able to authenticate both the certificates in the inner tunnel. I have
hard-coded it to request User and then Machine authentication from the client. I
am receiving those certificates as expected, validate those certificates,
and the server sends the EAP-Success in plain text without encryption. For some
reason the client doesn't respond with anything and just says "Can't Connect to
this Network".

For reference

(51) Login OK: [anonymous/<via Auth-Type = eap_S_94de66e8-556a-4d56-8780-a114620a5c42>] (from client localhost port 0 cli BC-6E-E2-F2-22-CC)
(51) Sent Access-Accept Id 36 from <> to <> length 183
(51)   MS-MPPE-Recv-Key =
(51)   MS-MPPE-Send-Key =
(51)   EAP-Message = 0x03a00004
(51)   Message-Authenticator = 0x00000000000000000000000000000000
(51)   User-Name = "anonymous"
(51)   Framed-MTU = 994
(51)   Acct-Interim-Interval = 7200
(51) Finished request

I verified all the communication between client and server which is in the
exact sequence described in Appendix C.6. Sequence of EAP Methods

I checked the Event Viewer on the client and the information is not that
clear. It complains: "A fatal error occurred while creating a TLS
credential. The internal error state is 10013."

Do we have a better way to debug this issue?

Thank you so much for your help


On Mon, Aug 21, 2023 at 5:34 PM Alan DeKok <aland at deployingradius.com> wrote:

> On Aug 21, 2023, at 8:14 PM, Suriya Shankar <suriya.dshankar at gmail.com>
> wrote:
> > Thank you. I am able to bring up the eap_teap module from 3.2.x and the
> > client is happy until the first inner TLS. Intermediate Result Success is
> > being shared with each other.
>   That's good.
> > But with the vp = fr_pair_find_by_num(request->state,
> >
> > is being returned null and before the second certificate exchange, server
> > is sending success and so client rejects the authentication saying
> > Unexpected TLV.
>   You have to configure the Identity-Type correctly.  It's all a bit
> magical.
> > Where do we set the request->state with the Attr pair to avoid this?
>   We're working on documentation for TEAP.  For now, it's still largely
> experimental.
> > For the same reason EAP_TEAP_TLV_IDENTITY is not being sent even for the
> > first Inner tunnel authentication. As per the documentation the TLV is
> the
> > hint for the client and I believe it may not essential for the connection
> > to establish.
> >
> > Is 3.2.x the right version for eap_teap?
>   All of the code is public.  If I say TEAP is in v3.2.x, then I'm not
> trying to mislead you.  There is no secret repository of TEAP that you only
> get access to by asking nicely.
>   Since all of the code is public, you can also walk through the way
> rlm_eap_teap works, to see what it's doing.  Then, configure the server the
> way the module expects.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/devel.html
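A decoder for the two things this thread is looking at: the outer EAP packet the server put in the RADIUS EAP-Message attribute (0x03a00004 in the debug output above), and the TEAP TLVs carried inside the TLS tunnel (Identity-Type, Intermediate-Result, Result). This is an added example, not code from the post or from FreeRADIUS's rlm_eap_teap. The TLV type numbers and status values are as I recall them from RFC 7170 section 4.2 and should be checked against the RFC; the sample TLV bytes are constructed for the example.

```python
import struct

# EAP header codes (RFC 3748 section 4).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# TEAP TLV types as numbered in RFC 7170 section 4.2 (assumption: only the
# TLVs this thread mentions are listed; verify against the RFC).
TEAP_TLV_TYPES = {2: "Identity-Type", 3: "Result", 10: "Intermediate-Result"}
IDENTITY_TYPES = {1: "User", 2: "Machine"}
RESULT_STATUS = {1: "Success", 2: "Failure"}

# The EAP-Message value from the Access-Accept in the post.
EAP_MESSAGE_FROM_LOG = bytes.fromhex("03a00004")

# Constructed inner-tunnel payload (not a capture): a mandatory Identity-Type
# TLV asking for Machine, followed by a mandatory Intermediate-Result Success.
SAMPLE_TLVS = bytes.fromhex("80020002" "0002" + "800a0002" "0001")


def parse_eap(pkt: bytes) -> dict:
    """Decode Code, Identifier and Length. Success/Failure carry no data, so a
    Length other than 4 on those codes is treated as malformed."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError(f"EAP Length {length} does not fit in {len(pkt)} octets")
    out = {"code": EAP_CODES.get(code, f"Unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):
        if length != 4:
            raise ValueError("EAP Success/Failure must have Length 4")
        return out
    if length < 5:
        raise ValueError("EAP Request/Response needs a Type octet")
    out["type"] = pkt[4]          # 55 (0x37) is TEAP
    out["data"] = pkt[5:length]
    return out


def parse_teap_tlvs(buf: bytes) -> list:
    """Walk a TEAP TLV sequence. Header: M(1 bit) R(1 bit) Type(14 bits),
    then a 16-bit Length, then Value. A mandatory TLV of a type the peer does
    not know must be rejected (that is the 'Unexpected TLV' situation), so it
    is flagged here rather than skipped."""
    tlvs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError(f"truncated TLV header at offset {off}")
        type_field, length = struct.unpack("!HH", buf[off:off + 4])
        mandatory, ttype = bool(type_field & 0x8000), type_field & 0x3FFF
        value = buf[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {ttype} claims {length} octets, {len(value)} present")
        tlv = {"mandatory": mandatory,
               "type": TEAP_TLV_TYPES.get(ttype, f"Unknown({ttype})")}
        if ttype in (3, 10):
            # Result and Intermediate-Result: 2-octet Status (1 Success, 2 Failure).
            if length < 2:
                raise ValueError("Result TLV shorter than its Status field")
            status = struct.unpack("!H", value[:2])[0]
            tlv["status"] = RESULT_STATUS.get(status, f"Unknown({status})")
        elif ttype == 2:
            # Identity-Type: 2-octet value (1 User, 2 Machine).
            if length != 2:
                raise ValueError("Identity-Type TLV must be 2 octets")
            ident = struct.unpack("!H", value)[0]
            tlv["identity"] = IDENTITY_TYPES.get(ident, f"Unknown({ident})")
        elif mandatory:
            tlv["unexpected"] = True
        tlvs.append(tlv)
        off += 4 + length
    return tlvs


if __name__ == "__main__":
    print(parse_eap(EAP_MESSAGE_FROM_LOG))
    for tlv in parse_teap_tlvs(SAMPLE_TLVS):
        print(tlv)
```

Running it on the EAP-Message from the debug output shows a bare EAP-Success with identifier 160 and length 4, i.e. the outer, unprotected success the post describes; the TLV walk over the constructed payload is what one would apply to the decrypted inner-tunnel bytes when checking which TLVs the server actually sent before that success.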
