EAP-TEAP Compound MAC calculation
Suriya Shankar
suriya.dshankar at gmail.com
Thu Aug 24 01:04:05 UTC 2023
Hi Alan,
I am able to authenticate both the certificates in the inner tunnel. I have
hard coded it to request User and then Machine authentication from the client
first. I am receiving those certificates as expected, validating those
certificates, and the server sends the EAP-Success in plain text without
encryption. For some reason the client doesn't respond at all and just says
"Can't Connect to this Network".
For reference
(51) Login OK: [anonymous/<via Auth-Type =
eap_S_94de66e8-556a-4d56-8780-a114620a5c42>] (from client localhost port 0
cli BC-6E-E2-F2-22-CC)
(51) Sent Access-Accept Id 36 from 0.0.0.0:3000 to 100.96.1.28:35488 length 183
(51) MS-MPPE-Recv-Key =
0x456ec819f468acc0c54be0be0b7e5fe301a6842101f2ade041e2da5643acbc54
(51) MS-MPPE-Send-Key =
0x1a2c3e892943e6955152ce9912c118e070681098a18c9ee4f7e18fbfd52def91
(51) EAP-Message = 0x03a00004
(51) Message-Authenticator = 0x00000000000000000000000000000000
(51) User-Name = "anonymous"
(51) Framed-MTU = 994
(51) Acct-Interim-Interval = 7200
(51) Finished request
I verified all the communication between client and server, which is in the
exact sequence described in Appendix C.6, Sequence of EAP Methods.
I checked the Event Viewer on the client and the information is not that
clear. It complains: "A fatal error occurred while creating a TLS
credential. The internal error state is 10013."
Do we have a better way to debug this issue?
Thank you so much for your help
Regards,
Suriya
On Mon, Aug 21, 2023 at 5:34 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Aug 21, 2023, at 8:14 PM, Suriya Shankar <suriya.dshankar at gmail.com>
> wrote:
> > Thank you. I am able to bring up the eap_teap module from 3.2.x and the
> > client is happy until the first inner TLS. Intermediate Result Success is
> > being shared with each other.
>
> That's good.
>
> > But with the vp = fr_pair_find_by_num(request->state,
> >> PW_EAP_TEAP_TLV_IDENTITY, VENDORPEC_FREERADIUS, TAG_ANY);
> >
> > is being returned null and before the second certificate exchange, server
> > is sending success and so client rejects the authentication saying
> > Unexpected TLV.
>
> You have to configure the Identity-Type correctly. It's all a bit
> magical.
>
> > Where do we set the request->state with the Attr pair to avoid this?
>
> We're working on documentation for TEAP. For now, it's still largely
> experimental.
>
> > For the same reason EAP_TEAP_TLV_IDENTITY is not being sent even for the
> > first inner tunnel authentication. As per the documentation the TLV is the
> > hint for the client and I believe it may not be essential for the
> > connection to establish.
> >
> > Is 3.2.x the right version for eap_teap?
>
> All of the code is public. If I say TEAP is in v3.2.x, then I'm not
> trying to mislead you. There is no secret repository of TEAP that you only
> get access to by asking nicely.
>
> Since all of the code is public, you can also walk through the way
> rlm_eap_teap works, to see what it's doing. Then, configure the server the
> way the module expects.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/devel.html
>
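As an added example (not from this thread, and not FreeRADIUS code), the following Python decoder shows the two things worth checking by hand when debugging an exchange like the one above: the outer EAP header of the Access-Accept's EAP-Message (0x03a00004 from the log decodes as Code 3 = Success, Identifier 0xa0, Length 4) and the TEAP TLV stream carried inside the tunnel (RFC 7170 TLV format: M bit, R bit, 14-bit type, 16-bit length). The TLV type numbers, the Identity-Type values (1 = User, 2 = Machine) and the Result/Intermediate-Result status codes are taken from RFC 7170; the inner TLV byte sequence is constructed here, not captured, and the mandatory TLV type 0x3FF0 is a made-up value used only to show how a peer detects a mandatory TLV it does not understand (the "Unexpected TLV" / NAK case).

```python
import struct

# EAP header codes (RFC 3748, section 4).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

# TEAP TLV type numbers (RFC 7170, section 4.2).
TEAP_TLV_TYPES = {
    1: "Authority-ID", 2: "Identity-Type", 3: "Result", 4: "NAK", 5: "Error",
    6: "Channel-Binding", 7: "Vendor-Specific", 8: "Request-Action",
    9: "EAP-Payload", 10: "Intermediate-Result", 11: "PAC", 12: "Crypto-Binding",
    13: "Basic-Password-Auth-Req", 14: "Basic-Password-Auth-Resp",
    15: "PKCS#7", 16: "PKCS#10", 17: "Trusted-Server-Root",
}
TEAP_STATUS = {1: "Success", 2: "Failure"}      # Result / Intermediate-Result TLV
TEAP_IDENTITY = {1: "User", 2: "Machine"}        # Identity-Type TLV


def parse_eap_header(packet: bytes) -> dict:
    """Decode the 4-byte EAP header (Code, Identifier, Length) of an EAP-Message."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field {length} != packet size {len(packet)}")
    return {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "data": packet[4:]}


def parse_teap_tlvs(payload: bytes) -> list:
    """Walk a TEAP TLV stream; each TLV is M(1) R(1) Type(14) Length(16) Value."""
    tlvs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 4:
            raise ValueError(f"truncated TLV header at offset {off}")
        flags_type, length = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError(f"TLV at offset {off} claims {length} bytes, "
                             f"only {len(value)} present")
        tlv_type = flags_type & 0x3FFF
        tlv = {
            "type": tlv_type,
            "name": TEAP_TLV_TYPES.get(tlv_type, "Unknown"),
            "mandatory": bool(flags_type & 0x8000),   # M bit
            "reserved": bool(flags_type & 0x4000),    # R bit, must be zero
            "value": value,
        }
        # Result (3) and Intermediate-Result (10) start with a 2-byte Status;
        # Identity-Type (2) carries a 2-byte identity type.
        if tlv_type in (2, 3, 10):
            if len(value) < 2:
                raise ValueError(f"{tlv['name']} TLV shorter than 2 bytes")
            code = struct.unpack("!H", value[:2])[0]
            if tlv_type == 2:
                tlv["identity"] = TEAP_IDENTITY.get(code, "Unknown")
            else:
                tlv["status"] = TEAP_STATUS.get(code, "Unknown")
        tlvs.append(tlv)
        off += 4 + length
    return tlvs


def unsupported_mandatory(tlvs: list, supported=frozenset(TEAP_TLV_TYPES)) -> list:
    """Types of mandatory TLVs the receiver does not implement.

    A peer that sees one of these must reject the message (NAK TLV), which is
    the behaviour reported as 'Unexpected TLV' in the thread above.
    """
    return [t["type"] for t in tlvs if t["mandatory"] and t["type"] not in supported]


# The EAP-Success from the debug output above (Code 3, Id 0xa0, Length 4).
EAP_SUCCESS_FROM_LOG = bytes.fromhex("03a00004")

# Constructed inner-tunnel TLV sequence (not a capture): Identity-Type=User with
# M=0, Intermediate-Result=Success with M=1, then a made-up mandatory TLV of
# type 0x3FF0 that no peer would recognise.
SAMPLE_TLVS = (
    struct.pack("!HHH", 0x0002, 2, 1)
    + struct.pack("!HHH", 0x8000 | 10, 2, 1)
    + struct.pack("!HH", 0x8000 | 0x3FF0, 3) + b"\x01\x02\x03"
)

if __name__ == "__main__":
    print(parse_eap_header(EAP_SUCCESS_FROM_LOG))
    for tlv in parse_teap_tlvs(SAMPLE_TLVS):
        print(tlv)
    print("mandatory but unsupported:", unsupported_mandatory(parse_teap_tlvs(SAMPLE_TLVS)))
```

To use it on your own trace, feed the hex of the EAP-Message attribute to parse_eap_header, and the decrypted inner TEAP payload (after the TLS record layer, which this example does not handle) to parse_teap_tlvs, then compare the TLV order against Appendix C.6 of RFC 7170.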
More information about the Freeradius-Devel mailing list