Modifying EAP Messages
Enrique de la Hoz
enriquedelahoz at gmail.com
Mon Mar 16 20:45:13 CET 2009
Well, it is not adding new fields but putting some data in the data fields
of those messages that allow to do that, e.g., put a certain value in the
EAP Type Data field:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Type-Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
We are trying to build a PoC of an architecture that implies sending back
some extra authorization info to the supplicant. Our first idea was included
server response in the form of an AVP but we do not get the message tunneled
to the client(supplicant) back (we are currently using EAP-TTLS), that is
the reason why we thought of modifying EAP responses, to convey that certain
info that we are not able to deliver to the supplicant back. I know that it
is not a clean way of doing that but it is something like our last attempt.
BTW, Why are not AVP tunnelled back to supplicant and do not go inside TTLS
session?
Regards,
2009/3/16 Alan DeKok <aland at deployingradius.com>
> Enrique de la Hoz wrote:
> > We are trying to develop a module to make possible to add extra
> > information to EAP Messages.
>
> Huh? Why would you ever do that?
>
> The EAP protocol is well defined. Adding "extra" information to it is
> like adding "extra" data to IP packets. It will be ignored... at best.
>
> > We are employing rlm_perlo module. Up to
> > now, we have been able to add new EAP-Message attributes to the RADIUS
> > response packets but we cannot figure out how to modify the current
> > EAP-Message already addedd. It is assumed (from RFC 3579) that multiple
> > EAP Message attributes will be concatenated to form a single EAP Packet
> > but the thing is that we do not receive the added information in our
> > supplicant.
> >
> > Two questions arise:
> > 1) Is it possible to modify EAP-Message attributes from perl modules?
> > 2) If not, should we go through a per EAP-athentication method C source
> > code modification?
>
> What are you trying to do, and why?
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
Enrique de la Hoz de la Hoz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090316/19b92d68/attachment.html>
More information about the Freeradius-Users
mailing list