PEAP/MSCHAPv2 on a Samsung mobile - more than 50 EAP packets?
Alan DeKok
aland at deployingradius.com
Wed Jan 20 11:44:19 CET 2010
Stefan Winter wrote:
> I'm seeing a strange behaviour for a 802.1X supplicant, and can't really
> explain it. The device (Samsung GT-S5560 mobile) claims to do PEAP/MSCHAPv2.
"Claims".
> In -X debug, the server certificate gets exchanged just fine, but the
> device doesn't proceed to the tunnel. It keeps sending EAP-Messages
> though - so it's not like the client device doesn't like the cert. In
> fact, we tried scenarios where it doesn't like the cert intentionally
> and in these cases it just aborts. So this here is when it *does* like
> the cert (ceritficate checking is off on the device).
>
> It sends packets like the following over and over again
I've seen this happen before when the client is expecting more data
from the server. The server says "send me more data", and the client
says "no, you send me more data".
> That fragment handler seems strangely placed, and the EAP-Message is
> very short. It replies with the bytewise identical EAP-Message on the
> next round-trip.
My suggestion is that the phone is broken, and doesn't implement PEAP
properly.
This can happen when the supplicant *claims* to support one version of
PEAP, and then expects data from a different version in the packets.
> I don't know what this device is talking here. Other PEAP clients don't
> do this kind of stuff. Anyone a clue what is going on?
The client is broken.
I say that a lot, don't I? :)
Alan DeKok.
More information about the Freeradius-Users
mailing list