Certificate problem between 3.0.11 and 3.1.x

Matthew Newton mcn4 at leicester.ac.uk
Sat Mar 19 03:16:18 CET 2016


On Sat, Mar 19, 2016 at 12:10:17AM +0000, Arran Cudbard-Bell wrote:
> 
> > On 18 Mar 2016, at 23:22, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> > 
> > Close. Think I may have found it. Have found the differences,
> > anyway.
> 
> What's your supplicant, just so we can make sure we're using roughly
> the same methodology.
> 
> Mine is Windows 10 with PEAP outer EAP-TLS inner.

Unfortunately I'm working blind; I've not got a broken machine
with Windows. Hence a lot of hypotheses and not too many concrete
answers. :(

I've been running eapol_test and comparing the differences in
the replies between the two versions.

The original report was (an unspecified version of) Windows doing
PEAP/MSCHAPv2.

> > First confusing thing is the FreeRADIUS is only printing out the
> > first EAP-Message attribute in the debug output, hence the lengths
> 
> Fixed the debug.  Still used a stack buffer of 256 bytes.

Cool, thanks :)

> > My hypothesis would be a supplicant bug that sees the Length flag
> > set so erroneously expects more packets, but that should not be
> > the case because M was not set. It certainly works fine in
> > eapol_test both pre- and post-8a7f6e330f, so it seems down to the
> > way the particular supplicant processes the reply.
> 
> No, something weirder.  Even when fragmentation is required it hangs.

That is very odd.

I wonder if it's a combination of things - something broken before
that patch as well as the length being included. In which case
taking say v3.0 and artificially _adding_ the L flag and length
might be useful - if that works then there must also be other
differences. Inverse of my unlang hack. Cough, splutter.

> > and other packets are sent like this back to the
> > supplicant, hence guessing this change in behaviour is just
> > hitting one particular Windows supplicant in the wrong places.
> 
> Yes. Have you got PEAP + TLS to run to completion before the
> patch?  I suspect PEAP with MSCHAPv2 will, but PEAP with TLS
> (that still requires fragmentation), won't.

The only Windows machine I've got here at the moment is a VM, and
I haven't been able to work the hostapd-foo correctly yet to get
it to do wired 802.1X over a virtual network port. So I can't
currently test it :(

I have got a live server at the moment with Windows 7 clients
doing PEAP/EAP-TLS, so I know that works, but it's before
8a7f6e330f. So it probably doesn't help much.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
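Added example, not code from the thread or from FreeRADIUS: a small decoder for the EAP-TLS/PEAP fragment header (the flag byte from RFC 5216 section 3.1: L = 0x80 length included, M = 0x40 more fragments, S = 0x20 start; EAP types 13 and 25) that makes the point under discussion concrete. A peer should decide "wait for more fragments" from the M bit alone; when L is set and M is clear, the advertised TLS message length must equal the data carried in that single packet. The three sample packets are constructed for this example (they are not captures from either server version), and the struct and function names are my own.

```c
/*
 * Added example (not FreeRADIUS code): decode the EAP-TLS/PEAP fragment
 * header from an EAP packet and decide whether further fragments are due.
 * The sample packets at the bottom are constructed, not captured.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define EAPTLS_FLAG_L 0x80  /* Length included: 4-byte TLS message length follows */
#define EAPTLS_FLAG_M 0x40  /* More fragments follow */
#define EAPTLS_FLAG_S 0x20  /* EAP-TLS start */

#define EAP_TYPE_TLS  13
#define EAP_TYPE_PEAP 25

struct eaptls_frag {
    uint8_t  code, id, type, flags;
    uint16_t eap_len;
    int      has_len;   /* L bit set */
    int      more;      /* M bit set */
    uint32_t tls_len;   /* total TLS message length, valid only if has_len */
    const uint8_t *data;
    size_t   data_len;  /* TLS bytes carried in this fragment */
};

/* Parse the EAP header (code, id, length, type) plus the EAP-TLS/PEAP
 * flag byte and the optional 4-byte TLS length.
 * Returns 0 on success, -1 if the packet is truncated or malformed. */
int eaptls_parse(const uint8_t *pkt, size_t n, struct eaptls_frag *f)
{
    size_t off = 6;

    if (n < 6) return -1;
    f->code    = pkt[0];
    f->id      = pkt[1];
    f->eap_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    f->type    = pkt[4];
    f->flags   = pkt[5];
    if (f->eap_len < 6 || f->eap_len > n) return -1;
    if (f->type != EAP_TYPE_TLS && f->type != EAP_TYPE_PEAP) return -1;

    f->has_len = (f->flags & EAPTLS_FLAG_L) != 0;
    f->more    = (f->flags & EAPTLS_FLAG_M) != 0;
    f->tls_len = 0;
    if (f->has_len) {
        if (f->eap_len < 10) return -1;   /* L set but no room for the length */
        f->tls_len = ((uint32_t)pkt[6] << 24) | ((uint32_t)pkt[7] << 16) |
                     ((uint32_t)pkt[8] << 8)  |  (uint32_t)pkt[9];
        off = 10;
    }
    f->data     = pkt + off;
    f->data_len = f->eap_len - off;
    return 0;
}

/* RFC 5216: only the M bit says whether more fragments follow. A receiver
 * that waits for more data merely because L is present will stall. */
int eaptls_expect_more(const struct eaptls_frag *f)
{
    return f->more;
}

/* Sanity check on the advertised length. With L set and M clear the whole
 * TLS message is in this packet, so tls_len must equal data_len; with M set
 * this fragment must carry strictly less than the total. Without L there is
 * nothing to check. Returns 1 if consistent, 0 otherwise. */
int eaptls_length_consistent(const struct eaptls_frag *f)
{
    if (!f->has_len) return 1;
    if (f->more)     return f->data_len < f->tls_len;
    return f->tls_len == f->data_len;
}

/* Constructed sample: PEAP request, id 5, L set, M clear, 3 bytes of TLS
 * data and a TLS length field of 3 (the "L without M" shape the thread's
 * hypothesis describes). */
const uint8_t sample_l_only[] = {
    0x01, 0x05, 0x00, 0x0d, 0x19, 0x80,
    0x00, 0x00, 0x00, 0x03,
    0x16, 0x03, 0x01
};
/* Constructed sample: same payload with no L bit and no length field. */
const uint8_t sample_no_l[] = {
    0x01, 0x05, 0x00, 0x09, 0x19, 0x00,
    0x16, 0x03, 0x01
};
/* Constructed sample: first fragment of a 1000-byte message, L and M set. */
const uint8_t sample_l_and_m[] = {
    0x01, 0x06, 0x00, 0x0d, 0x19, 0xc0,
    0x00, 0x00, 0x03, 0xe8,
    0x16, 0x03, 0x01
};

int main(void)
{
    const uint8_t *pkts[] = { sample_l_only, sample_no_l, sample_l_and_m };
    const size_t lens[] = { sizeof sample_l_only, sizeof sample_no_l,
                            sizeof sample_l_and_m };
    for (size_t i = 0; i < 3; i++) {
        struct eaptls_frag f;
        if (eaptls_parse(pkts[i], lens[i], &f) != 0) {
            printf("packet %zu: malformed\n", i);
            continue;
        }
        printf("packet %zu: flags=0x%02x L=%d M=%d tls_len=%u data_len=%zu "
               "expect_more=%d consistent=%d\n",
               i, f.flags, f.has_len, f.more, f.tls_len, f.data_len,
               eaptls_expect_more(&f), eaptls_length_consistent(&f));
    }
    return 0;
}
```

Run against the three samples, the decoder reports expect_more=0 for both single-fragment packets whether or not L is present, and expect_more=1 only where M is set; eaptls_length_consistent is the check a supplicant could log when it sees L set, M clear and a length that does not match the data, which is the mismatch to look for when comparing a pre- and post-8a7f6e330f reply.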

