Certificate problem between 3.0.11 and 3.1.x
Matthew Newton
mcn4 at leicester.ac.uk
Sat Mar 19 03:16:18 CET 2016
On Sat, Mar 19, 2016 at 12:10:17AM +0000, Arran Cudbard-Bell wrote:
>
> > On 18 Mar 2016, at 23:22, Matthew Newton <mcn4 at leicester.ac.uk> wrote:
> >
> > Close. Think I may have found it. Have found the differences,
> > anyway.
>
> What's your supplicant, just we can make sure we're using roughly
> the same methodology.
>
> Mine is Windows 10 with PEAP outer EAP-TLS inner.
Unfortunately I'm working blind; I've not got a broken machine
with Windows. Hence a lot of hypotheses and not too many concrete
answers. :(
I've been running eapol_test and comparing the differences in
the replies between the two versions.
The original report was (an unspecified version of) Windows doing
PEAP/MSCHAPv2.
> > First confusing thing is the FreeRADIUS is only printing out the
> > first EAP-Message attribute in the debug output, hence the lengths
>
> Fixed the debug. Still used a stack buffer of 256 bytes.
Cool, thanks :)
> > My hypothesis would be a supplicant bug that sees the Length flag
> > set so erroneously expects more packets, but that should not be
> > the case because M was not set. It certainly works fine in
> > eapol_test both pre- and post-8a7f6e330f, so it seems down to the
> > way the particular supplicant processes the reply.
>
> No, something weirder. Even when fragmentation is required it hangs.
That is very odd.
I wonder if it's a combination of things - something broken before
that patch as well as the length being included. In which case
taking say v3.0 and artificially _adding_ the L flag and length
might be useful - if that works then there must also be other
differences. Inverse of my unlang hack. Cough, splutter.
> > and other packets are sent like this back to the
> > supplicant, hence guessing this change in behaviour is just
> > hitting one particular Windows supplicant in the wrong places.
>
> Yes. Have you got PEAP + TLS to run to completion before the
> patch? I suspect PEAP with MSCHAPv2 will, but PEAP with TLS
> (that still requires fragmentation), won't.
The only Windows machine I've got here at the moment is a VM, and
I haven't been able to work the hostapd-foo correctly yet to get
it to do wired 802.1X over a virtual network port. So I can't
currently test it :(
I have got a live server at the moment with Windows 7 clients
doing PEAP/EAP-TLS, so I know that works, but it's before
8a7f6e330f. So it probably doesn't help much.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
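The thread turns on the EAP-TLS/PEAP framing bits from RFC 5216: the L flag announces a 4-octet TLS Message Length, the M flag announces further fragments, and the disagreement is whether a reply that carries L (with length) but not M should be treated as complete. The following is an added example, not code from FreeRADIUS, eapol_test or anyone in this thread; it parses, builds, fragments and reassembles such packets so the two framings being compared (no L on an unfragmented message versus L plus length on every message, toggled here by the assumed `always_include_length` parameter) can be produced and inspected side by side. Function and class names are the example's own, the sample TLS payloads are constructed bytes, and the reassembler implements the RFC reading in which L with a matching length and M clear means "nothing more to wait for".

```python
"""Parse, fragment and reassemble EAP-TLS / PEAP packets (RFC 3748 EAP header, RFC 5216 flags)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP-TLS flag bits (RFC 5216 section 3.1); PEAP keeps these bits and uses the low two bits for its version
FLAG_L = 0x80  # Length included: a 4-octet TLS Message Length field follows the flags byte
FLAG_M = 0x40  # More fragments follow this one
FLAG_S = 0x20  # EAP-TLS Start

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_EAP_TLS, TYPE_PEAP = 13, 25


@dataclass
class EapTlsPacket:
    code: int
    identifier: int
    eap_type: int
    flags: int
    tls_message_length: Optional[int]  # only present on the wire when L is set
    tls_data: bytes

    @property
    def length_included(self) -> bool:
        return bool(self.flags & FLAG_L)

    @property
    def more_fragments(self) -> bool:
        return bool(self.flags & FLAG_M)


def parse_eap_tls(raw: bytes) -> EapTlsPacket:
    """Decode one EAP packet carrying EAP-TLS or PEAP; raise ValueError on malformed framing."""
    if len(raw) < 6:
        raise ValueError("too short for an EAP-TLS/PEAP packet")
    code, identifier, eap_length = struct.unpack("!BBH", raw[:4])
    if eap_length != len(raw):
        raise ValueError(f"EAP Length {eap_length} does not match {len(raw)} bytes on the wire")
    eap_type, flags = raw[4], raw[5]
    if eap_type not in (TYPE_EAP_TLS, TYPE_PEAP):
        raise ValueError(f"unexpected EAP type {eap_type}")
    offset, tls_message_length = 6, None
    if flags & FLAG_L:
        if len(raw) < 10:
            raise ValueError("L flag set but no TLS Message Length field present")
        tls_message_length = struct.unpack("!I", raw[6:10])[0]
        offset = 10
    return EapTlsPacket(code, identifier, eap_type, flags, tls_message_length, raw[offset:])


def build_eap_tls(code: int, identifier: int, eap_type: int, flags: int, tls_data: bytes,
                  tls_message_length: Optional[int] = None) -> bytes:
    """Encode an EAP packet; the TLS Message Length field is emitted only when L is set in flags."""
    body = bytes([eap_type, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", len(tls_data) if tls_message_length is None else tls_message_length)
    body += tls_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def fragment_tls_message(tls_msg: bytes, identifier: int, max_eap_len: int, eap_type: int = TYPE_PEAP,
                         always_include_length: bool = False) -> List[bytes]:
    """Split a TLS message into EAP Requests. L (with the total length) goes on the first fragment of a
    fragmented message, or on every message when always_include_length is set; M on all but the last."""
    chunk = max_eap_len - 10  # worst-case header: 4 EAP + type + flags + 4-octet length
    pieces = [tls_msg[i:i + chunk] for i in range(0, len(tls_msg), chunk)] or [b""]
    packets = []
    for i, piece in enumerate(pieces):
        flags = 0
        if i == 0 and (len(pieces) > 1 or always_include_length):
            flags |= FLAG_L
        if i < len(pieces) - 1:
            flags |= FLAG_M
        packets.append(build_eap_tls(EAP_REQUEST, (identifier + i) & 0xFF, eap_type, flags, piece, len(tls_msg)))
    return packets


def ack_response(identifier: int, eap_type: int = TYPE_PEAP) -> bytes:
    """Empty EAP Response a peer sends to acknowledge a fragment (flags clear, no TLS data)."""
    return build_eap_tls(EAP_RESPONSE, identifier, eap_type, 0, b"")


class Reassembler:
    """Peer-side reassembly per RFC 5216: L with a length equal to the buffered payload and M clear
    is a complete message, not a promise of more fragments."""

    def __init__(self) -> None:
        self.buffer = bytearray()
        self.expected: Optional[int] = None

    def feed(self, raw: bytes) -> Optional[bytes]:
        """Consume one packet; return the full TLS message once the last fragment arrives, else None."""
        pkt = parse_eap_tls(raw)
        if pkt.length_included and self.expected is None:
            self.expected = pkt.tls_message_length
        self.buffer += pkt.tls_data
        if self.expected is not None and len(self.buffer) > self.expected:
            raise ValueError("received more TLS data than the announced TLS Message Length")
        if pkt.more_fragments:
            return None  # wait for the rest; an ack_response() would be sent back here
        if self.expected is not None and len(self.buffer) != self.expected:
            raise ValueError(f"final fragment arrived with {len(self.buffer)} of {self.expected} announced bytes")
        msg, self.buffer, self.expected = bytes(self.buffer), bytearray(), None
        return msg
```

Feeding a single packet built with `always_include_length=True` through `Reassembler.feed` returns the whole message at once, which is the behaviour eapol_test shows in the thread; a reader that instead waited for more data after seeing L would hang exactly as described, and the `ValueError` on a length that does not match the payload is the check a strict supplicant applies when L and M disagree.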