eap-fast: using eap-fast-mschapv2 in anonymous tunnel
Alan DeKok
aland at deployingradius.com
Sat Sep 23 03:47:44 CEST 2017
On Sep 22, 2017, at 9:05 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> I've been trying to test eap-fast unauthenticated provisioning (RFC
> 5422), and was getting mschap errors, for which I think I found a fix
> - see attached patch (v3.0x).
>
> With this patch, the mschap authentication stage succeeds using
> eapol_test and a tunnel-pac is provisioned (while the first eapol
> exchange ends with reject as allowed by the RFC, the subsequent
> authentication succeeds using the newly provisioned pac).
That looks good, thanks.
> My eapol_test config (my server config is almost untouched):
> network={
>     ssid="eap-fast-test"
>     key_mgmt=WPA-EAP
>     eap=FAST
>     anonymous_identity="FAST-000102030405"
>     identity="bob"
>     password="hello"
>     phase1="fast_provisioning=1"
>     pac_file="/local/file"
> }
>
> I also tried out the v4.0x branch but encountered some other issues.
> First had to add a cast to float when comparing with tls_max_version
> (inst->tls_conf->tls_max_version > (float) 1.1), as otherwise:
> float x = 1.1; if (x > 1.1) yields true for some reason.
Floats are notorious for that kind of thing...
> Then however, I get a crash which I can't figure out so far - logs with
> back-trace attached.
That's a straightforward infinite recursion. I've pushed a fix.
Alan DeKok.
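
The float comparison discussed in the thread, as an added example that is not part of the original messages or of the FreeRADIUS source: a float holding 1.1 is promoted to double before being compared with the double literal 1.1, and the promoted value is slightly larger, so a TLS version gate written that way takes the wrong branch. The function names and the integer encoding in version_code() are assumptions made for this illustration.

```c
#include <stdio.h>

/* The comparison quoted in the message: the float is promoted to double,
 * so 1.1f (about 1.10000002384) is compared against the double 1.1. */
static int exceeds_1_1_naive(float max_version) { return max_version > 1.1; }

/* The cast described in the message: both sides are rounded to float. */
static int exceeds_1_1_cast(float max_version) { return max_version > (float) 1.1; }

/* Hypothetical alternative: parse "major.minor" into an integer so the
 * comparison is exact. The encoding is an assumption of this example. */
static int version_code(const char *s)
{
    int major = 0, minor = 0;

    if (sscanf(s, "%d.%d", &major, &minor) != 2) return -1; /* malformed input */
    return (major << 8) | minor;
}

static int exceeds_1_1_int(const char *s)
{
    return version_code(s) > version_code("1.1");
}

int main(void)
{
    float x = 1.1f; /* same stored value as "float x = 1.1;" in the message */

    printf("float 1.1 as double: %.17g, double 1.1: %.17g\n", (double) x, 1.1);
    printf("naive: %d  cast: %d  integer: %d\n",
           exceeds_1_1_naive(x), exceeds_1_1_cast(x), exceeds_1_1_int("1.1"));
    return 0;
}
```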