Unable to decipher what's coming back via a PEAP tunnel

Alan DeKok aland at deployingradius.com
Sun Jan 12 14:57:02 CET 2020

On Jan 10, 2020, at 3:22 AM, Joe Garcia <joe27256 at gmail.com> wrote:
> I'm working with a third-party app that authenticates to a FreeRADIUS server
> via MSCHAPv2 over PEAP and need to update a few parts of it, but I can't
> figure out what FreeRADIUS is sending over the PEAP tunnel when it's not
> sending MSCHAPv2 data.  The current code doesn't try and break down the
> messages, possibly because my predecessor also couldn't figure out what they
> were, but there's now a requirement to do this.
> The initial Identity Request sent by FreeRADIUS over the PEAP tunnel is:
>  01       // Identity-Request
>  06       // ?
>  00 05    // length = 5
>  01       // ?

  That's EAP.  See RFC 3748.

Q: How do you know that 0x01 is an identity request?
A:  Because it's EAP.  0x01 is an EAP identity request...

> The Identity Request sent by FreeRADIUS over the PEAP tunnel in response to an
> incorrect identity in the MSCHAPv2 process, i.e. what you get instead of an
> MSCHAPv2 response, is:
>  01       // Identity-Request
>  08       // ?
>  00 0B    // length = 11
>  21 80 03 00 02 00 02 // ?

  That's EAP.  Mostly... MS does stupid things inside of the PEAP tunnel.

> Problem is I can't translate these messages into anything useful (the field
> names I've used above are guesswork), this doesn't correspond to any message
> format that I can identify, RADIUS, EAP, DIAMETER, PEAP, there are bits and
> pieces in there that could correspond to various things like EAP and RADIUS,
> and the byte string starting 0x21 could be a MS-Authentication-TLV but what
> follows doesn't match draft-hiller-eap-tlv-01.txt, and it also doesn't work as
> an EAP-Request, also 0x21.
> Can anyone tell me what format this is?

  It's EAP.  The EAP header is only 4 bytes.  And while the code in FreeRADIUS isn't perfect, you should be able to follow it.  It's well commented, and describes exactly what it's doing.

  Just looking for "0x21" or "33" in peap.c is informative:

	 *  Since the full EAP header is sent for the EAP Extensions type (Type 33),

  That code is extensively commented.  It describes what each byte is, and what it means.

  I don't look at the PEAP implementation every day, so I'm not 100% up to speed with it.  But simply searching for relevant text will get you the right information, 99% of the time.  I know, because that's what *I* do.  I can't be bothered to remember everything about the code.  Instead, I just search for keywords, and find the right information.

  Alan DeKok.
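
The two byte strings quoted in this thread, decoded with the 4-byte EAP header from RFC 3748 (Code, Identifier, Length) followed by the Type byte. This is an added example, not code from the post or from FreeRADIUS. It assumes the full EAP header is present, as in both dumps above, and the TLV layout (16-bit flags/type, 16-bit length, Result TLV type 3 with status 1 or 2) is taken from the PEAPv0 draft, not from the thread.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPES = {1: "Identity", 26: "MS-CHAPv2", 33: "EAP Extensions"}
RESULT_STATUS = {1: "Success", 2: "Failure"}  # Result TLV values (PEAPv0 draft)

def parse_tlvs(data: bytes) -> list:
    """Walk the TLVs carried inside an EAP Extensions (Type 33) packet."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated TLV header")
        flags_type, tlv_len = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("TLV value runs past the end of the packet")
        tlv = {"mandatory": bool(flags_type & 0x8000),  # top bit is the M flag
               "type": flags_type & 0x3FFF,             # low 14 bits are the TLV type
               "value": value}
        if tlv["type"] == 3 and tlv_len == 2:           # Result TLV
            status = int.from_bytes(value, "big")
            tlv["result"] = RESULT_STATUS.get(status, f"unknown({status})")
        tlvs.append(tlv)
        off += 4 + tlv_len
    return tlvs

def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"EAP length {length} does not fit {len(packet)} bytes")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type byte
        etype, data = packet[4], packet[5:length]
        out["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        out["data"] = data
        if etype == 33:
            out["tlvs"] = parse_tlvs(data)
    return out

# The two dumps quoted in the thread.
FIRST = bytes.fromhex("01 06 00 05 01")
SECOND = bytes.fromhex("01 08 00 0b 21 80 03 00 02 00 02")

if __name__ == "__main__":
    for pkt in (FIRST, SECOND):
        print(parse_eap(pkt))
```
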

More information about the Freeradius-Users mailing list