Hello again

I haven't received a reply to my question. Please redirect me to another email alias if this is not the correct forum for this question.

thanks and regards

On 26 April 2017 at 14:48, Arne Bier <arnebier@xxxxxxxxx> wrote:
>
> Hi
>
> I just recently discovered wpa_supplicant and I am a big fan - my use
> case was to find a mechanism to test radius servers without using any
> real networking infrastructure - hence, I gravitated to eapol_test
>
> It's working really well except for one use case: when testing
> eap-peap authentications I am unable to go into interactive mode to
> simulate a user typing in a wrong credential (which causes the
> authenticating server to issue an EAP Challenge response). eapol_test
> doesn't handle this challenge and then the EAP conversation times out.
> It would be useful to test the case where a user provides the
> incorrect credentials, and have the authenticating server exhaust his
> attempts and return an Access-Reject (for example).
>
> Currently with one (wrong) credential eapol_test fails as follows
>
> EAP-MSCHAPV2: error 691
> EAP-MSCHAPV2: retry is allowed
> EAP-MSCHAPV2: failure challenge - hexdump(len=16): 75 0f 88 f7 73 1a
> 31 57 f9 48 6a 75 65 87 a3 1b
> EAP-MSCHAPV2: password changing protocol version 3
> EAP-MSCHAPV2: failure message: '' (retry allowed, error 691)
> EAPOL: EAP parameter needed
> EAPOL: EAP parameter needed
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: startWhen --> 0
> EAPOL test timed out
> EAPOL: EAP key not available
> EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
> ENGINE: engine deinit
> MPPE keys OK: 0 mismatch: 1
> FAILURE
>
> But my radius server never receives an Access-Reject, since the EAP
> conversation got abandoned.
>
> I have tried to see whether I could use wpa_cli, but it seems that it
> relies on wpa_supplicant, and hence, a real wireless adapter.
>
> How tricky/easy would it be to add an interactive mode to eapol_test?
> Or failing that, the ability to specify multiple credentials that one
> could enter into the .conf file
>
> network={
>     ssid="example"
>     key_mgmt=WPA-EAP
>     eap=PEAP
>     identity="bob"
>     anonymous_identity="anonymous"
>     password="mysupersecretpassword"
>     phase2="autheap=MSCHAPV2"
>     #
>     # Would this work, to get eapol_test to engage in EAP Challenge?
>     # password2="myotherpassword"
>     # password3="lasttry"
>
> thanks and regards
> Arne
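
The log quoted above shows the server's MS-CHAPv2 failure being decoded (error 691, retry allowed, a 16-byte challenge). The following is an added illustration, not part of the original message and not wpa_supplicant's code: it parses that failure text in the RFC 2759 format and reports whether continuing requires another password. The struct, the function names and the sample string rebuilt from the logged values are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MS-CHAPv2 Failure text (RFC 2759, section 6):
 * "E=<error> R=<0|1> C=<32 hex digits> V=<version> M=<message>"
 * V= and M= are not needed for the retry decision and are not parsed. */
struct mschapv2_failure {
    int error;                   /* 691 = authentication failure */
    int retry_allowed;           /* R=1: the server permits a retry */
    unsigned char challenge[16]; /* challenge to answer on the retry */
};

/* Returns 0 on success, -1 if E=, R= or C= is missing or malformed. */
int parse_mschapv2_failure(const char *s, struct mschapv2_failure *f)
{
    const char *p;

    memset(f, 0, sizeof(*f));
    if (strncmp(s, "E=", 2) != 0)
        return -1;
    f->error = atoi(s + 2);
    if ((p = strstr(s, " R=")) == NULL || (p[3] != '0' && p[3] != '1'))
        return -1;
    f->retry_allowed = (p[3] == '1');
    /* strspn stops at the first non-hex character, including the NUL. */
    if ((p = strstr(p, " C=")) == NULL ||
        strspn(p + 3, "0123456789abcdefABCDEF") < 32)
        return -1;
    for (int i = 0; i < 16; i++) {
        char pair[3] = { p[3 + 2 * i], p[4 + 2 * i], '\0' };
        f->challenge[i] = (unsigned char) strtoul(pair, NULL, 16);
    }
    return 0;
}

/* Hypothetical helper: continuing needs another password from the tester. */
int needs_new_password(const struct mschapv2_failure *f)
{
    return f->error == 691 && f->retry_allowed;
}

/* Constructed sample: the field values are the ones in the log above. */
static const char SAMPLE[] = "E=691 R=1 C=750f88f7731a3157f9486a756587a31b V=3 M=";

int main(void)
{
    struct mschapv2_failure f;
    int rc = parse_mschapv2_failure(SAMPLE, &f);
    printf("rc=%d error=%d retry=%d\n", rc, f.error, needs_new_password(&f));
    return rc != 0;
}
```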