Thank you for the explanation about MS-MPPE-Recv-Key and MS-MPPE-Send-Key being the two VSAs that I am seeing in the eapol_test output. As they are encrypted, that explains why they are different every time.

Unfortunately my other VSA doesn't show up at all when using EAP-PEAP-MSCHAPv2. It's not a matter of decoding the hex or reading the dictionary; the problem is that the VSA simply is not there in the eapol_test output. When I use EAP-TTLS-PAP or EAP-MSCHAPv2, the VSA does show up in the eapol_test output and is easy to decode in hex.

My eapol_test output is being fed into another program for testing. That is why wireshark would not be a good solution here; I need the output to come out of the eapol_test client.

You had mentioned "a) read the VSAs as raw hex on hostap". Could you please explain a little further how this would be done using hostap?

Thank you.

Jude George

On Fri, Dec 15, 2023 at 5:41 AM Alan DeKok <aland@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Dec 14, 2023, at 8:00 PM, Jude George <jude.george@xxxxxxxxxxxx> wrote:
> > The RADIUS server (FreeRADIUS) authenticates the client, and I can see
> > from the server output that it is sending a vendor-specific-attribute
> > (VSA) for this user. However, the eapol_test output does not show this
> > VSA. Ironically, it does show two other VSAs, regardless of whether I
> > configure a VSA for this user on the server.
>
> The two VSAs are MS-MPPE-Recv-Key, and MS-MPPE-Send-Key. They're part of the EAP standards. Almost all EAP methods will result in these attributes being sent in an Access-Accept.
>
> The attributes depend on various cryptographic calculations, so they will be different on every authentication attempt.
>
> > How can I get my true VSA to show up in eapol_test's output when I use
> > EAP-PEAP-MSCHAPv2?
>
> Use wireshark.
>
> FreeRADIUS ships with over 100 dictionaries, with nearly 10,000 VSAs. hostap / eapol_test doesn't include those dictionaries, and therefore doesn't do any VSA decoding. So it just prints them as hex.
>
> The choices here are:
>
> a) read the VSAs as raw hex on hostap
>
> b) use wireshark to look at the packet trace. wireshark includes the FreeRADIUS dictionaries, so it decodes the attributes
>
> c) patch the hostap source to read and use the FreeRADIUS dictionaries.
>
> But the better question is if you already have access to the FreeRADIUS side, why do you need to see the VSAs on the client side?
>
> Alan DeKok.
>

--
This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.
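Option (a) in the quoted reply, reading the VSAs as raw hex, comes down to parsing the RADIUS Vendor-Specific attribute (type 26) yourself once you have the attribute bytes as hex. The following is an added example written for this page; it is not code from hostap, eapol_test or FreeRADIUS and is not part of the thread. It assumes you have the Access-Accept attribute bytes as a hex string (copied from the client's output or a capture), that the vendor payload uses the Vendor-Type/Vendor-Length sub-attribute layout that RFC 2865 recommends and that FreeRADIUS and Microsoft use, and it hard-codes only the two Microsoft entries the thread mentions (vendor id 311, types 16 and 17, per RFC 2548). The sample bytes, the vendor id 12345 and the "role=admin" value are constructed for the demonstration.

```python
import struct
from typing import Iterator, Optional

VENDOR_SPECIFIC = 26  # RADIUS attribute type for Vendor-Specific (RFC 2865 s5.26)

# Minimal dictionary, constructed for this example: the two Microsoft VSAs the
# thread discusses (RFC 2548, vendor id 311). Everything else decodes as "unknown".
KNOWN_VSAS = {
    (311, 16): "MS-MPPE-Send-Key",
    (311, 17): "MS-MPPE-Recv-Key",
}

# Constructed sample attribute list (hex), not real eapol_test output:
#   01 06 "jude"                      User-Name
#   1a 0e 00000137 10 08 8001deadbeef  Vendor-Specific, vendor 311, type 16 (short fake MPPE payload)
#   1a 12 00003039 01 0c "role=admin"  Vendor-Specific, vendor 12345 (hypothetical), type 1
SAMPLE_HEX = (
    "01066a756465"
    "1a0e00000137" "1008" "8001deadbeef"
    "1a1200003039" "010c" "726f6c653d61646d696e"
)


def parse_attrs(data: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (type, value) pairs from a RADIUS attribute list (Type, Length, Value)."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        # Length covers the 2-byte header; anything shorter or overrunning is malformed.
        if alen < 2 or off + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        yield atype, data[off + 2 : off + alen]
        off += alen


def parse_vsa(value: bytes) -> tuple[int, list[tuple[int, bytes]]]:
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, data), ...]).

    RFC 2865 only mandates the 4-byte Vendor-Id; the Vendor-Type/Vendor-Length
    sub-attribute layout after it is the recommended form and is assumed here.
    """
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    off = 4
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[off], value[off + 1]
        if vlen < 2 or off + vlen > len(value):
            raise ValueError(f"bad vendor sub-attribute length {vlen} at offset {off}")
        subs.append((vtype, value[off + 2 : off + vlen]))
        off += vlen
    return vendor_id, subs


def _as_text(data: bytes) -> Optional[str]:
    """Return the payload as ASCII if it is printable text, else None (e.g. key material)."""
    if data and all(32 <= b < 127 for b in data):
        return data.decode("ascii")
    return None


def describe_vsas(hex_attrs: str) -> list[dict]:
    """Return one record per vendor sub-attribute found in a hex attribute dump."""
    records = []
    for atype, value in parse_attrs(bytes.fromhex(hex_attrs)):
        if atype != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        for vtype, data in subs:
            records.append({
                "vendor_id": vendor_id,
                "vendor_type": vtype,
                "name": KNOWN_VSAS.get((vendor_id, vtype), "unknown"),
                "hex": data.hex(),
                "text": _as_text(data),
            })
    return records


def vsa_present(hex_attrs: str, vendor_id: int, vendor_type: int) -> bool:
    """True if the given vendor/type pair appears anywhere in the attribute dump."""
    return any(r["vendor_id"] == vendor_id and r["vendor_type"] == vendor_type
               for r in describe_vsas(hex_attrs))


if __name__ == "__main__":
    for rec in describe_vsas(SAMPLE_HEX):
        print(rec)
```

The parser rejects attribute or sub-attribute lengths that are below two or overrun the buffer, since a downstream test harness that blindly trusts lengths is the usual place a malformed Access-Accept causes trouble. `vsa_present` is the check a test program fed from the client output would actually want: a yes/no on whether the expected vendor id and type arrived, independent of the MPPE key values that change on every run.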
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap