Recent RADIUS pending request change breaks eapol_test

This recent commit from 2025-01-25 seems to break eapol_test:
    RADIUS: Drop pending request only when accepting the response
    https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44

In short: The second RADIUS round trip triggers the following log
message from eapol_test:
    No matching RADIUS request found (type=0 id=1) - dropping packet

eapol_test does not exit after the above message but continues to wait
for the reply that never arrives. It exits after the timeout (and
honours the -t command line option) or when Ctrl-C is pressed. When
eapol_test is compiled with the previous commit, it works normally.

This is reproducible with at least Radiator and FreeRADIUS. Below is a
log produced with FreeRADIUS 3.2.7 freshly installed on a Mac from
Homebrew. The only change in FreeRADIUS configuration was to enable
the users file entry for 'bob':

    bob Cleartext-Password := "hello"
    Reply-Message := "Hello, %{User-Name}"

eapol_test configuration file:

% cat eapol-eap-md5.conf
network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        eap=MD5
        #eap=GTC
        identity="bob"
        password="hello"
}

This is the locally compiled eapol_test:

./eapol_test-2.12-devel -v
eapol_test v2.12-devel-hostap_2_11-554-g726432d76

The full log from eapol_test follows. If the eapol_test configuration
is changed to use EAP-GTC instead, eapol_test NAKs EAP-MD5 FreeRADIUS
suggests and asks for EAP-GTC instead. eapol_test then logs the same
'No matching RADIUS request found ...' error and stops the dialogue.
In other words, failure occurs again after the second roundtrip. This
was originally noticed with EAP-TLS and Radiator. With EAP-TLS
eapol_test also cannot continue after two roundtrips.

Here's the full log showing an EAP-MD5 attempt against FreeRADIUS. To
reiterate, I don't think this is a RADIUS server problem, but relates
to the aforementioned hostap commit.

% ./eapol_test-2.12-devel -c eapol-eap-md5.conf -s testing123
Reading configuration file 'eapol-eap-md5.conf'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=7):
     65 64 75 72 6f 61 6d                              eduroam
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=3):
     62 6f 62                                          bob
password - hexdump_ascii(len=5):
     68 65 6c 6c 6f                                    hello
Priority group 0
   id=0 ssid='eduroam'
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:64196
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=158 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=3):
     62 6f 62                                          bob
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=8)
TX EAP -> RADIUS - hexdump(len=8): 02 9e 00 08 01 62 6f 62
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=3): 62 6f 62
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=120
   Attribute 80 (Message-Authenticator) length=18
      Value: 0d140b13ebdeb20b2bce6ed95a6bcef8
   Attribute 1 (User-Name) length=5
      Value: 'bob'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=10
      Value: 029e000801626f62
RADIUS: Send 120 bytes to the server
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 80 (Message-Authenticator) length=18
      Value: 91ba4bd72acc1e3943a9e5942527c126
   Attribute 79 (EAP-Message) length=24
      Value: 019f00160410ee71406c9ab65b0acde0e89264cb8041
   Attribute 24 (State) length=18
      Value: 2e64bb522efbbf5ebc29b9c9b8907731
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=159 len=22) from RADIUS server:
EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=159 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4
EAP: Status notification: accept proposed method (param=MD5)
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): ee 71 40 6c 9a b6 5b 0a cd e0 e8 92 64 cb 80 41
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): a3 d2 98 7d 39 24 e0 d8 ca 06 3e eb b0 6d 25 fd
EAP: method process -> ignore=FALSE methodState=DONE decision=COND_SUCC eapRespData=0x600001b64000
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=22)
TX EAP -> RADIUS - hexdump(len=22): 02 9f 00 16 04 10 a3 d2 98 7d 39 24 e0 d8 ca 06 3e eb b0 6d 25 fd
Encapsulating EAP message into a RADIUS packet
  Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=152
   Attribute 80 (Message-Authenticator) length=18
      Value: f44b6abb07e790689bb91e43ce15665a
   Attribute 1 (User-Name) length=5
      Value: 'bob'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=24
      Value: 029f00160410a3d2987d3924e0d8ca063eebb06d25fd
   Attribute 24 (State) length=18
      Value: 2e64bb522efbbf5ebc29b9c9b8907731
RADIUS: Send 152 bytes to the server
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 49 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=1 length=49
   Attribute 80 (Message-Authenticator) length=18
      Value: 5a0a98bd764229fc43eaab7b43f9a4ac
   Attribute 79 (EAP-Message) length=6
      Value: 039f0004
   Attribute 1 (User-Name) length=5
      Value: 'bob'
No matching RADIUS request found (type=0 id=1) - dropping packet
EAPOL: startWhen --> 0
^CSignal 2 received - terminating
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (4, MD5) at EAP deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


-- 
Heikki Vatiainen
hvn@xxxxxxxxxxxxxxxxxxxx

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
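
Added example, not part of the original message and not hostap code: a small triage script for eapol_test debug logs in the format shown above. For every "No matching RADIUS request found" line it checks whether the dropped reply's identifier belongs to an Access-Request the client sent and never matched, which separates a client-side request-tracking problem from an unsolicited server reply. The function name, verdict labels and the abridged sample log are constructed for illustration.

```python
import re

# Constructed sample: abridged lines in the format of the eapol_test log above.
SAMPLE_LOG = """\
RADIUS message: code=1 (Access-Request) identifier=0 length=120
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request
RADIUS message: code=1 (Access-Request) identifier=1 length=152
RADIUS message: code=2 (Access-Accept) identifier=1 length=49
No matching RADIUS request found (type=0 id=1) - dropping packet
"""

MSG_RE = re.compile(r"^RADIUS message: code=(\d+) \(([\w-]+)\) identifier=(\d+)")
DROP_RE = re.compile(r"^No matching RADIUS request found \(type=\d+ id=(\d+)\)")
MATCHED = "Received RADIUS packet matched with a pending"


def triage(log_text):
    """Return (identifier, reply_name, verdict) for each dropped RADIUS reply.

    verdict is "client-lost-request" when the log shows an Access-Request with
    that identifier was sent and never matched, else "unsolicited-reply".
    """
    outstanding = set()  # identifiers of sent Access-Requests not yet matched
    last_reply = None    # (identifier, name) of the most recent server reply
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MSG_RE.match(line)
        if m:
            code, name, ident = int(m.group(1)), m.group(2), int(m.group(3))
            if code == 1:                 # Access-Request sent by the client
                outstanding.add(ident)    # retransmits reuse the identifier
            else:                         # Challenge / Accept / Reject received
                last_reply = (ident, name)
            continue
        if MATCHED in line and last_reply:
            outstanding.discard(last_reply[0])  # reply accepted by the client
            continue
        m = DROP_RE.match(line)
        if m:
            ident = int(m.group(1))
            known = last_reply is not None and last_reply[0] == ident
            name = last_reply[1] if known else "unknown"
            lost = ident in outstanding
            verdict = "client-lost-request" if lost else "unsolicited-reply"
            findings.append((ident, name, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "client-lost-request" verdict means the server answered a request the log shows was sent, so the drop points at the client's pending-request tracking rather than at the RADIUS server.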


