Hi,
Here's how I do it. I don't know of a test client that can easily build a RADIUS Access-Request with an EAP-Message - if anybody does please let us know. The radclient program supplied with FreeRADIUS can add an EAP-Message attribute but you have to code it yourself in hex. Here's how I send an EAP/Response/Identity:


$ radclient -f eapRspId.txt -r 1 localhost auth testing

The eapRspId.txt file looks like this:
-------------------
[EMAIL PROTECTED], Message-Authenticator=xxx, EAP-Message="0x020100210131393230353332323830303230333130407472616e7361742e636f6d"


# EAP-Resp/id=1/type=Identity/[EMAIL PROTECTED]
------------------

I put the comment last because radclient stops as soon as it sees a comment. Another thing to keep in mind. FreeRADIUS will set the RADIUS State attribute in all challenge messages to some random value, but you'll need to use the same value in the State attribute of the response. If you're using hard coded message files like this, adding a different State value every time would be a pain, so I use a test patch in rlm_eap/state.c that sets State to some known value like "state1", "state2", etc., throughout the challenge sequence, and another in my rlm_eap_<type> to restart back to "state1" when EAP-Success or Failure is sent. You can keep the state number in a global variable. This lets you hard code the State value in the eapRspXxx.txt message file. I now turn the patch on at compile time with a flag, but someday I'd like to make it configurable in radiusd.conf.

Dave
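
The hand-coded EAP-Message hex in the message above follows the EAP packet layout: code, identifier, 2-byte length, type, data. As an added example (not part of the original post and not FreeRADIUS code), this builds that value for an EAP-Response/Identity and parses it back to check the length field; the function names and the identity test1@example.org are constructed for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253  # value bytes one RADIUS attribute can carry


def build_identity_response(identifier, identity):
    """Return the EAP-Response/Identity packet as a radclient hex value."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP identifier is a single byte")
    data = identity.encode("utf-8")
    length = 5 + len(data)  # code, id, 2-byte length, type, then identity
    if length > MAX_ATTR_VALUE:
        raise ValueError("too long for a single EAP-Message attribute")
    header = struct.pack("!BBHB", 2, identifier, length, EAP_TYPE_IDENTITY)
    return "0x" + (header + data).hex()


def parse_eap(hex_value):
    """Decode a hex EAP-Message value and check its length field."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field says {length}, packet has {len(raw)} bytes")
    packet = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type
        packet["type"] = raw[4]
        packet["data"] = raw[5:]
    return packet


if __name__ == "__main__":
    value = build_identity_response(1, "test1@example.org")  # constructed identity
    print(f'EAP-Message="{value}"')
    print(parse_eap(value))
```

The EAP identifier in a response has to match the identifier of the request it answers, so a hard-coded file only works when the server's challenge sequence is predictable.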

claufer writes:

Hello,
Thanks for the quick response, Alan!
I'm sorry! You're right, maybe sometimes I need someone else to open my blind eyes.
I guess there is no testing tool where I can send an EAP message with, or is there?

regards,
cl




Alan DeKok wrote:


claufer <[EMAIL PROTECTED]> wrote:


Below here I'll just describe what I did so far:

I added two users in the /raddb/users file:
test1    Auth-Type := eap, User-Password == "test1pwd"
         ^^^^^^^^^^^^^^^^
  Do NOT do that.  The EAP module will decide whether or not to do
EAP.


After configuring I did:
# radtest test1 test1pwd localhost 0 localpwd
Sending Access-Request of id 172 to 127.0.0.1:1812
       User-Name = "test1"
       User-Password = "test1pwd"
       NAS-IP-Address =3D wlan
       NAS-Port =3D 0


  There's no EAP-Message in that packet.


rlm_eap: EAP-Message not found


  So the EAP module doesn't do anything with it.


Why isn't the first user working with Auth-Type := eap ?


  Because you didn't give it a request containing EAP.  The error
messages you posted to the list said exactly what went wrong, and you
should have read them.
  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html






