Hello,

I think FreeRADIUS does not comply with RFC 3579 with respect to the EAP-Start packet.

RFC 3579 says that an empty EAP-Message attribute signifies the EAP-Start. To me this means the following attribute hex: 0x4f 0x02

An evaluation copy of Steel Belted RADIUS takes 0x4f 0x02 as a valid EAP start; on receipt it sends back an Access-Challenge with an EAP-Request for Identity.

FreeRADIUS does not accept this 2 byte hex attribute as an EAP-Start but needs 0x4f 0x04 0x01 0x01. If I send the above 4 byte EAP-Message to Steel Belted, it returns a reject and logs that it got an invalid EAP-Message. If FreeRADIUS is sent the short two byte EAP-Start that Steel Belted likes, then it does not interpret it as an EAP-Start.

I just wanted to share my findings. Do the FreeRADIUS developers have a GPL software tool that can be used to generate RADIUS requests?

Thanks,
Martin.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 05 May 2004 10:59
> To: [EMAIL PROTECTED]
> Subject: RE: EAP-Message attribute.
>
> Alan,
>
> The problem I was having is fixed in the latest CVS snapshot.
> The old version of eap.c was printing out the EAP code as the identity.
>
> >> Nothing. Use the latest CVS snapshot. 0.9.0 is *very* old.
>
> DEBUG2(" rlm_eap: EAP packet type %s id %d length %d",
>        eap_types[eap_msg->strvalue[0]],
>        eap_msg->strvalue[1],
>        (eap_msg->strvalue[2] << 8) | eap_msg->strvalue[3]);
>
> The new (correct) version uses
>
> DEBUG2(" rlm_eap: EAP packet type %s id %d length %d",
>        eap_codes[eap_msg->strvalue[0]],
>        eap_msg->strvalue[1],
>        eap_msg->length);
>
> That is where my confusion came from.
>
> Thanks very much.
>
> Martin.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> > Sent: 04 May 2004 20:58
> > To: [EMAIL PROTECTED]
> > Subject: Re: EAP-Message attribute.
> >
> > <[EMAIL PROTECTED]> wrote:
> > > Question 1. RFC 3579 states that "EAP-Start is indicated by sending
> > > an EAP-Message attribute with a length of 2 (no data)". I interpret
> > > this to be the following two bytes '0x49 0x02'.
> >
> > Hmm... I think that's a typo, or, at least, it's not the way most
> > clients work.
> >
> > > But when I send a packet
> > > containing such an attribute to freeradius it does not see it as an
> > > EAP start.
> > > Below is the packet that was sent to free radius
> > ...
> > > rad_recv: Access-Request packet from host 10.230.199.211:33118, id=1,
> > > length=92
> > > User-Name = "DNIS:123456789"
> > > NAS-IP-Address = 1.2.3.4
> > > Service-Type = Call-Check
> > > Called-Station-Id = "0123456789"
> > > Calling-Station-Id = "0123456789"
> > > EAP-Message = 0x
> >
> > Which is an empty EAP message. It appears to satisfy the RFCs, but
> > I don't think any client behaves that way.
> >
> > Most EAP clients use a two-byte EAP packet, which means a RADIUS
> > EAP-Message of length 4.
> >
> > > To get around this I send the EAP-Message 0x4f 0x0c 0x01 0xff
> > >
> > > rlm_eap: EAP packet type identity id 255 length 0
> > > rlm_eap: Got EAP_START message
> > > modcall[authorize]: module "eap" returns handled
> > >
> > > Am I reading the RFC wrong?
> >
> > I don't think so, but in ~2 years of using the EAP module, this has
> > never come up before.
> >
> > > I send the following EAP-Message
> > > Radius-Attribute = 0x 4f 0c 02 ff 00 0a 01 68 65 6c 6c 6f
> > > This is an EAP-Message with code=Response and Type = Identity, however the
> > > debug states that the type is notification. What am I doing wrong?
> >
> > Nothing. Use the latest CVS snapshot. 0.9.0 is *very* old.
> >
> > Alan DeKok.
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
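The attribute forms discussed in this thread, run through a bounds-checked classifier. This is an added example, not code from FreeRADIUS or Steel Belted RADIUS; the names classify_eap_attr, eap_code_name and enum eap_kind are hypothetical. It assumes the whole EAP packet sits in one EAP-Message attribute (no fragmentation), and it reports the two-byte-payload form separately so that the caller decides whether to treat it as a start.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RADIUS_ATTR_EAP_MESSAGE 79      /* 0x4f */

enum eap_kind { EAP_MALFORMED, EAP_START, EAP_SHORT, EAP_PACKET };
struct eap_hdr { uint8_t code, id; uint16_t length; };

/* Attribute bytes quoted in the thread, plus one constructed bad case. */
static const uint8_t attr_empty[]  = { 0x4f, 0x02 };
static const uint8_t attr_2byte[]  = { 0x4f, 0x04, 0x01, 0x01 };
static const uint8_t attr_ident[]  = { 0x4f, 0x0c, 0x02, 0xff, 0x00, 0x0a,
                                       0x01, 0x68, 0x65, 0x6c, 0x6c, 0x6f };
static const uint8_t attr_badlen[] = { 0x4f, 0x06, 0x02, 0x01, 0x00, 0x40 }; /* constructed */

/* Bounded lookup: a wire byte never indexes the name table unchecked. */
static const char *eap_code_name(uint8_t code)
{
    static const char *const names[] = { "request", "response", "success", "failure" };
    return (code >= 1 && code <= 4) ? names[code - 1] : "unknown";
}

/* Classify one attribute in buf[0..buflen); *h is meaningful only for EAP_PACKET. */
static enum eap_kind classify_eap_attr(const uint8_t *buf, size_t buflen, struct eap_hdr *h)
{
    if (buflen < 2 || buf[0] != RADIUS_ATTR_EAP_MESSAGE) return EAP_MALFORMED;
    size_t alen = buf[1];                /* counts the type and length bytes too */
    if (alen < 2 || alen > buflen) return EAP_MALFORMED;
    size_t dlen = alen - 2;
    if (dlen == 0) return EAP_START;     /* RFC 3579: length 2, no data */
    if (dlen < 4) return EAP_SHORT;      /* shorter than a 4-byte EAP header */
    h->code = buf[2];
    h->id = buf[3];
    h->length = (uint16_t)((buf[4] << 8) | buf[5]);
    /* Assumption: no fragmentation, so the EAP length must fit this attribute. */
    if (h->length < 4 || h->length > dlen) return EAP_MALFORMED;
    return EAP_PACKET;
}

int main(void)
{
    struct eap_hdr h;
    printf("empty: %d\n", classify_eap_attr(attr_empty, sizeof attr_empty, &h));
    printf("2-byte: %d\n", classify_eap_attr(attr_2byte, sizeof attr_2byte, &h));
    if (classify_eap_attr(attr_ident, sizeof attr_ident, &h) == EAP_PACKET)
        printf("ident: %s id %d length %d\n", eap_code_name(h.code), h.id, h.length);
    printf("badlen: %d\n", classify_eap_attr(attr_badlen, sizeof attr_badlen, &h));
    return 0;
}
```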

