PEAP phase 2 details?

Mike Chang 2004-02-09, 1:35 pm
Hi,
I've read as many documents (RFC, Internet-Draft, web page, etc.) about
RADIUS/EAP/PEAP/TLS/MS-CHAP-V2 as possible; however, I couldn't find any
that describes the detailed behavior of MS-CHAP-V2 in PEAP phase 2.

For example, without the debug window of Funk's Odyssey client, I wouldn't
have known that the EAP header MUST NOT be transmitted in the TLS channel,
but that the RADIUS server and Odyssey client manually compose the EAP
header after receiving the EAP body.

For another example, without consulting the FreeRADIUS source code, I
wouldn't have known that there is another packet header between the EAP
header and MS-CHAP-V2.

Could anyone tell me where I can get the detailed behavior and packet
formats of PEAP phase 2?

BTW, is there any IEEE 802.1X supplicant that supports Result-TLV at the end
of the TLS channel? Funk's Odyssey client and IAS use encrypted empty packets
instead of Result-TLV just before tearing down the TLS channel.

Ashwin Palekar (MS) 2004-02-09, 5:34 pm
"Mike Chang" <ycchang@zyxel.com.tw> wrote in message
news:u$dJIF47DHA.2524@TK2MSFTNGP11.phx.gbl...
> I've read as many documents (RFC, Internet-Draft, web page, etc.) about
> RADIUS/EAP/PEAP/TLS/MS-CHAP-V2 as possible; however, I couldn't find any
> that describes the detailed behavior of MS-CHAP-V2 in PEAP phase 2.

In PEAPv0, the EAP-MSCHAPv2 (see EAP-MSCHAPv2 draft) packets are carried
inside the TLS data channel (without the EAP header of EAP-MSCHAPv2
packets), and the final exchange inside the tunnel is the EAP-TLV packet
(with EAP header) with Result=Success or Failure.

> For example, without the debug window of Funk's Odyssey client, I wouldn't
> have known that the EAP header MUST NOT be transmitted in the TLS channel,
> but that the RADIUS server and Odyssey client manually compose the EAP
> header after receiving the EAP body.

The EAP header is also outside the tunnel.

> For another example, without consulting the FreeRADIUS source code, I
> wouldn't have known that there is another packet header between the EAP
> header and MS-CHAP-V2.
>
> Could anyone tell me where I can get the detailed behavior and packet
> formats of PEAP phase 2?

PEAPv0 and EAP-MSCHAPv2 IETF drafts.

> BTW, is there any IEEE 802.1X supplicant that supports Result-TLV at the
> end of the TLS channel? Funk's Odyssey client and IAS use encrypted empty
> packets instead of Result-TLV just before tearing down the TLS channel.

PEAPv0 implementations (XP SP1 and IAS) use Result-TLV; they should not use
empty encrypted packets. See the PEAPv0 draft.

When verifying the packets, please make sure there isn't any other supplicant
installed on Windows XP SP1. If you have installed other supplicants on the
same machine earlier, then it is better to do a new install of Windows to be
sure.

Mike Chang 2004-02-09, 6:34 pm
Hi Ashwin,

Thank you very much for the answers!

The EAP-MSCHAPV2 draft is no longer available from the IETF; however, I got
it from Google.

Actually, I'm developing a RADIUS server which supports PEAP. Your
explanations were a great help to me. ;-)

BTW, the Windows Wireless Configuration seems to have a bug: the TLS module I
use in my RADIUS server transmits ChangeCipherSpec and Finished in two
separate packets. The wireless configuration gets the ChangeCipherSpec and
responds with a PEAP/Ack, and then my RADIUS server transmits Finished, and
the wireless configuration hangs without any response. In the case of the
Odyssey client, it responds with a PEAP/Ack after receiving the Finished
message.

Any idea?
Wajih Yahyaoui [MSFT] 2004-02-11, 6:36 am
Which OS is your client running?

--
Thanks
Wajih
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================
Mike Chang 2004-02-11, 12:35 pm
Windows 2000 Professional.

Mike
Ashwin Palekar (MS) 2004-02-11, 3:36 pm
Do you mean 2 fragments or messages?

If it is 2 messages, then why is the RADIUS server transmitting
ChangeCipherSpec and Finished in two separate messages?
Mike Chang 2004-02-11, 4:34 pm
Two separate messages. The TLS module is implemented by someone else and I
don't know why.

I made a little modification in order to work with the wireless
configuration, as I described in another thread, "PEAP phase 2 hangs up", so
that problem is solved.

However, there is still another question: I found that the MS-CHAPv2 ID
fields of the challenge and response packets must be the same, or otherwise
the wireless configuration will hang. Is there any constraint on the
identifier field of the Result-TLV message? The wireless configuration hangs
after receiving the Result-TLV/Success from the RADIUS server. The same
programs work well with the Odyssey client.
Mike Chang 2004-02-11, 4:34 pm
"Mike Chang" <ycchang@zyxel.com.tw> wrote in message
news:OwFjYtS8DHA.2812@TK2MSFTNGP11.phx.gbl...
> However, there is still another question: I found that the MS-CHAPv2 ID
> fields of challenge and response packets must be the same, or otherwise the
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            challenge and success request packets
Ashwin Palekar (MS) 2004-02-11, 6:34 pm
1. "The MS-CHAPv2-ID field is one octet and aids in matching MSCHAP-v2
responses with requests. Typically, the MS-CHAPv2-ID field is the
same as the Identifier field."

2. Not sure why Result-TLV Success would hang. Please use the key derivation
from the EAP-TLS RFC.
Mike Chang 2004-02-11, 6:34 pm
"Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in message
news:eUdlNuT8DHA.1000@TK2MSFTNGP11.phx.gbl...
> 1. "The MS-CHAPv2-ID field is one octet and aids in matching MSCHAP-v2
> responses with requests. Typically, the MS-CHAPv2-ID field is the
> same as the Identifier field."

Yes, I know. But what I mentioned is that the MS-CHAPv2-IDs of both the
challenge packet and the success/request packet MUST be the same, or
otherwise the wireless configuration would hang.

> 2. Not sure why Result-TLV Success would hang. Please use the key derivation
> from the EAP-TLS RFC.

Are you saying that the Result-TLV must be sent with MS-MPPE-{SEND,RECV}-KEY
attributes? What if I don't use WEP or WPA at all?
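The inner-packet framing Ashwin describes in his first reply (EAP-MSCHAPv2 carried in the TLS channel without its EAP header, which each side re-composes from the outer packet, and the EAP-TLV Result packet carried with its header) and the MS-CHAPv2-ID matching that Mike reports at the end of the thread, as an added Python example. This is not code from the thread, nor from FreeRADIUS, IAS or Odyssey. The TLV type and status values, the header-detection rule in from_tunnel, and the sample challenge/name bytes are assumptions made for the example; check the field layouts against the PEAPv0 and EAP-MSCHAPv2 drafts before relying on them.

```python
"""PEAPv0 phase-2 framing as discussed in this thread (example written for
this page, not taken from any poster or product):
  * inner EAP-MSCHAPv2 packets cross the TLS tunnel WITHOUT the 4-octet EAP
    header (Code, Identifier, Length); the receiver re-composes it from the
    outer EAP packet that carried the TLS record;
  * the final EAP-TLV Result packet (EAP Type 33) is carried WITH its header;
  * the Windows client reportedly hangs unless the MS-CHAPv2-ID of the
    Success-Request equals that of the Challenge.
Constant values below are assumptions; verify them against the drafts."""
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MSCHAPV2, EAP_TYPE_TLV = 26, 33
OP_CHALLENGE, OP_RESPONSE, OP_SUCCESS, OP_FAILURE = 1, 2, 3, 4
TLV_RESULT = 3          # "Acknowledged Result" TLV type (assumed value)
TLV_MANDATORY = 0x8000  # M bit in the first two octets of a TLV
RESULT_SUCCESS, RESULT_FAILURE = 1, 2


def eap_packet(code, identifier, type_data):
    """Full EAP packet: Code, Identifier, 16-bit Length (header included)."""
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def to_tunnel(packet):
    """Bytes written into the TLS channel: an EAP-TLV packet keeps its
    header, every other inner EAP packet is reduced to Type + Type-Data."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return packet if packet[4] == EAP_TYPE_TLV else packet[4:]


def from_tunnel(inner, outer_code, outer_identifier):
    """Re-compose the EAP header around a header-less inner packet, using the
    Code and Identifier of the outer PEAP packet.  A header-less
    EAP-Request/Identity starts with 0x01 just like a full EAP-TLV request,
    so Type 33 at offset 4 AND a matching Length field are both required
    before the data is treated as already carrying a header (assumed rule)."""
    if (len(inner) >= 5 and inner[0] in (EAP_REQUEST, EAP_RESPONSE)
            and inner[4] == EAP_TYPE_TLV
            and struct.unpack("!H", inner[2:4])[0] == len(inner)):
        return inner
    return eap_packet(outer_code, outer_identifier, inner)


def mschapv2(opcode, ms_id, data):
    """EAP-MSCHAPv2 Type-Data: Type=26, OpCode, MS-CHAPv2-ID, MS-Length, Data.
    MS-Length is the EAP Length minus 5, i.e. 4 + len(Data)."""
    return struct.pack("!BBBH", EAP_TYPE_MSCHAPV2, opcode, ms_id,
                       4 + len(data)) + data


def parse_mschapv2(type_data):
    """Return (opcode, ms_id, data); raise on a wrong Type or MS-Length.
    The peer's Success-Response is OpCode 3 alone, with no ID or MS-Length."""
    if type_data[0] != EAP_TYPE_MSCHAPV2:
        raise ValueError("not EAP-MSCHAPv2")
    if len(type_data) == 2:
        return type_data[1], None, b""
    opcode, ms_id, ms_len = struct.unpack("!BBH", type_data[1:5])
    if ms_len != len(type_data) - 1:
        raise ValueError("MS-Length %d != %d" % (ms_len, len(type_data) - 1))
    return opcode, ms_id, type_data[5:]


def challenge(ms_id, server_challenge, name):
    """Challenge: Value-Size (16), 16-octet server challenge, server Name."""
    return mschapv2(OP_CHALLENGE, ms_id,
                    bytes([len(server_challenge)]) + server_challenge + name)


def success_request(ms_id, auth_string, message=b"OK"):
    """Success-Request carries the 'S=<40 hex>' authenticator response as
    text, followed by an optional ' M=' message."""
    return mschapv2(OP_SUCCESS, ms_id, auth_string + b" M=" + message)


def result_tlv(identifier, success):
    """EAP-TLV (Type 33) with a mandatory Result TLV: M=1, Type 3, Length 2,
    Status 1 (Success) or 2 (Failure); sent with its full EAP header."""
    status = RESULT_SUCCESS if success else RESULT_FAILURE
    tlv = struct.pack("!HHH", TLV_MANDATORY | TLV_RESULT, 2, status)
    return eap_packet(EAP_REQUEST, identifier, bytes([EAP_TYPE_TLV]) + tlv)


def ids_consistent(challenge_td, success_td):
    """The constraint reported in the thread for the Windows client: the
    MS-CHAPv2-ID of the Success-Request must equal that of the Challenge."""
    return parse_mschapv2(challenge_td)[1] == parse_mschapv2(success_td)[1]


if __name__ == "__main__":
    ident = ms_id = 7                      # outer Identifier reused as MS-CHAPv2-ID
    chal = challenge(ms_id, os.urandom(16), b"radius")   # constructed sample
    print("into tunnel:", to_tunnel(eap_packet(EAP_REQUEST, ident, chal)).hex())
    print("rebuilt    :", from_tunnel(chal, EAP_REQUEST, ident).hex())
    print("result TLV :", result_tlv(ident + 2, True).hex())
```

Running the script shows the Challenge entering the tunnel as 26 01 07 ... (Type first, no Code/Identifier/Length), the same bytes rebuilt into a full packet on the far side, and the Result TLV leaving as 01 09 00 0b 21 80 03 00 02 00 01 with its header intact. A server that derives the Success-Request's MS-CHAPv2-ID from a fresh counter instead of the Challenge's value will fail the ids_consistent check, which is the mismatch the thread associates with the Windows client hanging.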