Radius Server - IAS WPS Extension DLL With EAP-TLV URI AVP Using Guest Authentication


Eliot Gable

2005-11-29, 5:58 pm

I am trying to write an extension DLL for IAS that does the WPS guest
authentication. I have it successfully registering itself, grabbing packets,
testing cases, selectively converting Access-Reject packets to Access-Accept
packets, etc. The only part I cannot figure out is how and when to do the
EAP-TLV URI attribute-value pairs. I imagine I do them in an
Access-Challenge packet, but I do not know how to figure out WHICH packet to
put them in or HOW to put them in the packet. I cannot find any USEFUL
documentation on doing the EAP programming stuff in an IAS DLL. I also do
not understand how my EAP messages get encrypted along with the rest, or how
I can modify them inside a call to the RadiusExtensionProcess2 function. Any
help or examples on how to do this would be greatly appreciated.

Thanks.

Eliot Gable
CCNA, CWNA, CWSP,
Security+, Network+




----== Posted via webservertalk.com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.webservertalk.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
Tom Eirik Jensen

2005-11-29, 5:58 pm

Hi !
I am working with this myself, looking in my C++ programming book. I think
I can learn much from you about programming, and I wonder... may I see your
programming? Your *.cpp file?
I work with a network consisting of a school with 240 PCs, 2 DCs, one
dedicated IIS 6.0, IAS, ISA and RIS. Only 2003. I am trying to get control
over the RADIUS and make a guest WLAN.




Washington Moreira

2005-11-29, 5:58 pm

Hi Eliot,

First, thank you for your post on my previous thread. At least I'm not alone with this problem.

Looking at my rastls.log, I think that my big problem is the EAPTLV URI struct format that I have created based on docs from the WPSDeploy.doc and the WPS Protocol description on MSDN ( http://msdn.microsoft.com/library/d...tlv_packets.asp ).
As I have explained in other posts, from the WPS Protocol description we have:

PEAP-TLV URI Packet
Fields:

  MandatoryRequirement   Type: Binary (1 bit)     Mandatory TLV, set to 1
  TLVReserved            Type: Binary (1 bit)     set to 0
  TLVType                Type: Binary (14 bits)   set to 8
  TLVValueLength         Type: UCHAR              Length of TLVValue field
  TLVValue               Type: UCHAR              URI to a master document

From the information above we can create a packet struct. But now look at the information from draft-josefsson-pppext-eap-tls-eap-10.txt (15 October 2004):

________________________________________
4.8. URI TLV

The URI TLV allows a server to send a URI to the client to refer it
to a resource. The TLV contains a URI in the format specified in
RFC2396 with UTF-8 encoding. Interpretation of the value of the URI
is outside the scope of this document.

If a packet contains multiple URI TLVs, then the client SHOULD select
the first TLV it can implement, and ignore the others. If the client
is unable to implement any of the URI TLVs, then it MAY ignore the
error. PEAP implementations MAY support this TLV; and this TLV
cannot be responded to with a NAK TLV. The URI TLV is defined as
follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |M|R|         TLV Type          |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              URI...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

M
    0 - Optional TLV

R
    Reserved, set to zero (0)

TLV Type
    8

Length
    >=0

URI
    This field is of indefinite length, and conforms to the format
    specified in [RFC2396].
________________________________________

As you can see, we have conflicts. Note that the field Length is a 16-bit value and the Mandatory field is zero (non-mandatory).

My doubt is how MS has implemented this on IAS?

OK. Returning to my rastls.log, you will see that my TLV URI packet sent to the EAP DLL was discarded because it was considered an invalid attribute. Below are the relevant lines from the log:
________________________________________
[1912] 16:47:40:703: EapTlsBegin()
[1912] 16:47:40:703: SetupMachineChangeNotification
[1912] 16:47:40:703: State change to Initial
[1912] 16:47:40:703: EapTlsBegin: Detected PEAP authentication
[1912] 16:47:40:703: MaxTLSMessageLength is now 16384
[1912] 16:47:40:703: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1912] 16:47:40:703: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1912] 16:47:40:703: The root cert will not be checked for revocation
[1912] 16:47:40:703: The cert will be checked for revocation
[1912] 16:47:40:703: EapPeapBegin done
[1912] 16:47:40:703: EapPeapMakeMessage
[1912] 16:47:40:703: EapPeapSMakeMessage
[1912] 16:47:40:703: PEAP:PEAP_STATE_INITIAL
[1912] 16:47:40:703: EapTlsSMakeMessage
[1912] 16:47:40:703: EapTlsReset
[1912] 16:47:40:703: State change to Initial
[1912] 16:47:40:703: GetCredentials
[1912] 16:47:40:703: Flag is Server and Store is local Machine
[1912] 16:47:40:703: GetCachedCredentials Flags = 0x4061
[1912] 16:47:40:703: GetCachedCredentials: Using Cached Credentials
[1912] 16:47:40:703: GetCachedCredentials: Hash of the cert in the cache is

6 4 3 E 5 8 D 2 5 2 2 5 C 4 0 3 6 D 1 C 6 9 A D D 0 5 2 F C F 5 | d > X . R % . . m . i . . R . . |

C A 1 B 8 0 A 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 | . . . . . . . . . . . . . . . . |
[1912] 16:47:40:703: BuildPacket
[1912] 16:47:40:703: << Sending Request (Code: 1) packet: Id: 33, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1912] 16:47:40:703: State change to SentStart
[1912] 16:47:40:703: EapPeapSMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage
[1912] 16:47:40:703: EapPeapSMakeMessage
[1912] 16:47:40:703: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV

[1912] 16:47:40:703: Received invalid attributes from application.
[1912] 16:47:40:703: EapPeapSMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage done
[1912] 16:47:40:703: EapPeapEnd
[1912] 16:47:40:703: EapTlsEnd
[1912] 16:47:40:703: EapTlsEnd()
[1912] 16:47:40:703: EapPeapEnd done
________________________________________


I hope that we find someone that helps us.
Thanks for your attention

Washington Moreira




Eliot Gable

2005-11-29, 5:58 pm

According to a post I just found on Google, the Mandatory flag MUST be set
to 0 for a PEAP-TLV URI attribute, not 1. The WPSDeploy.doc file is WRONG
about this point. The document says it must be 1, but according to an MSDN
developer and another person who got this thing to work, it must be 0.

Second, your structure is too big. An int is usually 4 bytes long. You
should use a single UCHAR field for all three of the first elements. You
will need to define some constants and OR (|) them into the first field.
But, really, since the Mandatory field is supposed to be 0 and Reserved is 0,
you can just set the first byte to 8.
Eliot Gable

2005-11-29, 5:58 pm

This is what I have based on the WPS Deployment documentation on the
structure of the EAP packets:

#define EAP_TLV_RESULT_TLV               3   /* Acknowledged Result */
#define EAP_TLV_NAK_TLV                  4
#define EAP_TLV_CRYPTO_BINDING_TLV       5
#define EAP_TLV_CONNECTION_BINDING_TLV   6
#define EAP_TLV_VENDOR_SPECIFIC_TLV      7
#define EAP_TLV_URI_TLV                  8
#define EAP_TLV_EAP_PAYLOAD_TLV          9
#define EAP_TLV_INTERMEDIATE_RESULT_TLV  10
#define EAP_TLV_PAC_TLV                  11  /* draft-cam-winget-eap-fast-01.txt */
#define EAP_TLV_CRYPTO_BINDING_TLV_      12  /* draft-cam-winget-eap-fast-01.txt */

#define EAP_TLV_RESULT_SUCCESS 1
#define EAP_TLV_RESULT_FAILURE 2

#define EAP_TLV_TYPE_MANDATORY 0x80
#define EAP_TLV_TYPE_ACK_RESULT 0x03


typedef struct eap_tlv_uri_packet {
    UCHAR TLVType;          /* Bit 1: Mandatory Requirement */
                            /* Bit 2: TLVReserved */
                            /* Bit 3-16: TLVType */
    UCHAR TLVValueLength;
    UCHAR TLVValue;         /* First byte of the URI; the rest follows it in the same allocation. */
} EAPTLVURIPACKET;

typedef struct eap_tlv_result_packet {
    UCHAR TLVPacketType;    /* Bit 1: Mandatory Requirement */
                            /* Bit 2: TLVReserved */
                            /* Bit 3-16: TLVPacketType */
    USHORT TLVStatusLength;
    USHORT TLVStatus;
} EAPTLVRESULTPACKET;




In my actual code block that adds the EAP-TLV URI, I have this:


/* Allocate room for the TLV header, the URI bytes and a trailing NUL. */
ucTLVValueLength = (UCHAR) strlen(url);
cbDataLength = sizeof(EAPTLVURIPACKET) + (sizeof(UCHAR) * ucTLVValueLength) + 1;
sprintf(mesg, "About to malloc %d bytes for EAPTLV Packet.\n", cbDataLength);
Debug(mesg);
bzero(mesg, 255);
euEAPTLV = RadiusAlloc(cbDataLength);
sprintf(mesg, "Finished malloc.\n");
Debug(mesg);
bzero(mesg, 255);
euEAPTLV->TLVType = EAP_TLV_URI_TLV;          /* Single byte: Mandatory = 0, Reserved = 0, Type = 8 */
euEAPTLV->TLVValueLength = ucTLVValueLength;
sprintf(mesg, "About to copy %d bytes data into TLVValue location at %X.\n",
        strlen(url), &euEAPTLV->TLVValue);
Debug(mesg);
bzero(mesg, 255);
strcpy(&euEAPTLV->TLVValue, url);
sprintf(mesg, "Done copying.\n");
Debug(mesg);
bzero(mesg, 255);
/* Recomputed with strlen: counts the type byte, the length byte and the URI,
 * stopping at the first zero byte, so the trailing NUL is not included. */
cbDataLength = strlen((const char*)euEAPTLV);
sprintf(mesg, "Length of EAP TLV Packet: %d.\n", cbDataLength);
Debug(mesg);
bzero(mesg, 255);

/* Fill in the RADIUS_ATTRIBUTE struct. */
/*cbDataLength = strlen(url);*/
raEAPTLV.dwAttrType = ratEAPTLV;
raEAPTLV.fDataType = rdtUnknown;
raEAPTLV.cbDataLength = cbDataLength;
raEAPTLV.lpValue = (PCSTR) euEAPTLV;

/* Add as the ratPEAPTLV URI TLV. */
sprintf(mesg, "Replacing first attribute of ratEAPTLV.\n");
Debug(mesg);
bzero(mesg, 255);
dwResult = RadiusReplaceFirstAttribute(pInRespAttrs, &raEAPTLV);



Then, in RadiusReplaceFirstAttribute:




DWORD
WINAPI
RadiusReplaceFirstAttribute(
    PRADIUS_ATTRIBUTE_ARRAY pAttrs,
    const RADIUS_ATTRIBUTE* pSrc
    )
{
    DWORD dwIndex, dwResult;
    char mesg[255];
    bzero(mesg, 255);

    if ((pAttrs == NULL) || (pSrc == NULL))
    {
        return ERROR_INVALID_PARAMETER;
    }

    dwIndex = RadiusFindFirstIndex(pAttrs, pSrc->dwAttrType);

    if (dwIndex != RADIUS_ATTR_NOT_FOUND)
    {
        sprintf(mesg, "Attribute found at index %d.\n", dwIndex);
        Debug(mesg);
        bzero(mesg, 255);
        /* It already exists, so overwrite the existing attribute. */
        dwResult = pAttrs->SetAt(pAttrs, dwIndex, pSrc);
    } else {
        sprintf(mesg, "Attribute not found (%d). Adding one (pAttrs := %X; pSrc := %X).\n",
                dwIndex, pAttrs, pSrc);
        Debug(mesg);
        bzero(mesg, 255);
        /* It doesn't exist, so append it: inserting at index GetSize() places it
         * after the last element. GetSize() - 1 would insert before the last
         * element and underflows to 0xFFFFFFFF when the array is empty. */
        dwIndex = pAttrs->GetSize(pAttrs);
        dwResult = pAttrs->InsertAt(pAttrs, dwIndex, pSrc);
    }

    if (dwResult == E_ACCESSDENIED) {
        sprintf(mesg, "Access denied while replacing attribute.\n");
        Debug(mesg);
        bzero(mesg, 255);
    }
    if (dwResult == ERROR_INVALID_PARAMETER) {
        sprintf(mesg, "Invalid parameter while replacing attribute: index out of range.\n");
        Debug(mesg);
        bzero(mesg, 255);
    }
    if (dwResult == NO_ERROR) {
        sprintf(mesg, "Success. Attribute replaced or added.\n");
        Debug(mesg);
        bzero(mesg, 255);
    }
    sprintf(mesg, "Done replacing attribute. Returning with result: %d.\n", dwResult);
    Debug(mesg);
    bzero(mesg, 255);

    return dwResult;
}


Of course, when I try to add the parameter, I get the error 87
(ERROR_INVALID_PARAMETER). I do not get an error in IASSAM.log.





Washington Moreira

2005-11-30, 2:50 am

Many thanks, Eliot.
Thanks for your comments about my struct. I'm 54 years old and sometimes my
mind fails, and for many years I have not used a packet structure. My
wrong packed struct would be correct for an old 16-bit environment.
Excuse me if I'm an idiot asking about your struct layout:
I need 16 bits to define the first three fields, but you are using a UCHAR
data type encompassing these 16 bits. Is this correct?

Please look below at these few code lines written for a Unix-like
environment (from
http://hostap.epitest.fi/wpa_suppli...ap__tlv_8h.html) (from the header
file):

struct eap_tlv_result_tlv {
    u16 tlv_type;
    u16 length;
    u16 status;
} __attribute__((packed));

And from the C source file (from
http://hostap.epitest.fi/wpa_suppli...ap__tlv_8c.html). Note that
the function below constructs the complete EAP response including the TLV
packet:

u8 * eap_tlv_build_result(int id, u16 status, size_t *resp_len)
{
    struct eap_hdr *hdr;
    u8 *pos;

    *resp_len = sizeof(struct eap_hdr) + 1 + 6;
    hdr = malloc(*resp_len);
    if (hdr == NULL)
        return NULL;

    hdr->code = EAP_CODE_RESPONSE;
    hdr->identifier = id;
    hdr->length = host_to_be16(*resp_len);
    pos = (u8 *) (hdr + 1);
    *pos++ = EAP_TYPE_TLV;
    *pos++ = 0x80; /* Mandatory */
    *pos++ = EAP_TLV_RESULT_TLV;
    /* Length */
    *pos++ = 0;
    *pos++ = 2;
    /* Status */
    WPA_PUT_BE16(pos, status);

    return (u8 *) hdr;
}


If I'm not wrong, looking above, there are two bytes for the first three
fields (not declared in this way), plus two more bytes to define the length of
the value. In this case the status is a two-byte value.

If 16 bits is correct to define the first three fields, rewriting my packed
struct would be:

typedef struct _PEAPTLV_URI {
    WORD  TLVType      : 14;   // bit fields from position 0 - 13
    WORD  TLVReserved  : 1;    // bit field position 14
    WORD  TLVMandatory : 1;    // bit field position 15, closing the first two bytes
    UCHAR TLVValueLength;      // Here the big doubt: IETF docs point to this as 16 bits
    UCHAR TLVValue[UNLEN];
} PEAPTLV_URI, *pPEAPTLV_URI;

(Note the bit fields are declared from right (low order) to left (high
order). In this way I don't need to use bitwise operators.)

Please, I'm waiting for your comments. Perhaps, exchanging our tests and
information, we can solve our problems.

Thanks
Washington Moreira
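As an added example (not code from either poster, nor from Microsoft or hostap), here are the two layouts under discussion side by side in C: the draft's 16-bit M/R/Type word followed by a 16-bit Length, which Washington's bit-field struct is trying to express, and the byte-packed layout read from WPSDeploy.doc that Eliot's EAPTLVURIPACKET uses, plus a strict parser that rejects a URI TLV whose Mandatory bit is set, matching Eliot's finding that M must be 0. The sample URI and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLV type number of the URI TLV (draft-josefsson-pppext-eap-tls-eap-10, 4.8). */
#define EAP_TLV_URI_TLV    8
/* First 16-bit word on the wire: M is bit 15, R is bit 14, Type is the low 14 bits. */
#define EAP_TLV_M_BIT      0x8000
#define EAP_TLV_R_BIT      0x4000
#define EAP_TLV_TYPE_MASK  0x3FFF
#define EAP_TLV_HDR_LEN    4

/* Draft layout: big-endian M/R/Type word, big-endian 16-bit Length, then the UTF-8 URI
 * with no NUL. M = 0 because the draft marks the URI TLV optional. Returns 0 if out is too small. */
size_t eap_tlv_build_uri(uint8_t *out, size_t out_len, const char *uri)
{
    size_t uri_len = strlen(uri);
    uint16_t type_word = EAP_TLV_URI_TLV;          /* M = 0, R = 0, Type = 8 */
    if (uri_len > 0xFFFF || out_len < EAP_TLV_HDR_LEN + uri_len)
        return 0;
    out[0] = (uint8_t)(type_word >> 8);
    out[1] = (uint8_t)(type_word & 0xFF);
    out[2] = (uint8_t)(uri_len >> 8);
    out[3] = (uint8_t)(uri_len & 0xFF);
    memcpy(out + EAP_TLV_HDR_LEN, uri, uri_len);
    return EAP_TLV_HDR_LEN + uri_len;
}

/* Byte-packed layout as read from WPSDeploy.doc (Eliot's EAPTLVURIPACKET): one type
 * byte with M and R folded in, then a one-byte length. Here only to contrast the two. */
size_t wps_doc_build_uri(uint8_t *out, size_t out_len, const char *uri)
{
    size_t uri_len = strlen(uri);
    if (uri_len > 0xFF || out_len < 2 + uri_len)
        return 0;
    out[0] = EAP_TLV_URI_TLV;                      /* M = 0, R = 0, Type = 8 in one byte */
    out[1] = (uint8_t)uri_len;
    memcpy(out + 2, uri, uri_len);
    return 2 + uri_len;
}

struct eap_tlv_view {
    int mandatory;
    int reserved;
    uint16_t type;
    uint16_t length;
};

/* Parse one draft-layout TLV header. Returns 1 on success, 0 when the header is
 * truncated, the reserved bit is set, or Length runs past the end of buf. */
int eap_tlv_parse(const uint8_t *buf, size_t buf_len, struct eap_tlv_view *v)
{
    uint16_t w;
    if (buf_len < EAP_TLV_HDR_LEN)
        return 0;
    w = (uint16_t)((buf[0] << 8) | buf[1]);
    v->mandatory = (w & EAP_TLV_M_BIT) != 0;
    v->reserved  = (w & EAP_TLV_R_BIT) != 0;
    v->type      = (uint16_t)(w & EAP_TLV_TYPE_MASK);
    v->length    = (uint16_t)((buf[2] << 8) | buf[3]);
    if (v->reserved || (size_t)v->length > buf_len - EAP_TLV_HDR_LEN)
        return 0;
    return 1;                                      /* URI bytes start at buf + 4 */
}

/* Accept a URI TLV only if it parses, has Type 8 and has M = 0 (the draft
 * marks it optional, and Eliot reports that M = 1 is rejected). */
int eap_tlv_is_valid_uri(const uint8_t *buf, size_t buf_len)
{
    struct eap_tlv_view v;
    if (!eap_tlv_parse(buf, buf_len, &v))
        return 0;
    return v.type == EAP_TLV_URI_TLV && !v.mandatory;
}

/* Encode one constructed URI both ways, print the leading header bytes, and
 * return the draft-layout length so the result can be checked. */
size_t eap_tlv_compare_layouts(void)
{
    static const char uri[] = "http://example.invalid/";   /* constructed sample */
    uint8_t draft[64], wps[64];
    size_t dn = eap_tlv_build_uri(draft, sizeof draft, uri);
    size_t wn = wps_doc_build_uri(wps, sizeof wps, uri);
    size_t i;
    printf("draft : ");
    for (i = 0; i < 4 && i < dn; i++) printf("%02X ", draft[i]);
    printf("... (%u bytes, valid=%d)\n", (unsigned)dn, eap_tlv_is_valid_uri(draft, dn));
    printf("wpsdoc: ");
    for (i = 0; i < 2 && i < wn; i++) printf("%02X ", wps[i]);
    printf("... (%u bytes, valid=%d)\n", (unsigned)wn, eap_tlv_is_valid_uri(wps, wn));
    return dn;
}

int main(void)
{
    eap_tlv_compare_layouts();
    return 0;
}
```

For the constructed URI the draft layout starts 00 08 00 17 and the byte-packed layout starts 08 17, so a receiver expecting the draft header reads the packed bytes as Type 0x0817 with an impossible length and discards them.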



"Eliot Gable" <support8@greatlakes.net> wrote in message
news:1133306452_43599@spool6-east.superfeed.net...
> This is what I have based on the WPS Deployment documentation on the
> structure of the EAP packets:
>
> #define EAP_TLV_RESULT_TLV 3 /* Acknowledged Result */
> #define EAP_TLV_NAK_TLV 4
> #define EAP_TLV_CRYPTO_BINDING_TLV 5
> #define EAP_TLV_CONNECTION_BINDING_TLV 6
> #define EAP_TLV_VENDOR_SPECIFIC_TLV 7
> #define EAP_TLV_URI_TLV 8
> #define EAP_TLV_EAP_PAYLOAD_TLV 9
> #define EAP_TLV_INTERMEDIATE_RESULT_TLV 10
> #define EAP_TLV_PAC_TLV 11 /* draft-cam-winget-eap-fast-01.txt */
> #define EAP_TLV_CRYPTO_BINDING_TLV_ 12 /* draft-cam-winget-eap-fast-01.txt
> */
>
> #define EAP_TLV_RESULT_SUCCESS 1
> #define EAP_TLV_RESULT_FAILURE 2
>
> #define EAP_TLV_TYPE_MANDATORY 0x80
> #define EAP_TLV_TYPE_ACK_RESULT 0x03
>
>
> typedef struct eap_tlv_uri_packet {
> UCHAR TLVType; /* Bit 1: Mandatory Requirement */
> /* Bit 2: TLVReserved */
> /* Bit 3-16: TLVType */
> UCHAR TLVValueLength;
> UCHAR TLVValue;
> } EAPTLVURIPACKET;
>
> typedef struct eap_tlv_result_packet {
> UCHAR TLVPacketType; /* Bit 1: Mandatory Requirement */
> /* Bit 2: TLVReserved */
> /* Bit 3-16: TLVPacketType */
> USHORT TLVStatusLength;
> USHORT TLVStatus;
> } EAPTLVRESULTPACKET;
>
>
>
>
> In my actual code block that adds the EAP-TLV URI, I have this:
>
>
> ucTLVValueLength = (UCHAR) strlen(url);
> cbDataLength = sizeof(EAPTLVURIPACKET) + (sizeof(UCHAR) *
> ucTLVValueLength) + 1;
> sprintf(mesg, "About to malloc %d bytes for EAPTLV Packet.\n",
> cbDataLength);
> Debug(mesg);
> bzero(mesg, 255);
> euEAPTLV = RadiusAlloc(cbDataLength);
> sprintf(mesg, "Finished malloc.\n");
> Debug(mesg);
> bzero(mesg, 255);
> euEAPTLV->TLVType = EAP_TLV_URI_TLV;
> euEAPTLV->TLVValueLength = ucTLVValueLength;
> sprintf(mesg, "About to copy %d bytes data into TLVValue location at
> %X.\n", strlen(url), &euEAPTLV->TLVValue);
> Debug(mesg);
> bzero(mesg, 255);
> strcpy(&euEAPTLV->TLVValue, url);
> sprintf(mesg, "Done copying.\n");
> Debug(mesg);
> bzero(mesg, 255);
> cbDataLength = strlen((const char*)euEAPTLV);
> sprintf(mesg, "Length of EAP TLV Packet: %d.\n", cbDataLength);
> Debug(mesg);
> bzero(mesg, 255);
>
> /* Fill in the RADIUS_ATTRIBUTE struct. */
> /*cbDataLength = strlen(url);*/
> raEAPTLV.dwAttrType = ratEAPTLV;
> raEAPTLV.fDataType = rdtUnknown;
> raEAPTLV.cbDataLength = cbDataLength;
> raEAPTLV.lpValue = (PCSTR) euEAPTLV;
>
> /* Add as the ratPEAPTLV URI TLV. */
> sprintf(mesg, "Replacing first attribute of ratEAPTLV.\n");
> Debug(mesg);
> bzero(mesg, 255);
> dwResult = RadiusReplaceFirstAttribute(pInRespAttrs
, &raEAPTLV);
>
>
>
> Then, in RadiusReplaceFirstAttribute:
>
>
>
>
> DWORD
> WINAPI
> RadiusReplaceFirstAttribute(
> PRADIUS_ATTRIBUTE_ARRAY pAttrs,
> const RADIUS_ATTRIBUTE* pSrc
> )
> {
> DWORD dwIndex, dwResult;
> char mesg[255];
> bzero(mesg, 255);
>
> if ((pAttrs == NULL) || (pSrc == NULL))
> {
> return ERROR_INVALID_PARAMETER;
> }
>
> dwIndex = RadiusFindFirstIndex(pAttrs, pSrc->dwAttrType);
>
> if (dwIndex != RADIUS_ATTR_NOT_FOUND)
> {
> sprintf(mesg, "Attribute found at index %d.\n", dwIndex);
> Debug(mesg);
> bzero(mesg, 255);
> /* It already exists, so overwrite the existing attribute. */
> dwResult = pAttrs->SetAt(pAttrs, dwIndex, pSrc);
> } else {
> sprintf(mesg, "Attribute not found (%d). Adding one (pAttrs := %X; pSrc
> := %X).\n", dwIndex, pAttrs, pSrc);
> Debug(mesg);
> bzero(mesg, 255);
> /* It doesn't exist, so add it to the end of the array. */
> dwIndex = pAttrs->GetSize(pAttrs) - 1;
> dwResult = pAttrs->InsertAt(pAttrs, dwIndex, pSrc);
> }
>
> if(dwResult == E_ACCESSDENIED) {
> sprintf(mesg, "Access denied while replacing attribute.\n");
> Debug(mesg);
> bzero(mesg, 255);
> }
> if(dwResult == ERROR_INVALID_PARAMETER) {
> sprintf(mesg, "Invalid parameter while replacing attribute: index out of
> range.\n");
> Debug(mesg);
> bzero(mesg, 255);
> }
> if(dwResult == NO_ERROR) {
> sprintf(mesg, "Success. Attribute replaced or added.\n");
> Debug(mesg);
> bzero(mesg, 255);
> }
> sprintf(mesg, "Done replacing attribute. Returning with result: %d.\n",
> dwResult);
> Debug(mesg);
> bzero(mesg, 255);
>
> return dwResult;
> }
>
>
> Of course, when I try to add the parameter, I get the error 87
> (ERROR_INVALID_PARAMETER). I do not get an error in IASSAM.log.
>
>
>
>
>
>
> "Washington Moreira" <digisystem@community.nospam> wrote in message
> news:OlChE9S9FHA.952@TK2MSFTNGP12.phx.gbl...
> Hi Eliot,
>
> First, thank you for your post on my previous thread. At least I'm not
> alone with this problem.
>
> Looking at my rastls.log, I think that my big problem is the EAPTLV URI
> struct format that I have created based on docs from the WPSDeploy.doc and
> the WPS Protocol description on MSDN (
> http://msdn.microsoft.com/library/d...tlv_packets.asp )
> As I have explained in other posts, from the WPS Protocol description we have:
>
> PEAP-TLV URI Packet
> Fields
>
> MandatoryRequirement Type Binary(1 bit) Mandatory TLV set to 1
> TLVReserved Type Binary(1 bit) set to 0
> TLVType Type Binary(14 bits) set to 8
> TLVValueLength Type UCHAR Length of TLVValue field
> TLVValue Type UCHAR URI to a master document
>
> From the information above we can create a packet struct. But look now
> at the information from draft-josefsson-pppext-eap-tls-eap-10.txt (15
> October 2004)
>
> _________________________________________________________________
> 4.8. URI TLV
>
> The URI TLV allows a server to send a URI to the client to refer it
> to a resource. The TLV contains a URI in the format specified in
> RFC2396 with UTF-8 encoding. Interpretation of the value of the URI
> is outside the scope of this document.
>
> If a packet contains multiple URI TLVs, then the client SHOULD select
> the first TLV it can implement, and ignore the others. If the client
> is unable to implement any of the URI TLVs, then it MAY ignore the
> error. PEAP implementations MAY support this TLV; and this TLV
> cannot be responded to with a NAK TLV. The URI TLV is defined as
> follows:
>
> 0 1 2 3
> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |M|R| TLV Type | Length |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> | URI...
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> M
>
> 0 - Optional TLV
>
> R
>
> Reserved, set to zero (0)
>
> TLV Type
>
> 8
>
> Length
>
>
> URI
>
> This field is of indefinite length, and conforms to the format
> specified in [RFC2396].
> ______________________________________________________________________________________________
>
> As you can see, we have conflicts. Note that the Length field is a 16-bit
> value and the mandatory field is zero (non-mandatory).
>
> My doubt is how MS have implemented on IAS?
>
> OK. Returning to my rastls.log, you will see that my TLV URI packet sent to
> the EAP DLL was discarded because it was considered an invalid attribute.
> Below are the relevant lines from the log:
> _______________________________________________________________________________
> [1912] 16:47:40:703: EapTlsBegin()
> [1912] 16:47:40:703: SetupMachineChangeNotification
> [1912] 16:47:40:703: State change to Initial
> [1912] 16:47:40:703: EapTlsBegin: Detected PEAP authentication
> [1912] 16:47:40:703: MaxTLSMessageLength is now 16384
> [1912] 16:47:40:703: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
> [1912] 16:47:40:703: CRYPT_E_REVOCATION_OFFLINE will not be ignored
> [1912] 16:47:40:703: The root cert will not be checked for revocation
> [1912] 16:47:40:703: The cert will be checked for revocation
> [1912] 16:47:40:703: EapPeapBegin done
> [1912] 16:47:40:703: EapPeapMakeMessage
> [1912] 16:47:40:703: EapPeapSMakeMessage
> [1912] 16:47:40:703: PEAP:PEAP_STATE_INITIAL
> [1912] 16:47:40:703: EapTlsSMakeMessage
> [1912] 16:47:40:703: EapTlsReset
> [1912] 16:47:40:703: State change to Initial
> [1912] 16:47:40:703: GetCredentials
> [1912] 16:47:40:703: Flag is Server and Store is local Machine
> [1912] 16:47:40:703: GetCachedCredentials Flags = 0x4061
> [1912] 16:47:40:703: GetCachedCredentials: Using Cached Credentials
> [1912] 16:47:40:703: GetCachedCredentials: Hash of the cert in the cache
> is
>
> 6 4 3 E 5 8 D 2 5 2 2 5 C 4 0 3 6 D 1 C 6 9 A D D
> 0 5 2 F C F 5 | d > X . R % . . m . i . . R . . |
>
> C A 1 B 8 0 A 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
> 0 0 0 0 0 0 0 | . . . . . . . . . . . . . . . . |
> [1912] 16:47:40:703: BuildPacket
> [1912] 16:47:40:703: << Sending Request (Code: 1) packet: Id: 33, Length:
> 6, Type: 13, TLS blob length: 0. Flags: S
> [1912] 16:47:40:703: State change to SentStart
> [1912] 16:47:40:703: EapPeapSMakeMessage done
> [1912] 16:47:40:703: EapPeapMakeMessage done
> [1912] 16:47:40:703: EapPeapMakeMessage
> [1912] 16:47:40:703: EapPeapSMakeMessage
> [1912] 16:47:40:703: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV
> [1912] 16:47:40:703: Received invalid attributes from application.
> [1912] 16:47:40:703: EapPeapSMakeMessage done
> [1912] 16:47:40:703: EapPeapMakeMessage done
> [1912] 16:47:40:703: EapPeapEnd
> [1912] 16:47:40:703: EapTlsEnd
> [1912] 16:47:40:703: EapTlsEnd()
> [1912] 16:47:40:703: EapPeapEnd done
> ___________________________________________________________________________________________________
>
>
> I hope that we find someone who can help us.
> Thanks for your attention.
>
> Washington Moreira
>
>
>
>
> "Eliot Gable" <support8@greatlakes.net> wrote in message
> news:1133294445_42627@spool6-east.superfeed.net...
>
>
>



Eliot Gable

2005-11-30, 5:54 pm

You're right; we're both losing our minds. That should be a u16 for the
first one. Although, the second two, according to the WPS Deployment
document, should be UCHAR data types. Now, it actually specifies BINARY data
type for the first 3, but I don't know how it would know what the length of
the BINARY value is in binary digits if we just put a binary number in it.
Also, I do not know if this is even a valid type in C for Microsoft. I am
trying to find that out right now. But it certainly isn't a type in ISO C.
It may be implemented as a class in C++, but I'm not that familiar with
Windows programming, so I'm kind of learning the Windows specific stuff as I
go.

"Washington Moreira" <digisystem@community.nospam> wrote in message
news:uvUahkW9FHA.3760@TK2MSFTNGP14.phx.gbl...
> Many thanks, Eliot.
> Thanks for your comments about my struct. I'm 54 years old and sometimes
> my mind fails, and for many years I have not used one packet structure. My
> wrong packed struct would be correct for an old 16 bit environment.
> Excuse-me if I'm an idiot asking about your struct layout:
> I need 16 bits to define the first three fields, but you are using an
> UCHAR data type encompassing these 16 bits. Is this correct?
>
> Please look below at these few code lines written for a Unix-like
> environment (from
> http://hostap.epitest.fi/wpa_suppli...ap__tlv_8h.html)( from
> header file):
>
> struct eap_tlv_result_tlv {
>     u16 tlv_type;
>     u16 length;
>     u16 status;
> } __attribute__((packed));
>
> And from C source file (from
> http://hostap.epitest.fi/wpa_suppli...ap__tlv_8c.html) Note that
> the function below constructs the complete EAP response including the TLV
> packet:
>
> u8 * eap_tlv_build_result(int id, u16 status, size_t *resp_len)
> {
>     struct eap_hdr *hdr;
>     u8 *pos;
>
>     *resp_len = sizeof(struct eap_hdr) + 1 + 6;
>     hdr = malloc(*resp_len);
>     if (hdr == NULL)
>         return NULL;
>
>     hdr->code = EAP_CODE_RESPONSE;
>     hdr->identifier = id;
>     hdr->length = host_to_be16(*resp_len);
>     pos = (u8 *) (hdr + 1);
>     *pos++ = EAP_TYPE_TLV;
>     *pos++ = 0x80; /* Mandatory */
>     *pos++ = EAP_TLV_RESULT_TLV;
>     /* Length */
>     *pos++ = 0;
>     *pos++ = 2;
>     /* Status */
>     WPA_PUT_BE16(pos, status);
>
>     return (u8 *) hdr;
> }
>
>
> If I'm not wrong, looking above, there are two bytes for the first three
> fields (not declared in this way), plus two more bytes to define the length of
> the value. In this case the status is a two-byte value.
>
> If 16 bits is correct to define the first three fields, my rewritten
> packed struct would be:
>
> typedef struct _PEAPTLV_URI{
>     WORD TLVType : 14;      // bit fields from position 0 - 13
>     WORD TLVReserved : 1;   // bit field position 14
>     WORD TLVMandatory : 1;  // bit field position 15, closing the first two bytes
>     UCHAR TLVValueLength;   // Here the big doubt: the IETF docs point to this as a 16-bit field
>     UCHAR TLVValue[UNLEN];
> }PEAPTLV_URI, *pPEAPTLV_URI;
>
> (Note the bit fields are declared from right (low order) to left (high
> order). In this way I don't need to use bitwise operators.)
>
> Please, I'm waiting for your comments. Perhaps by exchanging our tests and
> information we can solve our problems.
>
> Thanks
> Washington Moreira
>
>
>
> "Eliot Gable" <support8@greatlakes.net> wrote in message
> news:1133306452_43599@spool6-east.superfeed.net...
>
>



Eliot Gable

2005-11-30, 5:54 pm

Ok, as near as I can tell, there is no BINARY data type in Microsoft's
implementation of C. So, that means we need a USHORT for the first field in
the packet, followed by two UCHARs. In the Result packets, there should be
three USHORTs instead of one UCHAR and two USHORTs.

Unfortunately, I won't be able to test the new packet structure until
tomorrow. But, I surmise that we will still get the same error, as I do not
believe the error code 87 has anything to do with the structure of the data
(but I could be wrong on this point).

Also, on my way home yesterday, I made a realization: the documents I've
read state that the EAP attributes are in an array terminated by a
raatMinimum entry. That means, if we want to add one value, we actually need
to add two. The first one is an EAP-TLV URI entry and the second is a
raatMinimum entry to denote the end of the array. Therefore, my code should
actually malloc enough space for the EAP-TLV URI with the URL in it plus
enough space for a raatMinimum entry to terminate the array. It should all
be one contiguous block of memory and the lpValue should point to the
beginning of that block of allocated memory.

This is all assuming I have correctly understood what I've read. The
documents are not very specific and don't offer any examples.


"Eliot Gable" <support8@greatlakes.net> wrote in message
news:F66dnfaCcvFqKRDeRVn-jg@comcast.com...
>
> "Washington Moreira" <digisystem@community.nospam> wrote in message
> news:uvUahkW9FHA.3760@TK2MSFTNGP14.phx.gbl...
>
>



Eliot Gable

2005-11-30, 5:54 pm

Thanks! I had no idea you could do that. That is a big help! Has this
construct been in C/C++ for a long time? I haven't programmed much in C/C++
for over 5 years. Did it come out in the past 5 years, or was it in there
before that?

So, yes, the struct you posted in microsoft.public.win32.programmer.networks
looks correct based on this new information.

"Washington Moreira" <digisystem@community.nospam> wrote in message
news:egNkWSc9FHA.2176@TK2MSFTNGP14.phx.gbl...
> Hi Eliot,
> Please check this link for C:
> http://msdn.microsoft.com/library/d...tm/decla_17.asp
>
> And other for C++ but the MS C compiler understand in the same way:
> http://msdn.microsoft.com/library/d....bit_fields.asp
>
> Thanks
>
> Washington Moreira
>
>
> "Eliot Gable" <support8@greatlakes.net> wrote in message
> news:3N-dndTszq2BXxDeRVn-ow@comcast.com...
>
>



Tom Eirik Jensen

2005-11-30, 5:54 pm

Thank you for your kindness. I think I have to spend more time on this to understand what you are both doing. I am so nuts. It's a long time since I have programmed, maybe 10 years, when I studied electronics. I am only a 33-year-old Norwegian, but I have to refresh my programming technique anyway.

But I'm working on it, and I am getting to find out how it works, as I always do.

I am also working on a web page that uses ASP to make a user account. But I only have it in my mind. Using VBScript.

See you all, I'll be back soon.
"Washington Moreira" <digisystem@community.nospam> wrote in message news:OJbVobc9FHA.4036@TK2MSFTNGP11.phx.gbl...
I'm also in an active thread on microsoft.public.win32.programmer.networks with the subject "Wireless Provisioning Services and IAS Authorization DLL"; there is some new information there.

Washington Moreira




"Eliot Gable" <support8@greatlakes.net> wrote in message news:3N-dndTszq2BXxDeRVn-ow@comcast.com...
>
>
> "Eliot Gable" <support8@greatlakes.net> wrote in message
> news:F66dnfaCcvFqKRDeRVn-jg@comcast.com...
>
>

Washington Moreira

2005-11-30, 5:54 pm

Hi Eliot,
Yes, this has been there for a long time.
The great difference is that on the MS C/C++ compiler, the bit order is from the
low order bits to the high order bits. In traditional C this is from
high order to low order, as you can find in the famous book "Practical
C" written by Steve Oualline (O'Reilly & Associates, Inc - July 1991/January
1993/August 1997 - three editions in all.)

By the way, raatMinimum is an attribute from
RAS_AUTH_ATTRIBUTE_TYPE, and this is the territory of the EAP interface.
I don't know how to bypass the flow process to indicate to IAS that I have
two attributes in one unique insert operation. Perhaps by giving
cbDataLength a value that is the sum of the two attributes. I hope that
you have success, and please report to me. I will report to you any progress on
my fight results.

Washington Moreira

"Eliot Gable" <support8@greatlakes.net> wrote in message
news:xcCdnX0Q_vSzSxDenZ2dnUVZ_tKdnZ2d@comcast.com...
>
> "Washington Moreira" <digisystem@community.nospam> wrote in message
> news:egNkWSc9FHA.2176@TK2MSFTNGP14.phx.gbl...
>
>



Washington Moreira

2005-12-01, 8:55 pm

Hi Eliot,

I'm changing this post's index because of the indentation.
I received information from James McIllece, who has asked the WPS team about
the field TLVValueLength, and this should be a 16-bit field. So we need to
declare it as a WORD/u_short or something like that. But we need to be aware that
this value is in big-endian format,
that is, network byte order.

Other things that I have observed are two RADIUS attribute codes, 79 and 80,
that are not enumerated in the header file. These two attributes are the
EAP message packet (79) and the EAP message authenticator (80).
Attribute 79 can have many formats, but the first five bytes are standard
for all types.

Here is what these first five bytes mean:

Byte 1 - EAP code: can be 1 = Request; 2 = Response; 3 = Success; 4 = Failure
Byte 2 - ID: should match between Request and Response
Bytes 3 and 4 - Total length of the EAP message (including EAP code, ID,
TLVs, etc.) (big-endian format)
Byte 5 - The EAP type. I think that this byte is very important, because
here is the information about the current phase type. When this byte is 1
it means that the system is asking "who are you?", and when this byte changes to
value 25 it means that PEAP is in place.
Another value can be 3, which means an acknowledgement but ending the process
with an accept or reject. If this value ends as 13 it means that you have a
client with "Smart card or other Certificate" authentication type. (There
are many other values for this field.)

Now I'm wondering if we can inject a PEAP-TLV packet before the EAP type of
attribute 79 (which I named EAPMessage) has been changed to value
25 (PEAP).

Well, more questions...........

I hope that other members help us here.

Best Regards

Washington Moreira

By the way - attribute 79 is always present in all conversations if the
peer is a wireless client.









egable@gmail.com

2005-12-05, 5:58 pm

I have solved the problem!

First, the documentation is incorrect on many issues.

1) The Mandatory field must be set to 0, not 1.
2) The size of the TLVValueLength field is 16 bits (2 bytes) not UCHAR
(1 byte).
3) The EAP-TLV Status message is in the Access-Request attributes [i.e.
pECB->GetRequest(pECB)], not the response attributes [i.e.
pECB->GetResponse(pECB, rcAccessChallenge)].
4) To modify the success message in place, you should set
pAttr->lpValue[5] = 1
5) The lpValue attribute is a constant and you cannot do #4. You must
create a non-const pointer to the lpValue to modify it: char* data =
(char*)pAttr->lpValue; data[5] = 1
6) The Reject-Reason code is not part of an Access-Reject packet. It is
in the _request_ attributes inside the packet that contains the EAP-TLV
Status message.

Once those are straightened out, you can move forward. The next step is
that, instead of creating a structure for the packet with a static
length on the URL, you will need a dynamic length. So, just do this:

pInRespAttrs = pECB->GetResponse(pECB, rcAccessChallenge);
usTLVValueLength = (USHORT) strlen(url);       /* 16-bit length field (see #2), so USHORT, not UCHAR */
euEAPTLV = RadiusAlloc(4 + usTLVValueLength);
ZeroMemory(euEAPTLV, 4 + usTLVValueLength);
euEAPTLV[0] = 0;                               /* M=0, R=0, high bits of TLV Type */
euEAPTLV[1] = 8;                               /* TLV Type 8 = URI */
euEAPTLV[2] = (UCHAR)(usTLVValueLength >> 8);  /* length, big-endian (network byte order) */
euEAPTLV[3] = (UCHAR)(usTLVValueLength & 0xFF);
memcpy(&euEAPTLV[4], url, usTLVValueLength);   /* memcpy, not strcpy: strcpy would write its NUL one byte past the allocation */

/* Fill in the RADIUS_ATTRIBUTE struct. */
raEAPTLV.dwAttrType = ratEAPTLV;
raEAPTLV.fDataType = rdtString;
raEAPTLV.cbDataLength = 4 + usTLVValueLength;
raEAPTLV.lpValue = (PCSTR) euEAPTLV;

/* Add as the ratPEAPTLV URI TLV, inserting before the last existing entry. */
dwIndex = pInRespAttrs->GetSize(pInRespAttrs) - 1;
pInRespAttrs->InsertAt(pInRespAttrs, dwIndex, &raEAPTLV);


Enjoy!
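As an added example, not code from this thread or from the IAS SDK, here is a self-contained C encoder and parser for the EAP-TLV layout the thread settled on (16-bit M/R/Type word, 16-bit big-endian length, M=0 for the URI TLV), wrapped in the five-byte EAP header described above; the EAP type value 33 for EAP-TLV comes from the draft, and the URI in the test is a constructed sample. The parser also shows why the one-byte TLVValueLength from the MSDN table is rejected: the byte after it is read as the low half of a 16-bit length that overruns the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from draft-josefsson-pppext-eap-tls-eap (EAP-TLV). */
#define EAP_CODE_REQUEST   1
#define EAP_TYPE_TLV       33   /* EAP method type that carries TLVs */
#define EAP_TLV_RESULT_TLV 3
#define EAP_TLV_URI_TLV    8
#define EAP_HDR_LEN        5    /* code, id, length (2, big-endian), type */

/* One decoded TLV: 16-bit M/R/Type word, 16-bit big-endian length, value. */
typedef struct {
    int mandatory;
    uint16_t type;
    uint16_t length;
    const uint8_t *value;
} eap_tlv_t;

/* Encode a URI TLV: M=0, R=0, Type=8, 16-bit length, URI bytes without NUL.
 * Returns bytes written, or 0 if the URI does not fit. */
size_t eap_tlv_build_uri(uint8_t *out, size_t cap, const char *uri)
{
    size_t len = strlen(uri);
    if (len > 0xFFFF || cap < 4 + len)
        return 0;
    out[0] = 0;                      /* M=0, R=0, type bits 13..8 = 0 */
    out[1] = EAP_TLV_URI_TLV;        /* type bits 7..0 = 8 */
    out[2] = (uint8_t)(len >> 8);    /* length in network byte order */
    out[3] = (uint8_t)(len & 0xFF);
    memcpy(out + 4, uri, len);       /* memcpy, not strcpy: no terminator */
    return 4 + len;
}

/* Encode a Result TLV: M=1, Type=3, Length=2, Status 1=Success 2=Failure. */
size_t eap_tlv_build_result(uint8_t *out, size_t cap, uint16_t status)
{
    if (cap < 6)
        return 0;
    out[0] = 0x80;  out[1] = EAP_TLV_RESULT_TLV;
    out[2] = 0;     out[3] = 2;
    out[4] = (uint8_t)(status >> 8);
    out[5] = (uint8_t)(status & 0xFF);
    return 6;
}

/* Prefix one TLV with an EAP Request header (the first five bytes of the
 * EAP-Message attribute). Returns total length, or 0 on failure. */
size_t eap_tlv_build_request(uint8_t *out, size_t cap, uint8_t id,
                             const uint8_t *tlv, size_t tlv_len)
{
    size_t total = EAP_HDR_LEN + tlv_len;
    if (cap < total || total > 0xFFFF)
        return 0;
    out[0] = EAP_CODE_REQUEST;
    out[1] = id;
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xFF);
    out[4] = EAP_TYPE_TLV;
    memcpy(out + EAP_HDR_LEN, tlv, tlv_len);
    return total;
}

/* Decode one TLV from buf. Returns bytes consumed, or 0 if malformed
 * (reserved bit set, or the length field claims more bytes than present). */
size_t eap_tlv_parse(const uint8_t *buf, size_t avail, eap_tlv_t *tlv)
{
    if (avail < 4)
        return 0;
    uint16_t word = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t len  = (uint16_t)((buf[2] << 8) | buf[3]);
    if (word & 0x4000)
        return 0;                    /* R must be zero */
    if ((size_t)len > avail - 4)
        return 0;                    /* truncated or over-claimed length */
    tlv->mandatory = (word & 0x8000) != 0;
    tlv->type = word & 0x3FFF;
    tlv->length = len;
    tlv->value = buf + 4;
    return 4 + (size_t)len;
}

/* Walk an EAP-TLV packet and copy its first URI TLV into uri_out as a
 * NUL-terminated string. Returns 1 found, 0 none, -1 malformed or no room. */
int eap_tlv_find_uri(const uint8_t *pkt, size_t pktlen, char *uri_out, size_t cap)
{
    if (pktlen < EAP_HDR_LEN)
        return -1;
    size_t declared = (size_t)((pkt[2] << 8) | pkt[3]);
    if (declared < EAP_HDR_LEN || declared > pktlen || pkt[4] != EAP_TYPE_TLV)
        return -1;
    size_t off = EAP_HDR_LEN;
    while (off < declared) {
        eap_tlv_t tlv;
        size_t used = eap_tlv_parse(pkt + off, declared - off, &tlv);
        if (used == 0)
            return -1;
        if (tlv.type == EAP_TLV_URI_TLV) {
            if ((size_t)tlv.length + 1 > cap)
                return -1;
            memcpy(uri_out, tlv.value, tlv.length);
            uri_out[tlv.length] = '\0';
            return 1;
        }
        off += used;
    }
    return 0;
}
```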

Washington Moreira

2005-12-06, 6:02 pm

Thank you Eliot
I have now my DLL working.

Now the problem is when a user tries to log on as domain\username and that
domain is not recognized by IAS.
IAS never accepts, never rejects, never sends the PEAP-TLV RESULT.
I'm now working on a way to force IAS to reject in the Authentication phase so the
expected attributes can appear in the Authorization phase.
This problem occurs when the user associates with the SSID manually or changes
some settings.

I think that I need to change the domain name part to one for which IAS could
execute an LDAP request.

Many thanks again for your collaboration on my project.

Washington Moreira



<egable@gmail.com> wrote in message
news:1133815237.432016.199330@g43g2000cwa.googlegroups.com...
>



Wei Zheng [MSFT]

2005-12-12, 8:50 pm

Hi,

The spec
http://msdn.microsoft.com/library/d...tlv_packets.asp
is wrong on that flag. The mandatory flag should be 0 for URI TLV.

Our implementation is correct, just the documentation is wrong. A bug has
been filed on the documentation and we are in the process of fixing the
documentation.

Sorry for the inconvenience. Please let me know if I can be of further help.
Wei


--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm.

Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
====================================
"Washington Moreira" <digisystem@community.nospam> wrote in message
news:OlChE9S9FHA.952@TK2MSFTNGP12.phx.gbl...



egable@gmail.com

2006-01-04, 2:56 am

I have a nice website up now that summarizes writing the WPS Extension
DLL for IAS. You can go here to read it:

http://eliot.kayandee.net/wps.php
