Re: IAS WPS Extension DLL With EAP-TLV URI AVP Using Guest Authentication
- From: "Washington Moreira" <digisystem@xxxxxxxxxxxxxxxx>
- Date: Tue, 29 Nov 2005 19:53:03 -0200
Hi Eliot,

First, thank you for your post on my previous thread. At least I'm not alone with this problem.

Looking at my rastls.log, I think that my big problem is the EAP-TLV URI struct format that I have created based on docs from the WPSDeploy.doc and the WPS Protocol description on MSDN
( http://msdn.microsoft.com/library/default.asp?url= )

As I have explained in other posts, from the WPS Protocol description we have:
PEAP-TLV URI Packet

Field                  Type               Description
MandatoryRequirement   Binary (1 bit)     Mandatory TLV set to 1
TLVReserved            Binary (1 bit)     set to 0
TLVType                Binary (14 bits)   set to 8
TLVValueLength         UCHAR              Length of TLVValue field
TLVValue               UCHAR              URI to a master document
From the information above we can create a packet struct. But look now at the information from draft-josefsson-pppext-eap-tls-eap-10.txt (15 October 2004):
_________________________________________________________________
4.8. URI TLV

The URI TLV allows a server to send a URI to the client to refer it
to a resource. The TLV contains a URI in the format specified in
RFC2396 with UTF-8 encoding. Interpretation of the value of the URI
is outside the scope of this document.

If a packet contains multiple URI TLVs, then the client SHOULD select
the first TLV it can implement, and ignore the others. If the client
is unable to implement any of the URI TLVs, then it MAY ignore the
error. PEAP implementations MAY support this TLV; and this TLV
cannot be responded to with a NAK TLV. The URI TLV is defined as
follows:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R|         TLV Type          |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              URI...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

M
   0 - Optional TLV
R
   Reserved, set to zero (0)
TLV Type
   8
Length
   >=0
URI
   This field is of indefinite length, and conforms to the format
   specified in [RFC2396].
_________________________________________________________________
As you can see, we have conflicts. Note that the field Length is a 16-bit value and the mandatory field is zero (non-mandatory).

My doubt is how MS has implemented it on IAS.

OK. Returning to my rastls.log, you will see that my TLV URI packet sent to the EAP DLL was discarded because it was considered an invalid attribute. Below are the relevant lines from the log:
_______________________________________________________________________________
[1912] 16:47:40:703: EapTlsBegin()
[1912] 16:47:40:703: SetupMachineChangeNotification
[1912] 16:47:40:703: State change to Initial
[1912] 16:47:40:703: EapTlsBegin: Detected PEAP authentication
[1912] 16:47:40:703: MaxTLSMessageLength is now 16384
[1912] 16:47:40:703: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1912] 16:47:40:703: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1912] 16:47:40:703: The root cert will not be checked for revocation
[1912] 16:47:40:703: The cert will be checked for revocation
[1912] 16:47:40:703: EapPeapBegin done
[1912] 16:47:40:703: EapPeapMakeMessage
[1912] 16:47:40:703: EapPeapSMakeMessage
[1912] 16:47:40:703: PEAP:PEAP_STATE_INITIAL
[1912] 16:47:40:703: EapTlsSMakeMessage
[1912] 16:47:40:703: EapTlsReset
[1912] 16:47:40:703: State change to Initial
[1912] 16:47:40:703: GetCredentials
[1912] 16:47:40:703: Flag is Server and Store is local Machine
[1912] 16:47:40:703: GetCachedCredentials Flags = 0x4061
[1912] 16:47:40:703: GetCachedCredentials: Using Cached Credentials
[1912] 16:47:40:703: GetCachedCredentials: Hash of the cert in the cache is
6 4 3 E 5 8 D 2 5 2 2 5 C 4 0 3 6 D 1 C 6 9 A D D 0 5 2 F C F 5 | d > X . R % . . m . i . . R . . |
C A 1 B 8 0 A 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 | . . . . . . . . . . . . . . . . |
[1912] 16:47:40:703: BuildPacket
[1912] 16:47:40:703: << Sending Request (Code: 1) packet: Id: 33, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1912] 16:47:40:703: State change to SentStart
[1912] 16:47:40:703: EapPeapSMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage
[1912] 16:47:40:703: EapPeapSMakeMessage
[1912] 16:47:40:703: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV
[1912] 16:47:40:703: Received invalid attributes from application.
[1912] 16:47:40:703: EapPeapSMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage done
[1912] 16:47:40:703: EapPeapEnd
[1912] 16:47:40:703: EapTlsEnd
[1912] 16:47:40:703: EapTlsEnd()
[1912] 16:47:40:703: EapPeapEnd done
___________________________________________________________________________________________________
I hope that we find someone who can help us.

Thanks for your attention,
Washington Moreira
"Eliot Gable" <support8@xxxxxxxxxxxxxx> wrote in
message news:1133294445_42627@xxxxxxxxxxxxxxxxxxxxxxxxx...
> I am trying to write an extension DLL for IAS that does the WPS guest
> authentication. I have it successfully registering itself, grabbing packets,
> testing cases, selectively converting Access-Reject packets to Access-Accept
> packets, etc. The only part I cannot figure out is how and when to do the
> EAP-TLV URI attribute-value pairs. I imagine I do them in an
> Access-Challenge packet, but I do not know how to figure out WHICH packet to
> put them in or HOW to put them in the packet. I cannot find any USEFUL
> documentation on doing the EAP programming stuff in an IAS DLL. I also do
> not understand how my EAP messages get encrypted along with the rest, or how
> I can modify them inside a call to the RadiusExtensionProcess2 function. Any
> help or examples on how to do this would be greatly appreciated.
>
> Thanks.
>
> Eliot Gable
> CCNA, CWNA, CWSP,
> Security+, Network+
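As an added example (not code from either poster, from the draft, or from Microsoft), the C below builds and validates a URI TLV using the draft layout quoted above: M bit, R bit, 14-bit TLV Type of 8, 16-bit Length in network order, then the URI bytes. The URI value is a constructed placeholder; the parser's bounds check on the declared Length is the check a receiving DLL needs before it touches the URI bytes.

```c
/* Added example, not from the post or from Microsoft: build and validate a
 * PEAP URI TLV with the draft-josefsson-pppext-eap-tls-eap-10 layout quoted
 * above (M bit, R bit, 14-bit TLV Type = 8, 16-bit Length, then the URI). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define URI_TLV_TYPE 8u
#define TLV_HDR_LEN  4u

struct uri_tlv {
    int mandatory;       /* M bit; the draft sets it to 0 for the URI TLV */
    uint16_t type;       /* 14-bit TLV Type */
    uint16_t length;     /* Length of the URI in bytes (16 bits, network order) */
    const uint8_t *uri;  /* points into the input buffer, not NUL-terminated */
};

/* Encode one URI TLV into out. Returns bytes written, 0 if it does not fit.
 * The MSDN table quoted in the post describes the length as a single UCHAR;
 * this encoder follows the draft's 16-bit field instead. */
size_t encode_uri_tlv(uint8_t *out, size_t cap, const char *uri, int mandatory)
{
    size_t n = strlen(uri);
    if (n > 0xFFFFu || cap < TLV_HDR_LEN + n)
        return 0;
    out[0] = (uint8_t)((mandatory ? 0x80 : 0) | ((URI_TLV_TYPE >> 8) & 0x3F)); /* M, R=0, type hi */
    out[1] = (uint8_t)(URI_TLV_TYPE & 0xFF);                                    /* type lo */
    out[2] = (uint8_t)(n >> 8);                                                  /* Length hi */
    out[3] = (uint8_t)(n & 0xFF);                                                /* Length lo */
    memcpy(out + TLV_HDR_LEN, uri, n);
    return TLV_HDR_LEN + n;
}

/* Decode and validate one URI TLV. Returns 0 on success, -1 when the header is
 * malformed, the type is not 8, or the declared Length runs past the buffer:
 * a receiver must reject that case before reading any URI bytes. */
int parse_uri_tlv(const uint8_t *buf, size_t len, struct uri_tlv *tlv)
{
    if (len < TLV_HDR_LEN || (buf[0] & 0x40))        /* too short, or R bit set */
        return -1;
    tlv->mandatory = (buf[0] & 0x80) != 0;
    tlv->type = (uint16_t)(((buf[0] & 0x3F) << 8) | buf[1]);
    tlv->length = (uint16_t)((buf[2] << 8) | buf[3]);
    if (tlv->type != URI_TLV_TYPE || (size_t)tlv->length > len - TLV_HDR_LEN)
        return -1;                                    /* wrong type or truncated */
    tlv->uri = buf + TLV_HDR_LEN;
    return 0;
}
```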