Re: IAS WPS Extension DLL With EAP-TLV URI AVP Using Guest Authentication
- From: "Wei Zheng [MSFT]" <weizheng@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 12 Dec 2005 16:08:12 -0800
Hi,
The spec
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/peap-tlv_packets.asp
is wrong on that flag. The mandatory flag should be 0 for URI TLV.
Our implementation is correct, just the documentation is wrong. A bug has
been filed on the documentation and we are in the process of fixing the
documentation.
Sorry for the inconvenience. Please let me know if I can be of further help.
Wei
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm.
Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
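An added example, not code from any poster in this thread, that builds and parses a PEAP URI TLV in the draft-josefsson layout quoted below (M bit, R bit, 14-bit type 8, 16-bit length, UTF-8 URI) and rejects a URI TLV whose mandatory bit is set, which is the encoding the MSDN table described and which the reply above says is wrong. The 16-bit length follows the draft; the reply only confirms the flag, so treating the length as 16 bits is an assumption here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example: URI TLV per draft-josefsson-pppext-eap-tls-eap-10
 *   |M|R| 14-bit TLV Type (8) | 16-bit Length | URI (UTF-8, Length bytes) */
#define URI_TLV_TYPE 8

enum { TLV_OK = 0, TLV_SHORT = 1, TLV_BAD_TYPE = 2,
       TLV_MANDATORY_SET = 3, TLV_RESERVED_SET = 4 };

/* Encode uri into out with M=0 and R=0; returns bytes written, 0 if it
 * does not fit in cap or the URI exceeds the 16-bit Length field. */
size_t uri_tlv_build(const char *uri, uint8_t *out, size_t cap)
{
    size_t n = strlen(uri);
    if (n > 0xFFFF || cap < 4 + n) return 0;
    uint16_t hdr = (uint16_t)(URI_TLV_TYPE & 0x3FFF); /* M=0, R=0, type=8 */
    out[0] = (uint8_t)(hdr >> 8);
    out[1] = (uint8_t)hdr;
    out[2] = (uint8_t)(n >> 8);          /* 16-bit Length, network order */
    out[3] = (uint8_t)n;
    memcpy(out + 4, uri, n);
    return 4 + n;
}

/* Decode a URI TLV from buf; on TLV_OK the URI is NUL-terminated in uri.
 * A URI TLV with M=1 is rejected: the corrected spec requires M=0, and a
 * receiver that cannot implement a URI TLV is allowed to ignore it. */
int uri_tlv_parse(const uint8_t *buf, size_t len, char *uri, size_t uri_cap)
{
    if (len < 4) return TLV_SHORT;
    uint16_t hdr  = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t vlen = (uint16_t)((buf[2] << 8) | buf[3]);
    if (hdr & 0x8000) return TLV_MANDATORY_SET;       /* M bit must be 0 */
    if (hdr & 0x4000) return TLV_RESERVED_SET;        /* R bit must be 0 */
    if ((hdr & 0x3FFF) != URI_TLV_TYPE) return TLV_BAD_TYPE;
    if (len < 4 + (size_t)vlen) return TLV_SHORT;     /* truncated value */
    if ((size_t)vlen + 1 > uri_cap) return TLV_SHORT; /* caller buffer */
    memcpy(uri, buf + 4, vlen);
    uri[vlen] = '\0';
    return TLV_OK;
}
```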
====================================
"Washington Moreira" <digisystem@xxxxxxxxxxxxxxxx> wrote in message
news:OlChE9S9FHA.952@xxxxxxxxxxxxxxxxxxxxxxx
Hi Eliot,
First, thank you for your post on my previous thread. At least I'm not alone
with this problem.
Looking at my rastls.log, I think that my big problem is the EAP-TLV URI
struct format that I created based on the docs from WPSDeploy.doc and the
WPS Protocol description on MSDN (
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/peap-tlv_packets.asp )
As I have explained in other posts, from the WPS Protocol description we have:
PEAP-TLV URI Packet
Field                 Type              Description
MandatoryRequirement  Binary (1 bit)    Mandatory TLV, set to 1
TLVReserved           Binary (1 bit)    Set to 0
TLVType               Binary (14 bits)  Set to 8
TLVValueLength        UCHAR             Length of TLVValue field
TLVValue              UCHAR             URI to a master document
From the information above we can create a packet struct. But now look at
the information from draft-josefsson-pppext-eap-tls-eap-10.txt (15 October
2004)
_________________________________________________________________
4.8. URI TLV
The URI TLV allows a server to send a URI to the client to refer it
to a resource. The TLV contains a URI in the format specified in
RFC2396 with UTF-8 encoding. Interpretation of the value of the URI
is outside the scope of this document.
If a packet contains multiple URI TLVs, then the client SHOULD select
the first TLV it can implement, and ignore the others. If the client
is unable to implement any of the URI TLVs, then it MAY ignore the
error. PEAP implementations MAY support this TLV; and this TLV
cannot be responded to with a NAK TLV. The URI TLV is defined as
follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|R|         TLV Type          |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              URI...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
M
0 - Optional TLV
R
Reserved, set to zero (0)
TLV Type
8
Length
>=0
URI
This field is of indefinite length, and conforms to the format
specified in [RFC2396].
______________________________________________________________________________________________
As you can see, we have conflicts. Note that the Length field is a 16-bit
value and the mandatory field is zero (non-mandatory).
My doubt is: how has MS implemented this on IAS?
OK. Returning to my rastls.log, you will see that my TLV URI packet sent to
the EAP DLL was discarded because it was considered an invalid attribute.
Below are the relevant lines from the log:
_______________________________________________________________________________
[1912] 16:47:40:703: EapTlsBegin()
[1912] 16:47:40:703: SetupMachineChangeNotification
[1912] 16:47:40:703: State change to Initial
[1912] 16:47:40:703: EapTlsBegin: Detected PEAP authentication
[1912] 16:47:40:703: MaxTLSMessageLength is now 16384
[1912] 16:47:40:703: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1912] 16:47:40:703: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1912] 16:47:40:703: The root cert will not be checked for revocation
[1912] 16:47:40:703: The cert will be checked for revocation
[1912] 16:47:40:703: EapPeapBegin done
[1912] 16:47:40:703: EapPeapMakeMessage
[1912] 16:47:40:703: EapPeapSMakeMessage
[1912] 16:47:40:703: PEAP:PEAP_STATE_INITIAL
[1912] 16:47:40:703: EapTlsSMakeMessage
[1912] 16:47:40:703: EapTlsReset
[1912] 16:47:40:703: State change to Initial
[1912] 16:47:40:703: GetCredentials
[1912] 16:47:40:703: Flag is Server and Store is local Machine
[1912] 16:47:40:703: GetCachedCredentials Flags = 0x4061
[1912] 16:47:40:703: GetCachedCredentials: Using Cached Credentials
[1912] 16:47:40:703: GetCachedCredentials: Hash of the cert in the cache is
6 4 3 E 5 8 D 2 5 2 2 5 C 4 0 3 6 D 1 C 6 9 A D D 0
5 2 F C F 5 | d > X . R % . . m . i . . R . . |
C A 1 B 8 0 A 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 | . . . . . . . . . . . . . . . . |
[1912] 16:47:40:703: BuildPacket
[1912] 16:47:40:703: << Sending Request (Code: 1) packet: Id: 33, Length: 6,
Type: 13, TLS blob length: 0. Flags: S
[1912] 16:47:40:703: State change to SentStart
[1912] 16:47:40:703: EapPeapSMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage
[1912] 16:47:40:703: EapPeapSMakeMessage
[1912] 16:47:40:703: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV
[1912] 16:47:40:703: Received invalid attributes from application.
[1912] 16:47:40:703: EapPeapSMakeMessage done
[1912] 16:47:40:703: EapPeapMakeMessage done
[1912] 16:47:40:703: EapPeapEnd
[1912] 16:47:40:703: EapTlsEnd
[1912] 16:47:40:703: EapTlsEnd()
[1912] 16:47:40:703: EapPeapEnd done
___________________________________________________________________________________________________
I hope that we find someone who can help us.
Thanks for your attention
Washington Moreira
"Eliot Gable" <support8@xxxxxxxxxxxxxx> wrote in message
news:1133294445_42627@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I am trying to write an extension DLL for IAS that does the WPS guest
> authentication. I have it successfully registering itself, grabbing
> packets, testing cases, selectively converting Access-Reject packets to
> Access-Accept packets, etc. The only part I cannot figure out is how and
> when to do the EAP-TLV URI attribute-value pairs. I imagine I do them in an
> Access-Challenge packet, but I do not know how to figure out WHICH packet
> to put them in or HOW to put them in the packet. I cannot find any USEFUL
> documentation on doing the EAP programming stuff in an IAS DLL. I also do
> not understand how my EAP messages get encrypted along with the rest, or
> how I can modify them inside a call to the RadiusExtensionProcess2
> function. Any help or examples on how to do this would be greatly
> appreciated.
>
> Thanks.
>
> Eliot Gable
> CCNA, CWNA, CWSP,
> Security+, Network+