Automatic regression and interoperability testing of wpa_supplicant's
IEEE 802.1X/EAPOL authentication

Test program:
- Linked some parts of the IEEE 802.1X Authenticator implementation from
  hostapd (RADIUS client and RADIUS processing, EAP<->RADIUS
  encapsulation/decapsulation) into wpa_supplicant.
- Replaced wpa_supplicant.c and wpa.c with test code that triggers
  IEEE 802.1X authentication automatically without the need for a
  wireless client card or AP.
- For EAP methods that generate keying material, the key derived by the
  Supplicant is verified to match the one received by the (now
  integrated) Authenticator in the RADIUS Access-Accept (MS-MPPE keys).

The full automated test suite can now be run in a couple of seconds, but
I'm more than willing to add new RADIUS authentication servers to make
this take a bit more time.. ;-) As an extra bonus, this can also be
seen as automatic regression/interoperability testing for the RADIUS
server, too.

In order for me to be able to use a new authentication server, the
server needs to be reachable from the Internet (at least from one static
IP address) and I will need to get suitable user name/password pairs,
certificates, and private keys for testing use. The other alternative
would be to get an evaluation version of the server so that I can
install it on my own test setup. If you are interested in providing
either server access or an evaluation version, please contact me
(j@w1.fi).


Test matrix

+) tested successfully
F) failed
-) server did not support
?) not tested

Cisco ACS ----------------------------------------------------------.
hostapd --------------------------------------------------------.   |
Cisco Aironet 1200 AP (local RADIUS server) ----------------.   |   |
Periodik Labs Elektron ---------------------------------.   |   |   |
Lucent NavisRadius ---------------------------------.   |   |   |   |
Interlink RAD-Series ---------------------------.   |   |   |   |   |
Radiator -----------------------------------.   |   |   |   |   |   |
Meetinghouse Aegis ---------------------.   |   |   |   |   |   |   |
Funk Steel-Belted ------------------.   |   |   |   |   |   |   |   |
Funk Odyssey -------------------.   |   |   |   |   |   |   |   |   |
Microsoft IAS --------------.   |   |   |   |   |   |   |   |   |   |
FreeRADIUS -------------.   |   |   |   |   |   |   |   |   |   |   |
                        |   |   |   |   |   |   |   |   |   |   |   |

EAP-MD5                 +   -   -   +   +   +   +   +   -   -   +   +
EAP-GTC                 +   -   -   ?   +   +   +   +   -   -   +   -
EAP-OTP                 -   -   -   -   -   +   -   -   -   -   -   -
EAP-MSCHAPv2            +   -   -   +   +   +   +   +   -   -   +   -
EAP-TLS                 +   +   +   +   +   +   +   +   -   -   +   +
EAP-PEAPv0/MSCHAPv2     +   +   +   +   +   +   +   +   +   -   +   +
EAP-PEAPv0/GTC          +   -   +   -   +   +   +   +   -   -   +   +
EAP-PEAPv0/OTP          -   -   -   -   -   +   -   -   -   -   -   -
EAP-PEAPv0/MD5          +   -   -   +   +   +   +   +   -   -   +   -
EAP-PEAPv0/TLS          +   +   -   +   +   +   F   +   -   -   +   +
EAP-PEAPv0/SIM          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/AKA          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/PSK          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/PAX          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/SAKE         -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv0/GPSK         -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/MSCHAPv2     -   -   +   +   +   +1  +   +5  +8  -   +   +
EAP-PEAPv1/GTC          -   -   +   +   +   +1  +   +5  +8  -   +   +
EAP-PEAPv1/OTP          -   -   -   -   -   +1  -   -   -   -   -   -
EAP-PEAPv1/MD5          -   -   -   +   +   +1  +   +5  -   -   +   -
EAP-PEAPv1/TLS          -   -   -   +   +   +1  F   +5  -   -   +   +
EAP-PEAPv1/SIM          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/AKA          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/PSK          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/PAX          -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/SAKE         -   -   -   -   -   -   -   -   -   -   +   -
EAP-PEAPv1/GPSK         -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/CHAP           +   -   +2  +   +   +   +   +   +   -   +   -
EAP-TTLS/MSCHAP         +   -   +   +   +   +   +   +   +   -   +   -
EAP-TTLS/MSCHAPv2       +   -   +   +   +   +   +   +   +   -   +   -
EAP-TTLS/PAP            +   -   +   +   +   +   +   +   +   -   +   -
EAP-TTLS/EAP-MD5        +   -   +2  +   +   +   +   +   +   -   +   -
EAP-TTLS/EAP-GTC        +   -   +2  ?   +   +   +   +   -   -   +   -
EAP-TTLS/EAP-OTP        -   -   -   -   -   +   -   -   -   -   -   -
EAP-TTLS/EAP-MSCHAPv2   +   -   +2  +   +   +   +   +   +   -   +   -
EAP-TTLS/EAP-TLS        +   -   +2  +   F   +   +   +   -   -   +   -
EAP-TTLS/EAP-SIM        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-AKA        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-PSK        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-PAX        -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-SAKE       -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS/EAP-GPSK       -   -   -   -   -   -   -   -   -   -   +   -
EAP-TTLS + TNC          -   -   -   -   -   +   -   -   -   -   +   -
EAP-SIM                 +   -   -   ?   -   +   -   ?   -   -   +   -
EAP-AKA                 -   -   -   -   -   +   -   -   -   -   +   -
EAP-AKA'                -   -   -   -   -   -   -   -   -   -   +   -
EAP-PSK                 +7  -   -   -   -   +   -   -   -   -   +   -
EAP-PAX                 -   -   -   -   -   +   -   -   -   -   +   -
EAP-SAKE                -   -   -   -   -   -   -   -   -   -   +   -
EAP-GPSK                -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/MSCHAPv2(prov) -   -   -   +   -   +   -   -   -   +   +   +
EAP-FAST/GTC(auth)      -   -   -   +   -   +   -   -   -   +   +   +
EAP-FAST/MSCHAPv2(aprov)-   -   -   -   -   +   -   -   -   -   +   +
EAP-FAST/GTC(aprov)     -   -   -   -   -   +   -   -   -   -   +   +
EAP-FAST/MD5(aprov)     -   -   -   -   -   +   -   -   -   -   +   -
EAP-FAST/TLS(aprov)     -   -   -   -   -   -   -   -   -   -   +   +
EAP-FAST/SIM(aprov)     -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/AKA(aprov)     -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/MSCHAPv2(auth) -   -   -   -   -   +   -   -   -   -   +   +
EAP-FAST/MD5(auth)      -   -   -   -   -   +   -   -   -   -   +   -
EAP-FAST/TLS(auth)      -   -   -   -   -   -   -   -   -   -   +   +
EAP-FAST/SIM(auth)      -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST/AKA(auth)      -   -   -   -   -   -   -   -   -   -   +   -
EAP-FAST + TNC          -   -   -   -   -   -   -   -   -   -   +   -
LEAP                    +   -   +   +   +   +   F   +6  -   +   -   +
EAP-TNC                 +9  -   -   -   -   +   -   -   -   -   +   -
EAP-IKEv2               +10 -   -   -   -   -   -   -   -   -   +   -

1) PEAPv1 required new label, "client PEAP encryption" instead of "client EAP
   encryption", during key derivation (requires phase1="peaplabel=1" in the
   network configuration in wpa_supplicant.conf)
2) used FreeRADIUS as inner auth server
5) PEAPv1 required termination of negotiation on tunneled EAP-Success and new
   label in key derivation
   (phase1="peap_outer_success=0 peaplabel=1") (in "IETF Draft 5" mode)
6) Authenticator simulator required patching for handling Access-Accept within
   negotiation (for the first EAP-Success of LEAP)
7) tested only with an older (incompatible) draft of EAP-PSK; FreeRADIUS does
   not support the current EAP-PSK (RFC) specification
8) PEAPv1 used non-standard version negotiation (client had to force v1 even
   though server reported v0 as the highest supported version)
9) only EAP-TTLS/EAP-TNC tested, i.e., test did not include proper sequence of
   client authentication followed by TNC inside the tunnel
10) worked only with special compatibility code to match the IKEv2 server
    implementation


Automated tests:

FreeRADIUS (2.0-beta/CVS snapshot)
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv0 / TLS
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS
- EAP-TTLS / CHAP
- EAP-TTLS / PAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / EAP-TNC (partial support; no authentication sequence)
- EAP-SIM
- LEAP

Microsoft Windows Server 2003 / IAS
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / TLS
- EAP-MD5
* IAS does not seem to support other EAP methods

Funk Odyssey 2.01.00.653
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP (using FreeRADIUS as inner auth srv)
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge (using FreeRADIUS as inner auth srv)
- EAP-TTLS / EAP-GTC (using FreeRADIUS as inner auth srv)
- EAP-TTLS / EAP-MSCHAPv2 (using FreeRADIUS as inner auth srv)
- EAP-TTLS / EAP-TLS (using FreeRADIUS as inner auth srv)
* not supported in Odyssey:
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-PEAP / MD5-Challenge
- EAP-PEAP / TLS

Funk Steel-Belted Radius Enterprise Edition v4.71.739
- EAP-MD5-Challenge
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / MD5
- EAP-PEAPv0 / TLS
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / MD5
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / TLS
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS

Meetinghouse Aegis 1.1.4
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / TLS
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / TLS
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / MD5-Challenge
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
* did not work
- EAP-TTLS / EAP-TLS
  (Server rejects authentication without any reason in debug log. It
  looks like the inner TLS negotiation starts properly and the last
  packet from Supplicant looks like the one sent in the Phase 1. The
  server generates a valid looking reply in the same way as in Phase
  1, but then ends up sending Access-Reject. Maybe an issue with TTLS
  fragmentation in the Aegis server(?) The packet seems to include
  1328 bytes of EAP-Message and this may go beyond the fragmentation
  limit with AVP encapsulation and TLS tunneling. Note: EAP-PEAP/TLS
  did work, so this issue seems to be with something TTLS specific.)

Radiator 3.17.1 (eval, with all patches up to and including 2007-05-25)
- EAP-MD5-Challenge
- EAP-GTC
- EAP-OTP
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / OTP
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv0 / TLS
  Note: Needed to use an unknown identity in outer auth, and sometimes the
  server seems to get confused and fails to send proper Phase 2 data.
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / OTP
- EAP-PEAPv1 / MD5-Challenge
- EAP-PEAPv1 / TLS
  Note: This has some additional requirements for EAPTLS_MaxFragmentSize.
  Using 1300 for outer auth and 500 for inner auth seemed to work.
  Note: Needed to use an unknown identity in outer auth, and sometimes the
  server seems to get confused and fails to send proper Phase 2 data.
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-OTP
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS
  Note: This has some additional requirements for EAPTLS_MaxFragmentSize.
  Using 1300 for outer auth and 500 for inner auth seemed to work.
- EAP-SIM
- EAP-AKA
- EAP-PSK
- EAP-PAX
- EAP-TNC
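
The fragmentation limits in the Aegis and Radiator notes above both come
down to the same mechanism: a TLS message larger than one EAP packet is
cut into EAP-TLS/EAP-TTLS fragments (a flags byte, a 4-byte total length
on the first piece, the M flag on every piece but the last), and inside a
TTLS tunnel each EAP-Message is additionally wrapped in an AVP header.
The Python below is an added example, not code from wpa_supplicant or from
any of the servers listed; the 1328-byte message and the 1300/500 sizes
are taken from the notes, while the function names and the choice to
treat max_frag as the size of the whole EAP-TLS data field (flags + length
+ payload) are this example's own assumptions.

```python
"""EAP-TLS/EAP-TTLS fragmentation and peer-side reassembly (added example)."""
import struct

EAP_TLS_FLAG_L = 0x80  # Length included: 4-byte total TLS message length follows
EAP_TLS_FLAG_M = 0x40  # More fragments follow
EAP_TLS_FLAG_S = 0x20  # Start (set by the server on its first message)

TTLS_AVP_HDR = 8       # AVP Code(4) + Flags(1) + Length(3), no Vendor-Id


def fragment(tls_data, max_frag):
    """Split tls_data into EAP-TLS data fields no larger than max_frag bytes.

    The first fragment carries the L flag and the total length; every
    fragment except the last carries the M flag.  An empty message is an
    EAP-TLS ACK, which is just a zero flags byte.
    """
    if max_frag <= 5:
        raise ValueError("max_frag must leave room for flags and length")
    if not tls_data:
        return [bytes([0])]
    frags, pos, total = [], 0, len(tls_data)
    while pos < total:
        first = pos == 0
        hdr_len = 5 if first else 1                  # flags (+ length on the first)
        take = min(max_frag - hdr_len, total - pos)
        flags = EAP_TLS_FLAG_M if pos + take < total else 0
        if first:
            flags |= EAP_TLS_FLAG_L
            frags.append(bytes([flags]) + struct.pack("!I", total)
                         + tls_data[pos:pos + take])
        else:
            frags.append(bytes([flags]) + tls_data[pos:pos + take])
        pos += take
    return frags


def reassemble(frags):
    """Rebuild the TLS message, rejecting the inconsistencies a peer must reject."""
    first_flags = frags[0][0]
    if first_flags & EAP_TLS_FLAG_L:
        declared = struct.unpack("!I", frags[0][1:5])[0]
        buf = bytearray(frags[0][5:])
    else:
        declared = None                              # unfragmented or ACK
        buf = bytearray(frags[0][1:])
    for prev, cur in zip(frags, frags[1:]):
        if not prev[0] & EAP_TLS_FLAG_M:
            raise ValueError("fragment follows one without the M flag")
        buf += cur[1:]
    if frags[-1][0] & EAP_TLS_FLAG_M:
        raise ValueError("last fragment still has the M flag")
    if declared is not None and len(buf) != declared:
        raise ValueError(f"declared {declared} bytes, reassembled {len(buf)}")
    return bytes(buf)


def ttls_avp_size(payload_len):
    """Bytes one TTLS AVP (RFC 5281 section 10.1) takes for payload_len bytes of data.

    The 8-byte header is followed by the data, padded to a 4-byte boundary.
    """
    return TTLS_AVP_HDR + payload_len + (-payload_len % 4)


# Constructed inner EAP-TLS message of the size the Aegis note reports (1328 bytes).
SAMPLE = bytes(i & 0xFF for i in range(1328))


def demo():
    """Fragment counts at the Radiator note's outer (1300) and inner (500) limits."""
    outer = fragment(SAMPLE, 1300)
    inner = fragment(SAMPLE, 500)
    assert reassemble(outer) == SAMPLE and reassemble(inner) == SAMPLE
    return len(outer), len(inner), ttls_avp_size(len(SAMPLE))


if __name__ == "__main__":
    print(demo())
```

With the 1328-byte message from the Aegis note, a 1300-byte outer limit
yields two fragments and a 500-byte inner limit yields three, and the AVP
wrapper adds 8 bytes before the TLS record layer adds its own overhead,
which is why an inner limit well below the outer one is needed.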

Interlink Networks RAD-Series 6.1.2.7
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / MD5-Challenge
  Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-TLS
* did not work
- EAP-PEAPv0 / TLS
- EAP-PEAPv1 / TLS
  (Failed to decrypt Phase 2 data)

Lucent NavisRadius 4.4.0
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / TLS
- EAP-PEAPv1 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / TLS
  "IETF Draft 5" mode requires phase1="peap_outer_success=0 peaplabel=1"
  'Cisco ACU 5.05' mode works without phase1 configuration
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-MSCHAPv2
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-TLS

Note: the user certificate from NavisRadius had its private key in a format
that wpa_supplicant could not use. Converting this to PKCS#12 and then
back to PEM allowed wpa_supplicant to use the key.


hostapd v0.3.3
- EAP-MD5-Challenge
- EAP-GTC
- EAP-MSCHAPv2
- EAP-TLS
- EAP-PEAPv0 / MSCHAPv2
- EAP-PEAPv0 / GTC
- EAP-PEAPv0 / MD5-Challenge
- EAP-PEAPv1 / MSCHAPv2
- EAP-PEAPv1 / GTC
- EAP-PEAPv1 / MD5-Challenge
- EAP-TTLS / CHAP
- EAP-TTLS / MSCHAP
- EAP-TTLS / MSCHAPv2
- EAP-TTLS / PAP
- EAP-TTLS / EAP-MD5-Challenge
- EAP-TTLS / EAP-GTC
- EAP-TTLS / EAP-MSCHAPv2
- EAP-SIM
- EAP-PAX

PEAPv1:

Funk Odyssey 2.01.00.653:
- uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
  keys with outer EAP-Success message after this
- uses label "client EAP encryption"
- (peap_outer_success 1 and 2 work)

Funk Steel-Belted Radius Enterprise Edition v4.71.739
- uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
  keys with outer EAP-Success message after this
- uses label "client EAP encryption"
- (peap_outer_success 1 and 2 work)

Radiator 3.9:
- uses TLV Success and Reply, sends MPPE keys with outer EAP-Success message
  after this
- uses label "client PEAP encryption"

Lucent NavisRadius 4.4.0 (in "IETF Draft 5" mode):
- sends tunneled EAP-Success with MPPE keys and expects the authentication to
  terminate at this point (gets somewhat confused with reply to this)
- uses label "client PEAP encryption"
- phase1="peap_outer_success=0 peaplabel=1"

Lucent NavisRadius 4.4.0 (in "Cisco ACU 5.05" mode):
- sends tunneled EAP-Success with MPPE keys and expects to receive TLS ACK
  as a reply
- uses label "client EAP encryption"

Meetinghouse Aegis 1.1.4
- uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
  keys with outer EAP-Success message after this
- uses label "client EAP encryption"
- peap_outer_success 1 and 2 work
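
Footnote 1 and the PEAPv1 server notes above turn on a single string: the
label fed to the TLS PRF when the 64-byte MSK is exported from the tunnel.
With the wrong label both sides finish the EAP exchange without any error,
but the key the Supplicant derives does not match the MS-MPPE keys the
Authenticator receives, which is exactly the mismatch the test program
checks for. The Python below is an added example, not wpa_supplicant's or
any server's code: it implements the TLS 1.0 PRF of RFC 2246 (the PRF in
use with the servers of this era; TLS 1.2 replaces it with P_SHA256),
derives the MSK under both labels, and runs that comparison. The master
secret and randoms are constructed values, and the peaplabel parameter
mirrors the phase1="peaplabel=1" option in name only.

```python
"""PEAP MSK derivation under the "client EAP/PEAP encryption" labels (added example)."""
import hashlib
import hmac

# The two labels real PEAP servers were observed to use (see the notes above).
LABEL_EAP = b"client EAP encryption"    # PEAPv0 and most PEAPv1 servers
LABEL_PEAP = b"client PEAP encryption"  # PEAPv1 draft label, wpa_supplicant peaplabel=1


def _p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC-expand secret over seed to length bytes."""
    out = b""
    a = seed                                             # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = _p_hash("md5", s1, label + seed, length)
    sha1_part = _p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def peap_msk(master_secret, client_random, server_random, peaplabel=0):
    """64-byte MSK as a PEAP peer exports it from the TLS session.

    The seed is client.random || server.random (EAP export order, not the TLS
    key-block order); peaplabel selects the label, like phase1="peaplabel=1".
    """
    label = LABEL_PEAP if peaplabel else LABEL_EAP
    return tls10_prf(master_secret, label, client_random + server_random, 64)


def keys_match(supplicant_msk, authenticator_msk):
    """The test program's check: the peer's MSK against the one RADIUS handed the Authenticator."""
    return hmac.compare_digest(supplicant_msk, authenticator_msk)


# Constructed TLS session values; not taken from any real exchange.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def demo():
    """Server derives with the draft label: peaplabel=0 mismatches, peaplabel=1 matches."""
    server_msk = peap_msk(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, peaplabel=1)
    wrong = keys_match(peap_msk(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, 0), server_msk)
    right = keys_match(peap_msk(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, 1), server_msk)
    return wrong, right


if __name__ == "__main__":
    print(demo())
```

The failure mode this reproduces is silent at the EAP layer: the server
sends EAP-Success and MS-MPPE keys, the peer reports success, and only the
key comparison (or, on a real link, the 4-way handshake) reveals that the
two sides derived different keys.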