RADIUS + EAP AVP Structure

Eliot, Wireless and Server Administrator, Great Lakes Internet support8 at greatlakes.net
Wed Nov 30 12:03:33 EST 2005

Thanks for the reply.

I'll try the packet capture suggestions.

The MSDN site information I have gone over probably 15 times now. There just isn't anything useful in there. I did go to the RFC specified in the documentation and looked up the format of the packets. That is what I posted in my first post. But it still does not seem to work. So, I must be doing something wrong. 

Unfortunately, my company only employs about 11 people. I am the most knowledgeable about all this stuff and usually I'm the one everyone comes to for answers. But you say that Microsoft has a development support option available? Would that be standard (as in free) through our MSDN subscription? 

Eliot Gable
Certified Wireless Network Administrator
Cisco Certified Network Associate
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and Systems Administrator
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422

-----Original Message-----
From: Bryan Kadzban [mailto:bryan at kadzban.is-a-geek.net]
Sent: Tue 11/29/2005 9:25 PM
To: Eliot, Wireless and Server Administrator, Great Lakes Internet
Cc: hostap at shmoo.com
Subject: Re: RADIUS + EAP AVP Structure
Eliot wrote:
> When an EAP attribute (79) is specified in a RADIUS Access-Challenge,
> what is the structure of the value?

Take a look at a network capture (either Ethereal or MS Network Monitor)
-- that might give some useful information.

In particular, you should note that EAP data sent by the supplicant gets
repackaged into RADIUS attributes by the AP.  And since the length of a
RADIUS attribute is given (in the packet at least) by a single byte, the
maximum length is 255 -- so if the EAP data is longer than 255 bytes,
it'll take up more than one RADIUS attribute.

I'm not sure how each attribute's data is represented, although I would
guess that Ethereal's RADIUS dissector knows.  Perhaps it even knows
well enough to give you the original EAPOL frame.

> Also, if I test the RADIUS attributes, there are two types that 
> interest me. One type is what FreeRADIUS terms "EAP-Message" and that
> is type ID 79.

IIRC, that's the one that contains each piece of the EAP data.  Many of
these can exist in a single RADIUS request (up to the maximum size of a
RADIUS packet, minus any other attributes that have been included).
Microsoft's IAS extension API doesn't have a name for that one, but it's
the one you should be looking for if you're doing EAP from wireless clients.

> The other type is what Microsoft calls ratEAPTLV, which I'm not 
> certain what the number is for that one.

According to:


the number is 272.  It also says "see the IETF draft for EAP-TLV"
(and gives a 404 link), which I would presume contains part of the EAP
packet's format.  Although I don't know why it doesn't use 79...  maybe
because it's nonstandard?  Many of the other 2xx attributes on that page
seem to be extension attributes; maybe this one is similar.

Maybe you should see if there's anything else helpful in that IAS
extension DLL reference section of MSDN.  Failing that, see if perhaps
your company has a contact with Microsoft who might know who to ask
about stuff like this (like my company did with cert services, when we
had questions about autoenrollment) -- or possibly use a development
support call.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20051130/4b2804d3/attachment.htm 

More information about the HostAP mailing list