<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>RE: RADIUS + EAP AVP Structure</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>Thanks for the reply.<BR>
<BR>
I'll try the packet capture suggestions.<BR>
<BR>
The MSDN site information I have gone over probably 15 times now. There just isn't anything useful in there. I did go to the RFC specified in the documentation and looked up the format of the packets. That is what I posted in my first post. But it still does not seem to work. So, I must be doing something wrong.<BR>
<BR>
Unfortunately, my company only employs about 11 people. I am the most knowledgeable about all this stuff and usually I'm the one everyone comes to for answers. But you say that Microsoft has a development support option available? Would that be standard (as in free) through our MSDN subscription?<BR>
<BR>
Eliot Gable<BR>
Certified Wireless Network Administrator<BR>
Cisco Certified Network Associate<BR>
CompTIA Security+ Certified<BR>
CompTIA Network+ Certified<BR>
Network and Systems Administrator<BR>
Great Lakes Internet, Inc.<BR>
112 North Howard<BR>
Croswell, MI 48422<BR>
810-679-3395<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Bryan Kadzban [<A HREF="mailto:bryan@kadzban.is-a-geek.net">mailto:bryan@kadzban.is-a-geek.net</A>]<BR>
Sent: Tue 11/29/2005 9:25 PM<BR>
To: Eliot, Wireless and Server Administrator, Great Lakes Internet<BR>
Cc: hostap@shmoo.com<BR>
Subject: Re: RADIUS + EAP AVP Structure<BR>
<BR>
Eliot wrote:<BR>
> When an EAP attribute (79) is specified in a RADIUS Access-Challenge,<BR>
> what is the structure of the value?<BR>
<BR>
Take a look at a network capture (either Ethereal or MS Network Monitor)<BR>
-- that might give some useful information.<BR>
<BR>
In particular, you should note that EAP data sent by the supplicant gets<BR>
repackaged into RADIUS attributes by the AP. And since the length of a<BR>
RADIUS attribute is given (in the packet at least) by a single byte, the<BR>
maximum length is 255 -- so if the EAP data is longer than 255 bytes,<BR>
it'll take up more than one RADIUS attribute.<BR>
<BR>
I'm not sure how each attribute's data is represented, although I would<BR>
guess that Ethereal's RADIUS dissector knows. Perhaps it even knows<BR>
well enough to give you the original EAPOL frame.<BR>
<BR>
> Also, if I test the RADIUS attributes, there are two types that<BR>
> interest me. One type is what FreeRADIUS terms "EAP-Message" and that<BR>
> is type ID 79.<BR>
<BR>
IIRC, that's the one that contains each piece of the EAP data. Many of<BR>
these can exist in a single RADIUS request (up to the maximum size of a<BR>
RADIUS packet, minus any other attributes that have been included).<BR>
Microsoft's IAS extension API doesn't have a name for that one, but it's<BR>
the one you should be looking for if you're doing EAP from wireless clients.<BR>
<BR>
> The other type is what Microsoft calls ratEAPTLV, which I'm not<BR>
> certain what the number is for that one.<BR>
<BR>
According to:<BR>
<BR>
<A HREF="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ias/ias/radius_attribute_type.asp">http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ias/ias/radius_attribute_type.asp</A><BR>
<BR>
the number is 272. It also says "see the IETF draft for EAP-TLV"<BR>
(and gives a 404 link), which I would presume contains part of the EAP<BR>
packet's format. Although I don't know why it doesn't use 79... maybe<BR>
because it's nonstandard? Many of the other 2xx attributes on that page<BR>
seem to be extension attributes; maybe this one is similar.<BR>
<BR>
Maybe you should see if there's anything else helpful in that IAS<BR>
extension DLL reference section of MSDN. Failing that, see if perhaps<BR>
your company has a contact with Microsoft who might know who to ask<BR>
about stuff like this (like my company did with cert services, when we<BR>
had questions about autoenrollment) -- or possibly use a development<BR>
support call.<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>