| blob | 8d132223f6a042a574c90a62be7433cea5fbd54d |
1 Automatic regression and interoperability testing of wpa_supplicant's
2 IEEE 802.1X/EAPOL authentication
4 Test program:
5 - Linked some parts of IEEE 802.1X Authenticator implementation from
6 hostapd (RADIUS client and RADIUS processing, EAP<->RADIUS
7 encapsulation/decapsulation) into wpa_supplicant.
8 - Replaced wpa_supplicant.c and wpa.c with test code that trigger
9 IEEE 802.1X authentication automatically without need for wireless
10 client card or AP.
11 - For EAP methods that generate keying material, the key derived by the
12 Supplicant is verified to match with the one received by the (now
13 integrated) Authenticator.
15 The full automated test suite can now be run in couple of seconds, but
16 I'm more than willing to add new RADIUS authentication servers to make
17 this take a bit more time.. ;-) As an extra bonus, this can also be
18 seen as automatic regression/interoperability testing for the RADIUS
19 server, too.
21 In order for me to be able to use a new authentication server, the
22 server need to be available from Internet (at least from one static IP
23 address) and I will need to get suitable user name/password pairs,
24 certificates, and private keys for testing use. Other alternative
25 would be to get an evaluation version of the server so that I can
26 install it on my own test setup. If you are interested in providing
27 either server access or evaluation version, please contact me
28 (j@w1.fi).
31 Test matrix
33 +) tested successfully
34 F) failed
35 -) server did not support
36 ?) not tested
38 Cisco ACS ----------------------------------------------------------.
39 hostapd --------------------------------------------------------. |
40 Cisco Aironet 1200 AP (local RADIUS server) ----------------. | |
41 Periodik Labs Elektron ---------------------------------. | | |
42 Lucent NavisRadius ---------------------------------. | | | |
43 Interlink RAD-Series ---------------------------. | | | | |
44 Radiator -----------------------------------. | | | | | |
45 Meetinghouse Aegis ---------------------. | | | | | | |
46 Funk Steel-Belted ------------------. | | | | | | | |
47 Funk Odyssey -------------------. | | | | | | | | |
48 Microsoft IAS --------------. | | | | | | | | | |
49 FreeRADIUS -------------. | | | | | | | | | | |
50 | | | | | | | | | | | |
52 EAP-MD5 + - - + + + + + - - + +
53 EAP-GTC + - - ? + + + + - - + -
54 EAP-OTP - - - - - + - - - - - -
55 EAP-MSCHAPv2 + - - + + + + + - - + -
56 EAP-TLS + + + + + + + + - - + +
57 EAP-PEAPv0/MSCHAPv2 + + + + + + + + + - + +
58 EAP-PEAPv0/GTC + - + - + + + + - - + +
59 EAP-PEAPv0/OTP - - - - - + - - - - - -
60 EAP-PEAPv0/MD5 + - - + + + + + - - + -
61 EAP-PEAPv0/TLS + + - + + + F + - - + +
62 EAP-PEAPv0/SIM - - - - - - - - - - + -
63 EAP-PEAPv0/AKA - - - - - - - - - - + -
64 EAP-PEAPv0/PSK - - - - - - - - - - + -
65 EAP-PEAPv0/PAX - - - - - - - - - - + -
66 EAP-PEAPv0/SAKE - - - - - - - - - - + -
67 EAP-PEAPv0/GPSK - - - - - - - - - - + -
68 EAP-PEAPv1/MSCHAPv2 - - + + + +1 + +5 +8 - + +
69 EAP-PEAPv1/GTC - - + + + +1 + +5 +8 - + +
70 EAP-PEAPv1/OTP - - - - - +1 - - - - - -
71 EAP-PEAPv1/MD5 - - - + + +1 + +5 - - + -
72 EAP-PEAPv1/TLS - - - + + +1 F +5 - - + +
73 EAP-PEAPv1/SIM - - - - - - - - - - + -
74 EAP-PEAPv1/AKA - - - - - - - - - - + -
75 EAP-PEAPv1/PSK - - - - - - - - - - + -
76 EAP-PEAPv1/PAX - - - - - - - - - - + -
77 EAP-PEAPv1/SAKE - - - - - - - - - - + -
78 EAP-PEAPv1/GPSK - - - - - - - - - - + -
79 EAP-TTLS/CHAP + - +2 + + + + + + - + -
80 EAP-TTLS/MSCHAP + - + + + + + + + - + -
81 EAP-TTLS/MSCHAPv2 + - + + + + + + + - + -
82 EAP-TTLS/PAP + - + + + + + + + - + -
83 EAP-TTLS/EAP-MD5 + - +2 + + + + + + - + -
84 EAP-TTLS/EAP-GTC + - +2 ? + + + + - - + -
85 EAP-TTLS/EAP-OTP - - - - - + - - - - - -
86 EAP-TTLS/EAP-MSCHAPv2 + - +2 + + + + + + - + -
87 EAP-TTLS/EAP-TLS + - +2 + F + + + - - + -
88 EAP-TTLS/EAP-SIM - - - - - - - - - - + -
89 EAP-TTLS/EAP-AKA - - - - - - - - - - + -
90 EAP-TTLS/EAP-PSK - - - - - - - - - - + -
91 EAP-TTLS/EAP-PAX - - - - - - - - - - + -
92 EAP-TTLS/EAP-SAKE - - - - - - - - - - + -
93 EAP-TTLS/EAP-GPSK - - - - - - - - - - + -
94 EAP-TTLS + TNC - - - - - + - - - - + -
95 EAP-SIM + - - ? - + - ? - - + -
96 EAP-AKA - - - - - + - - - - + -
97 EAP-AKA' - - - - - - - - - - + -
98 EAP-PSK +7 - - - - + - - - - + -
99 EAP-PAX - - - - - + - - - - + -
100 EAP-SAKE - - - - - - - - - - + -
101 EAP-GPSK - - - - - - - - - - + -
102 EAP-FAST/MSCHAPv2(prov) - - - + - + - - - + + +
103 EAP-FAST/GTC(auth) - - - + - + - - - + + +
104 EAP-FAST/MSCHAPv2(aprov)- - - - - + - - - - + +
105 EAP-FAST/GTC(aprov) - - - - - + - - - - + +
106 EAP-FAST/MD5(aprov) - - - - - + - - - - + -
107 EAP-FAST/TLS(aprov) - - - - - - - - - - + +
108 EAP-FAST/SIM(aprov) - - - - - - - - - - + -
109 EAP-FAST/AKA(aprov) - - - - - - - - - - + -
110 EAP-FAST/MSCHAPv2(auth) - - - - - + - - - - + +
111 EAP-FAST/MD5(auth) - - - - - + - - - - + -
112 EAP-FAST/TLS(auth) - - - - - - - - - - + +
113 EAP-FAST/SIM(auth) - - - - - - - - - - + -
114 EAP-FAST/AKA(auth) - - - - - - - - - - + -
115 EAP-FAST + TNC - - - - - - - - - - + -
116 LEAP + - + + + + F +6 - + - +
117 EAP-TNC +9 - - - - + - - - - + -
118 EAP-IKEv2 +10 - - - - - - - - - + -
120 1) PEAPv1 required new label, "client PEAP encryption" instead of "client EAP
121 encryption", during key derivation (requires phase1="peaplabel=1" in the
122 network configuration in wpa_supplicant.conf)
123 2) used FreeRADIUS as inner auth server
124 5) PEAPv1 required termination of negotiation on tunneled EAP-Success and new
125 label in key deriviation
126 (phase1="peap_outer_success=0 peaplabel=1") (in "IETF Draft 5" mode)
127 6) Authenticator simulator required patching for handling Access-Accept within
128 negotiation (for the first EAP-Success of LEAP)
129 7) tested only with an older (incompatible) draft of EAP-PSK; FreeRADIUS does
130 not support the current EAP-PSK (RFC) specification
131 8) PEAPv1 used non-standard version negotiation (client had to force v1 even
132 though server reported v0 as the highest supported version)
133 9) only EAP-TTLS/EAP-TNC tested, i.e., test did not include proper sequence of
134 client authentication followed by TNC inside the tunnel
135 10) worked only with special compatibility code to match the IKEv2 server
136 implementation
139 Automated tests:
141 FreeRADIUS (2.0-beta/CVS snapshot)
142 - EAP-MD5-Challenge
143 - EAP-GTC
144 - EAP-MSCHAPv2
145 - EAP-TLS
146 - EAP-PEAPv0 / MSCHAPv2
147 - EAP-PEAPv0 / GTC
148 - EAP-PEAPv0 / MD5-Challenge
149 - EAP-PEAPv0 / TLS
150 - EAP-TTLS / EAP-MD5-Challenge
151 - EAP-TTLS / EAP-GTC
152 - EAP-TTLS / EAP-MSCHAPv2
153 - EAP-TTLS / EAP-TLS
154 - EAP-TTLS / CHAP
155 - EAP-TTLS / PAP
156 - EAP-TTLS / MSCHAP
157 - EAP-TTLS / MSCHAPv2
158 - EAP-TTLS / EAP-TNC (partial support; no authentication sequence)
159 - EAP-SIM
160 - LEAP
162 Microsoft Windows Server 2003 / IAS
163 - EAP-TLS
164 - EAP-PEAPv0 / MSCHAPv2
165 - EAP-PEAPv0 / TLS
166 - EAP-MD5
167 * IAS does not seem to support other EAP methods
169 Funk Odyssey 2.01.00.653
170 - EAP-TLS
171 - EAP-PEAPv0 / MSCHAPv2
172 - EAP-PEAPv0 / GTC
173 - EAP-PEAPv1 / MSCHAPv2
174 - EAP-PEAPv1 / GTC
175 Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
176 - EAP-TTLS / CHAP (using FreeRADIUS as inner auth srv)
177 - EAP-TTLS / MSCHAP
178 - EAP-TTLS / MSCHAPv2
179 - EAP-TTLS / PAP
180 - EAP-TTLS / EAP-MD5-Challenge (using FreeRADIUS as inner auth srv)
181 - EAP-TTLS / EAP-GTC (using FreeRADIUS as inner auth srv)
182 - EAP-TTLS / EAP-MSCHAPv2 (using FreeRADIUS as inner auth srv)
183 - EAP-TTLS / EAP-TLS (using FreeRADIUS as inner auth srv)
184 * not supported in Odyssey:
185 - EAP-MD5-Challenge
186 - EAP-GTC
187 - EAP-MSCHAPv2
188 - EAP-PEAP / MD5-Challenge
189 - EAP-PEAP / TLS
191 Funk Steel-Belted Radius Enterprise Edition v4.71.739
192 - EAP-MD5-Challenge
193 - EAP-MSCHAPv2
194 - EAP-TLS
195 - EAP-PEAPv0 / MSCHAPv2
196 - EAP-PEAPv0 / MD5
197 - EAP-PEAPv0 / TLS
198 - EAP-PEAPv1 / MSCHAPv2
199 - EAP-PEAPv1 / MD5
200 - EAP-PEAPv1 / GTC
201 - EAP-PEAPv1 / TLS
202 Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
203 - EAP-TTLS / CHAP
204 - EAP-TTLS / MSCHAP
205 - EAP-TTLS / MSCHAPv2
206 - EAP-TTLS / PAP
207 - EAP-TTLS / EAP-MD5-Challenge
208 - EAP-TTLS / EAP-MSCHAPv2
209 - EAP-TTLS / EAP-TLS
211 Meetinghouse Aegis 1.1.4
212 - EAP-MD5-Challenge
213 - EAP-GTC
214 - EAP-MSCHAPv2
215 - EAP-TLS
216 - EAP-PEAPv0 / MSCHAPv2
217 - EAP-PEAPv0 / TLS
218 - EAP-PEAPv0 / GTC
219 - EAP-PEAPv0 / MD5-Challenge
220 - EAP-PEAPv1 / MSCHAPv2
221 - EAP-PEAPv1 / TLS
222 - EAP-PEAPv1 / GTC
223 - EAP-PEAPv1 / MD5-Challenge
224 Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
225 - EAP-TTLS / CHAP
226 - EAP-TTLS / MSCHAP
227 - EAP-TTLS / MSCHAPv2
228 - EAP-TTLS / PAP
229 - EAP-TTLS / EAP-MD5-Challenge
230 - EAP-TTLS / EAP-GTC
231 - EAP-TTLS / EAP-MSCHAPv2
232 * did not work
233 - EAP-TTLS / EAP-TLS
234 (Server rejects authentication without any reason in debug log. It
235 looks like the inner TLS negotiation starts properly and the last
236 packet from Supplicant looks like the one sent in the Phase 1. The
237 server generates a valid looking reply in the same way as in Phase
238 1, but then ends up sending Access-Reject. Maybe an issue with TTLS
239 fragmentation in the Aegis server(?) The packet seems to include
240 1328 bytes of EAP-Message and this may go beyond the fragmentation
241 limit with AVP encapsulation and TLS tunneling. Note: EAP-PEAP/TLS
242 did work, so this issue seems to be with something TTLS specific.)
244 Radiator 3.17.1 (eval, with all patches up to and including 2007-05-25)
245 - EAP-MD5-Challenge
246 - EAP-GTC
247 - EAP-OTP
248 - EAP-MSCHAPv2
249 - EAP-TLS
250 - EAP-PEAPv0 / MSCHAPv2
251 - EAP-PEAPv0 / GTC
252 - EAP-PEAPv0 / OTP
253 - EAP-PEAPv0 / MD5-Challenge
254 - EAP-PEAPv0 / TLS
255 Note: Needed to use unknown identity in outer auth and some times the server
256 seems to get confused and fails to send proper Phase 2 data.
257 - EAP-PEAPv1 / MSCHAPv2
258 - EAP-PEAPv1 / GTC
259 - EAP-PEAPv1 / OTP
260 - EAP-PEAPv1 / MD5-Challenge
261 - EAP-PEAPv1 / TLS
262 Note: This has some additional requirements for EAPTLS_MaxFragmentSize.
263 Using 1300 for outer auth and 500 for inner auth seemed to work.
264 Note: Needed to use unknown identity in outer auth and some times the server
265 seems to get confused and fails to send proper Phase 2 data.
266 - EAP-TTLS / CHAP
267 - EAP-TTLS / MSCHAP
268 - EAP-TTLS / MSCHAPv2
269 - EAP-TTLS / PAP
270 - EAP-TTLS / EAP-MD5-Challenge
271 - EAP-TTLS / EAP-GTC
272 - EAP-TTLS / EAP-OTP
273 - EAP-TTLS / EAP-MSCHAPv2
274 - EAP-TTLS / EAP-TLS
275 Note: This has some additional requirements for EAPTLS_MaxFragmentSize.
276 Using 1300 for outer auth and 500 for inner auth seemed to work.
277 - EAP-SIM
278 - EAP-AKA
279 - EAP-PSK
280 - EAP-PAX
281 - EAP-TNC
283 Interlink Networks RAD-Series 6.1.2.7
284 - EAP-MD5-Challenge
285 - EAP-GTC
286 - EAP-MSCHAPv2
287 - EAP-TLS
288 - EAP-PEAPv0 / MSCHAPv2
289 - EAP-PEAPv0 / GTC
290 - EAP-PEAPv0 / MD5-Challenge
291 - EAP-PEAPv1 / MSCHAPv2
292 - EAP-PEAPv1 / GTC
293 - EAP-PEAPv1 / MD5-Challenge
294 Note: PEAPv1 requires TLS key derivation to use label "client EAP encryption"
295 - EAP-TTLS / CHAP
296 - EAP-TTLS / MSCHAP
297 - EAP-TTLS / MSCHAPv2
298 - EAP-TTLS / PAP
299 - EAP-TTLS / EAP-MD5-Challenge
300 - EAP-TTLS / EAP-GTC
301 - EAP-TTLS / EAP-MSCHAPv2
302 - EAP-TTLS / EAP-TLS
303 * did not work
304 - EAP-PEAPv0 / TLS
305 - EAP-PEAPv1 / TLS
306 (Failed to decrypt Phase 2 data)
308 Lucent NavisRadius 4.4.0
309 - EAP-MD5-Challenge
310 - EAP-GTC
311 - EAP-MSCHAPv2
312 - EAP-TLS
313 - EAP-PEAPv0 / MD5-Challenge
314 - EAP-PEAPv0 / MSCHAPv2
315 - EAP-PEAPv0 / GTC
316 - EAP-PEAPv0 / TLS
317 - EAP-PEAPv1 / MD5-Challenge
318 - EAP-PEAPv1 / MSCHAPv2
319 - EAP-PEAPv1 / GTC
320 - EAP-PEAPv1 / TLS
321 "IETF Draft 5" mode requires phase1="peap_outer_success=0 peaplabel=1"
322 'Cisco ACU 5.05' mode works without phase1 configuration
323 - EAP-TTLS / CHAP
324 - EAP-TTLS / MSCHAP
325 - EAP-TTLS / MSCHAPv2
326 - EAP-TTLS / PAP
327 - EAP-TTLS / EAP-MD5-Challenge
328 - EAP-TTLS / EAP-MSCHAPv2
329 - EAP-TTLS / EAP-GTC
330 - EAP-TTLS / EAP-TLS
332 Note: user certificate from NavisRadius had private key in a format
333 that wpa_supplicant could not use. Converting this to PKCS#12 and then
334 back to PEM allowed wpa_supplicant to use the key.
337 hostapd v0.3.3
338 - EAP-MD5-Challenge
339 - EAP-GTC
340 - EAP-MSCHAPv2
341 - EAP-TLS
342 - EAP-PEAPv0 / MSCHAPv2
343 - EAP-PEAPv0 / GTC
344 - EAP-PEAPv0 / MD5-Challenge
345 - EAP-PEAPv1 / MSCHAPv2
346 - EAP-PEAPv1 / GTC
347 - EAP-PEAPv1 / MD5-Challenge
348 - EAP-TTLS / CHAP
349 - EAP-TTLS / MSCHAP
350 - EAP-TTLS / MSCHAPv2
351 - EAP-TTLS / PAP
352 - EAP-TTLS / EAP-MD5-Challenge
353 - EAP-TTLS / EAP-GTC
354 - EAP-TTLS / EAP-MSCHAPv2
355 - EAP-SIM
356 - EAP-PAX
358 PEAPv1:
360 Funk Odyssey 2.01.00.653:
361 - uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
362 keys with outer EAP-Success message after this
363 - uses label "client EAP encryption"
364 - (peap_outer_success 1 and 2 work)
366 Funk Steel-Belted Radius Enterprise Edition v4.71.739
367 - uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
368 keys with outer EAP-Success message after this
369 - uses label "client EAP encryption"
370 - (peap_outer_success 1 and 2 work)
372 Radiator 3.9:
373 - uses TLV Success and Reply, sends MPPE keys with outer EAP-Success message
374 after this
375 - uses label "client PEAP encryption"
377 Lucent NavisRadius 4.4.0 (in "IETF Draft 5" mode):
378 - sends tunneled EAP-Success with MPPE keys and expects the authentication to
379 terminate at this point (gets somewhat confused with reply to this)
380 - uses label "client PEAP encryption"
381 - phase1="peap_outer_success=0 peaplabel=1"
383 Lucent NavisRadius 4.4.0 (in "Cisco ACU 5.05" mode):
384 - sends tunneled EAP-Success with MPPE keys and expects to receive TLS ACK
385 as a reply
386 - uses label "client EAP encryption"
388 Meetinghouse Aegis 1.1.4
389 - uses tunneled EAP-Success, expects reply in tunnel or TLS ACK, sends MPPE
390 keys with outer EAP-Success message after this
391 - uses label "client EAP encryption"
392 - peap_outer_success 1 and 2 work