2

From my understanding, after the Access-Request, the authentication server (RADIUS) sends a reply (encapsulated in the Access-Challenge packet) to the authenticator (AP).

The Access-Challenge packet contains an EAP Request in which the EAP method that the supplicant should use is specified.

The supplicant can then acknowledge that EAP method, or NAK it and reply with another EAP method that can be used.


My questions are:

1) In the EAP Request are both the EAP method and inner authentication specified?

2) Is it possible for the administrator of the RADIUS server to specify a default EAP method and inner authentication, such that the EAP Request would always contain the chosen method?

3) Is it possible, by using Scapy, to edit the EAP Request and specify another EAP method and inner authentication?

Mike Ounsworth
loopOfNegligence

1 Answer

0
  1. No and yes; the nature of the inner request is that it's within a tunnel. A great example is here: https://mrncciew.com/2013/03/03/eap-overview/ It looks like the tunneled method is specified in the last request outside the tunnel.
  2. Depending on the RADIUS server, this is totally possible. One way to force this would be limiting the available auth types to only the ones you want.
  3. Yes, absolutely. Scapy is the packet Swiss Army knife. It looks like someone else has already done some of that work: https://github.com/rpp0/scapy-fakeap
Ori
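An added example, not part of the original question or answer: a small Python parser for the EAP header (RFC 3748) showing that a Request carries only the outer method in its one-byte Type field, that a Nak lists the supplicant's alternatives, and how a capture can be checked against the allowlist of methods configured on the RADIUS server. The sample packets and the names `parse_eap`, `audit` and `SAMPLE` are constructed for illustration.

```python
import struct

# EAP codes and a few method types (RFC 3748 and the IANA EAP registry)
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
         21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}

def parse_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("Length field does not fit the captured bytes")
    out = {"code": CODES.get(code, code), "id": ident, "type": None, "nak": []}
    if code in (1, 2) and length >= 5:      # only Request/Response carry a Type
        out["type"] = pkt[4]                # outer method only; the inner method
        if code == 2 and pkt[4] == 3:       # travels inside the tunnel, unseen here
            out["nak"] = list(pkt[5:length])  # Nak: one byte per desired method
    return out

def audit(packets, allowed):
    """Report auth methods offered or requested that are not in `allowed`."""
    name = lambda t: TYPES.get(t, f"type {t}")
    findings = []
    for raw in packets:
        p = parse_eap(raw)
        t = p["type"]
        # Types 1-3 (Identity, Notification, Nak) are not authentication methods
        if p["code"] == "Request" and t is not None and t >= 4 and t not in allowed:
            findings.append(f"id {p['id']}: server offered {name(t)}")
        for want in p["nak"]:
            if want and want not in allowed:  # 0 means "no alternative"
                findings.append(f"id {p['id']}: supplicant asked for {name(want)}")
    return findings

# Constructed sample exchange (EAP payloads only, RADIUS/EAPOL framing removed)
SAMPLE = [
    b"\x01\x01\x00\x05\x01",                  # Request, Identity
    b"\x02\x01\x00\x08\x01bob",               # Response, Identity "bob"
    b"\x01\x02\x00\x06\x19\x20",              # Request, PEAP (start flag)
    b"\x02\x02\x00\x07\x03\x15\x04",          # Response, Nak: EAP-TTLS, MD5
    b"\x01\x03\x00\x16\x04\x10" + bytes(16),  # Request, MD5-Challenge
]

if __name__ == "__main__":
    for line in audit(SAMPLE, allowed={25}):  # policy: PEAP only
        print(line)
```

With a PEAP-only policy, the constructed capture yields findings for the Nak and for the MD5-Challenge request that follows it, which is the pattern to look for when a server or an on-path device moves a client to a weaker method.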