Question about PEAP-MSCHAPV2 on RADIUS.

After MSCHAPv2 success, keys are extracted from the TLS context. Then they are sent to the AP.

The client failed to connect to WiFi (or EAPOL, etc.) with my handmade RADIUS Access-Accept.

Can you explain the full key negotiation?

RADIUS source code implementations are based on state machines, so the code is difficult to understand.

eri
  • I can't quite understand what you are asking, but the way MSCHAPv2 generates session keys is well defined in [section 3 of RFC 3079](https://tools.ietf.org/html/rfc3079#section-3). Is that what you are looking for? – YLearn Feb 18 '20 at 06:43
  • No, section 4! I tried to implement 3079 section 4.3, but the supplicant did not accept my keys because of `decision=DECISION_FAIL` one step before Access-Accept. Now it works. – eri Feb 18 '20 at 09:30

1 Answer

I found the missed step. After the Success-Response (from the client) in phase 2, I need to write an empty message, i.e. a TLS-ASK packet is needed before the phase 1 Success (from the server).

Now it works with Linux and Android (wpa_supplicant). It does not work with iOS...

eri
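
The key export discussed in this thread (RFC 3079 section 4), as an added example that is not part of the original posts: the TLS PRF with the label "client EAP encryption" yields 64 bytes that are split into MS-MPPE-Recv-Key and MS-MPPE-Send-Key. It goes one step further and applies the RFC 2548 salt encryption those attributes need inside an Access-Accept. It assumes a TLS 1.2 session with a SHA-256 PRF cipher suite; the master secret, randoms, shared secret and authenticator are constructed sample values.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash with HMAC-SHA256 (RFC 5246 section 5); assumed PRF."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def peap_mppe_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """Return (MS-MPPE-Recv-Key, MS-MPPE-Send-Key) as the server sends them."""
    seed = b"client EAP encryption" + client_random + server_random
    msk = p_sha256(master_secret, seed, 64)
    return msk[:32], msk[32:]

def mppe_encrypt(key: bytes, shared_secret: bytes, request_auth: bytes, salt=None) -> bytes:
    """RFC 2548 section 2.4.2: salt + MD5-chained XOR of (len || key || pad)."""
    salt = salt or bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)  # high bit must be set
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", request_auth + salt
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(plain[i:i + 16], pad))
        out += prev
    return salt + out

def mppe_decrypt(value: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of mppe_encrypt, i.e. what the AP does with the attribute value."""
    salt, cipher = value[:2], value[2:]
    plain, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return plain[1:1 + plain[0]]

if __name__ == "__main__":
    # Constructed sample values, not taken from a real session.
    recv, send = peap_mppe_keys(b"\x01" * 48, b"\x02" * 32, b"\x03" * 32)
    attr = mppe_encrypt(recv, b"testing123", b"\x04" * 16)
    print(recv.hex(), send.hex(), attr.hex(), sep="\n")
```

The request authenticator passed to `mppe_encrypt` is the one from the Access-Request that the Access-Accept answers.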