This is part 2 of my blog series on rapid prototyping without any real networking equipment. In part 1 I covered PAP and CHAP authentication.
Let's get more creative and look at testing some EAP methods. The most common method found in enterprises is probably EAP-PEAP with MS-CHAPv2 inner authentication. Typical real-world use cases include Windows/OSX/Android supplicants where the credentials are looked up in Active Directory or ISE itself (not that it matters).
There is a great test tool from the folks who brought us wpa_supplicant (a suite of tools to test EAP methods, and simulate a supplicant and/or wireless access points). You can do amazing things with wpa_supplicant when combined with a real wireless access point. But what if you just want to simulate the EAP authentication without all the nuts and bolts of a wireless infrastructure? Let's face it, our AAA server ultimately processes RADIUS packets, which are the result of the interactions between the supplicant and the NAD (authenticator). We can generate those RADIUS packets and enter into the somewhat complex EAP conversations.
Hello 'eapol_test'!
It can be found in the wpa_supplicant package in most Linux distros. In the CentOS 7 distribution it can be installed as follows:
yum install wpa_supplicant
EAP-PEAP example
There is a command line component as well as a configuration file. The configuration file (let's call it mschap.conf) should contain the following text. Edit it appropriately; the only things you should need to change are the identity (MSCHAP username) and the password. The ca_cert line is a nice to have: when present it is used during the TLS setup to validate the ISE server certificate, and when it is commented out the server certificate is not verified at all. In my case I have stored the ISE certificate (for the EAP role) in DER format.
network={
    ssid="example"
    key_mgmt=WPA-EAP
    eap=PEAP
    # Inner (tunnelled) MS-CHAPv2 username and password
    identity="bob"
    # Outer identity sent in the clear before the TLS tunnel is up
    anonymous_identity="anonymous"
    password="AbCd123"
    # PEAP selects the inner method with auth=; autheap= is the EAP-TTLS form
    phase2="auth=MSCHAPV2"
    # Line below performs server certificate validation.
    # It is optional - just comment it out if you have no certificate
    ca_cert="/home/abier/Downloads/MegaRootCert.cer"
}
Now you can execute a PEAP authentication as follows:
eapol_test -c mschap.conf -s RadiusS3cret -a 192.168.21.101 -M '00:00:00:00:00:10' -N '6:d:2'
My ISE PSN is 192.168.21.101
I am pretending to be a Wi-Fi client with MAC address (Calling-Station-Id) of 00:00:00:00:00:10
The -N '6:d:2' is a handy option to add additional RADIUS attributes to the request. The format is attribute number, syntax, value. I wanted Service-Type = Framed (see RFC2865 section 5.6), where 6 is the RADIUS attribute number that specifies 'Service-Type', d says the value is an integer, and 2 is the decimal constant that defines 'Framed'.
The output of the command is really verbose and in my opinion, not that useful. But I generally look out for the last few lines of the output.
MPPE keys OK: 1 mismatch: 0
SUCCESS
ISE and eapol_test enter into the wonderful (and somewhat daunting) EAP exchange and the result is true to the real world.
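The check on the last few lines described above can be scripted so that a policy test fails loudly instead of relying on someone reading the output. This is an added example, not part of the original post: the function names check_eapol_output and run_peap_test are hypothetical, and the sample outputs are constructed.

```sh
#!/bin/sh
# Added example: turn the tail of eapol_test's verbose output into an
# exit code that a test script can act on.

# check_eapol_output reads eapol_test output on stdin and returns:
#   0  last line is SUCCESS and the MPPE summary shows >=1 OK, 0 mismatches
#   1  last line is FAILURE
#   2  no verdict on the last line (truncated run, timeout, crash)
#   3  SUCCESS reported but the MPPE summary is missing or inconsistent
check_eapol_output() {
    awk '
        /^MPPE keys OK: [0-9]+ +mismatch: [0-9]+[ \t\r]*$/ { ok = $4; bad = $6 }
        NF { last = $0 }
        END {
            sub(/[ \t\r]+$/, "", last)
            if (last == "FAILURE") exit 1
            if (last != "SUCCESS") exit 2
            if (ok + 0 < 1 || bad + 0 != 0) exit 3
            exit 0
        }'
}

# Hypothetical wrapper around the command line used in the post.
# Arguments: config file, RADIUS shared secret, server IP, client MAC.
run_peap_test() {
    eapol_test -c "$1" -s "$2" -a "$3" -M "$4" -N '6:d:2' 2>&1 | check_eapol_output
}

# Constructed samples (not captured from a real run).
SAMPLE_OK='EAPOL: SUPP_BE entering state SUCCESS
MPPE keys OK: 1  mismatch: 0
SUCCESS'
SAMPLE_FAIL='EAPOL: SUPP_BE entering state FAIL
MPPE keys OK: 0  mismatch: 1
FAILURE'
# A run cut short: "SUCCESS" appears mid-log, so a plain grep would pass it.
SAMPLE_TRUNCATED='EAPOL: SUPP_BE entering state SUCCESS'

for sample in "$SAMPLE_OK" "$SAMPLE_FAIL" "$SAMPLE_TRUNCATED"; do
    rc=0
    printf '%s\n' "$sample" | check_eapol_output || rc=$?
    echo "verdict code: $rc"
done
```

Anchoring on the final line rather than grepping for SUCCESS anywhere matters because the verbose log can contain that word in intermediate state-machine lines.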