Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
914
Views
3
Helpful
0
Comments

Rapid prototyping ISE Policies without any real networking hardware (part 2)

Arne Bier
VIP
VIP
‎05-04-2017 07:30 PM

This is part 2 of my blog series on rapid prototyping without any real networking equipment.  In part 1 I covered PAP and CHAP authentication.

 

Let's get more creative and look at testing some EAP methods.  The most common method found in enterprises is probably EAP-PEAP with MS-CHAPv2 inner authentication.  Typical real world use case examples include Windows/OSX/Android supplicants where the credentials are typically looked up in Active Directory or ISE itself (not that it matters).

 

There is a great test tool from the folks who brought us wpa_supplicant (a suite of tools to test EAP methods, and simulate a supplicant and/or wireless access points).  You can do amazing things with wpa_supplicant when combined with a real wireless access point.  But what if you just want to simulate the EAP authentication without all the nuts and bolts of a wireless infrastructure?  Let's face it, our AAA server ultimately processes Radius packets which are the result of the interactions of the supplicant and NAD (authenticator).  We can generate those Radius packets and enter into the somewhat complex EAP conversations.

 

Hello 'eapol_test'  !

It can be found in the wpa_supplicant package in most Linux distros - in the CentOS 7 distribution it can be installed as such

 

yum install wpa_supplicant

 

 

EAP-PEAP example

There is a command line component as well as a configuration file.  The configuration file (let's call it mschap.conf) should contain the following text - edit it appropriately - however the only thing you should need to edit are the identity (MSCHAP username) and the password.  The ca_cert is a nice to have and it will be used during the TLS setup to validate the ISE Server certificate.  In my case I have stored the ISE certificate (for EAP role) in DER format.

 

 

network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="bob"
        anonymous_identity="anonymous"
        password="AbCd123"
        phase2="autheap=MSCHAPV2"

# Line below performs server certificate validation.

# It is optional - just comment it out if you have no certificate
ca_cert="/home/abier/Downloads/MegaRootCert.cer"
}

 

 

Now you can execute a PEAP authentication as follows

eapol_test -c mschap.conf -s RadiusS3cret -a 192.168.21.101 -M '00:00:00:00:00:10' -N '6:d:2'

 

My ISE PSN is 192.168.21.101

I am pretending to be a Wi-Fi client with MAC address (Calling-Station-Id) of 00:00:00:00:00:10

The -N '6:d:2' is a handy command to add additional Radius attributes to the request - I wanted a Service-Type = Framed (see RFC2865 section 5.6) where 6 is the radius attribute value that specifies 'Service-Type', and 2 is the decimal constant that defines 'Framed'.

 

The output of the command is really verbose and in my opinion, not that useful.  But I generally look out for the last few lines of the output.

 

MPPE keys OK: 1  mismatch: 0

SUCCESS

 

ISE and eapol_test enter into the wonderful (and somewhat daunting) EAP exchange and the result is true to the real world.

  eap-peap.PNG

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents