2022-08-24
Digging into WPA Enterprise authentication packets
After digging into setting up RADIUS and WPA Enterprise with an Asus WL300g access point, the next step was to peek into the traffic on a client. For that part I used a Linux machine with a wired and a wireless interface and used tcpdump to try to capture the wireless authentication packets. I configured /etc/network/interfaces for WPA Enterprise, based on the eduroam examples. And this worked, starting the capture:

root@ritchie:~# ifconfig wlan0 up
root@ritchie:~# tcpdump -ni wlan0 -w wlanstart.pcap -s 0 -u -v

And I typed 'ifup wlan0' in another window. This resulted in a capture with the right Extensible Authentication Protocol (EAP) packets included:

root@ritchie:~# tcpdump -nr wlanstart.pcap -v
reading from file wlanstart.pcap, link-type EN10MB (Ethernet)
16:47:39.658963 EAP packet (0) v2, len 5, Request (1), id 0, len 5
                Type Identity (1)
16:47:39.660863 EAP packet (0) v1, len 25, Response (2), id 0, len 25
                Type Identity (1), Identity: anonymous@idefix.net
16:47:39.662840 IP6 (hlim 1, next-header Options (0) payload length: 56) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff23:123 to_in, 0 source(s)] [gaddr ff02::1:ff84:afe0 to_ex, 0 source(s)]
16:47:39.668736 EAP packet (0) v2, len 6, Request (1), id 1, len 6
                Type TTLS (21) TTLSv0 flags [Start bit] 0x20,
16:47:39.670420 EAP packet (0) v1, len 6, Response (2), id 1, len 6
                Type Nak (3) unknown (25),
16:47:39.682125 EAP packet (0) v2, len 6, Request (1), id 2, len 6
                Type unknown (25)
16:47:39.741150 EAP packet (0) v1, len 203, Response (2), id 2, len 203
                Type unknown (25)
16:47:39.756343 EAP packet (0) v2, len 1004, Request (1), id 3, len 1004
                Type unknown (25)
16:47:39.756598 EAP packet (0) v1, len 6, Response (2), id 3, len 6
                Type unknown (25)
16:47:39.834920 EAP packet (0) v2, len 1000, Request (1), id 4, len 1000
                Type unknown (25)
16:47:39.835159 EAP packet (0) v1, len 6, Response (2), id 4, len 6
                Type unknown (25)
16:47:39.842070 EAP packet (0) v2, len 1000, Request (1), id 5, len 1000
                Type unknown (25)
16:47:39.842318 EAP packet (0) v1, len 6, Response (2), id 5, len 6
                Type unknown (25)
16:47:39.866174 EAP packet (0) v2, len 79, Request (1), id 6, len 79
                Type unknown (25)
16:47:40.006260 EAP packet (0) v1, len 144, Response (2), id 6, len 144
                Type unknown (25)
16:47:40.014338 EAP packet (0) v2, len 65, Request (1), id 7, len 65
                Type unknown (25)
16:47:40.016467 EAP packet (0) v1, len 6, Response (2), id 7, len 6
                Type unknown (25)
16:47:40.028765 EAP packet (0) v2, len 43, Request (1), id 8, len 43
                Type unknown (25)
16:47:40.029290 EAP packet (0) v1, len 96, Response (2), id 8, len 96
                Type unknown (25)
16:47:40.036381 EAP packet (0) v2, len 75, Request (1), id 9, len 75
                Type unknown (25)
16:47:40.043383 EAP packet (0) v1, len 144, Response (2), id 9, len 144
                Type unknown (25)
16:47:40.057720 EAP packet (0) v2, len 91, Request (1), id 10, len 91
                Type unknown (25)
16:47:40.058739 EAP packet (0) v1, len 80, Response (2), id 10, len 80
                Type unknown (25)
16:47:40.071176 EAP packet (0) v2, len 43, Request (1), id 11, len 43
                Type unknown (25)
16:47:40.072087 EAP packet (0) v1, len 80, Response (2), id 11, len 80
                Type unknown (25)
16:47:40.082689 EAP packet (0) v2, len 4, Success (3), id 11, len 4
16:47:40.082865 EAPOL key (3) v2, len 117
16:47:40.091607 EAPOL key (3) v1, len 117
16:47:40.107041 EAPOL key (3) v2, len 175
16:47:40.107839 EAPOL key (3) v1, len 95

At the same time I captured the RADIUS traffic. Now time to correlate those two traffic streams in Wireshark. The 'WPA Enterprise' with the Asus WL300g gives me a strong Redshirt feeling: I regularly have to reboot the access point and apply the settings to make it work this way.
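The capture above shows the outer EAP exchange, but tcpdump labels method 25 as "unknown". As an added example (not code from the original post), here is a small Python decoder for the 802.1X/EAP headers that names the methods from the IANA EAP method type registry and pulls out what a defender checks in the outer exchange: the outer identity, the method the client asked for in its Nak, and the final result. The frames are constructed to mirror the first packets of the capture; the Ethernet header is assumed to be already stripped.

```python
import struct
# IANA EAP method types; the capture above shows 25 as "unknown" because tcpdump has no name for PEAP
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_eap(body):
    """Decode an EAP packet: code, id, length, then (for Request/Response) type and type data."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    out = {"code": EAP_CODES.get(code, f"unknown ({code})"), "id": ident, "len": length}
    if code in (1, 2) and length >= 5:
        t = body[4]
        out["type"] = EAP_TYPES.get(t, f"unknown ({t})")
        if t == 1 and code == 2:         # Identity response carries the outer identity
            out["identity"] = body[5:length].decode("ascii", "replace")
        elif t == 3:                     # Nak lists the methods the peer will accept instead
            out["desired"] = [EAP_TYPES.get(x, f"unknown ({x})") for x in body[5:length]]
        elif t in (13, 21, 25):          # TLS-based methods begin with a flags byte (Start bit etc.)
            out["flags"] = body[5]
    return out

def parse_eapol(frame):
    """Decode an 802.1X frame (Ethernet header already stripped): version, type, length, body."""
    version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body truncated")
    out = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(eapol_type, "unknown")}
    if eapol_type == 0:
        out.update(parse_eap(body))
    return out

def audit(frames):
    # What a defender checks in the outer exchange: identity leakage, negotiated method, outcome
    parsed = [parse_eapol(f) for f in frames]
    identity = next((p["identity"] for p in parsed if "identity" in p), None)
    requested = [m for p in parsed if p.get("type") == "Nak" for m in p["desired"]]
    result = next((p["code"] for p in parsed if p.get("code") in ("Success", "Failure")), None)
    return {"outer_identity": identity, "anonymous_outer": bool(identity) and identity.startswith("anonymous@"),
            "client_requested": requested, "result": result}

# Constructed frames mirroring the capture above: EAPOL header, EAP header, type byte, type data
FRAMES = [
    bytes.fromhex("02000005" "01000005" "01"),                             # AP: Identity request, id 0
    bytes.fromhex("01000019" "02000019" "01") + b"anonymous@idefix.net",   # client: Identity response
    bytes.fromhex("02000006" "01010006" "15" "20"),                        # AP: TTLS start, flags 0x20
    bytes.fromhex("01000006" "02010006" "03" "19"),                        # client: Nak, wants type 25
    bytes.fromhex("02000004" "030b0004"),                                  # AP: Success, id 11
]
```

Running `audit(FRAMES)` reports the anonymous outer identity, the client's Nak asking for PEAP, and the Success; the same functions can be fed frames read from wlanstart.pcap with a pcap library once the Ethernet header is removed.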