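# EAP authentication tests
# Copyright (c) 2019-2024, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.
#
# Reading notes for the EAP-TEAP cases in this file:
# - Every connection passes ca_cert, so the peer is configured with a trust
#   anchor for the server certificate used in the outer TLS tunnel. The inner
#   credentials depend on that: Basic-Password-Auth carries the password
#   itself inside the tunnel, and MSCHAPv2 is only as strong as the tunnel
#   that protects it.
# - anonymous_identity="TEAP" is the outer identity; the real user/machine
#   identity is only supplied to the inner exchange.
# - The expect_failure=True cases are the access-control checks: a wrong
#   password, a wrong machine password, or a missing credential that the
#   server policy (eap_teap_id) requires must end in rejection.
# - check_eap_capa() is defined in test_ap_eap; presumably it skips the test
#   when the build lacks the named EAP method - confirm there.

import logging
logger = logging.getLogger()

import hostapd
from utils import alloc_fail, fail_test, wait_fail_trigger, HwsimSkip
from test_ap_eap import (check_eap_capa, int_eap_server_params, eap_connect,
                         eap_reauth)

def int_teap_server_params(eap_teap_auth=None,
                           eap_teap_separate_result=None, eap_teap_id=None,
                           eap_teap_method_sequence=None):
    """Build hostapd parameters for an AP using the integrated EAP server
    with EAP-TEAP options.

    Starts from int_eap_server_params() and adds a fixed A-ID / A-ID-Info.
    Each optional argument is copied into the parameter set only when it is
    truthy, so None (or an empty string) leaves hostapd's default in place.
    Callers pass strings; str(0) == "0" is truthy, which is why
    eap_teap_id=0 is still written out by the run_* helpers below.

    eap_teap_auth: "1" is used by the Basic-Password-Auth tests and "2" by
        the Phase 1 client-certificate test; unset is used by the inner-EAP
        tests.
    eap_teap_separate_result: "1" is used by the test that expects the
        Result TLV in a separate message.
    eap_teap_id: identity-type policy. As documented in hostapd.conf:
        0 = any, 1 = require user, 2 = require machine, 3 = request user
        (accept either), 4 = request machine (accept either), 5 = require
        both. The tests in this file match that: user-only credentials are
        rejected for 2 and 5.
    eap_teap_method_sequence: "1" is used by the *_seq1 test.
        NOTE(review): presumably controls whether the next inner method
        starts before or after crypto-binding completes - confirm against
        hostapd.conf.
    """
    params = int_eap_server_params()
    # NOTE(review): the A-ID is set through the eap_fast_* keys; presumably
    # hostapd shares these between EAP-FAST and EAP-TEAP - confirm.
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff00"
    params['eap_fast_a_id_info'] = "test server 0"
    optional = (('eap_teap_auth', eap_teap_auth),
                ('eap_teap_separate_result', eap_teap_separate_result),
                ('eap_teap_id', eap_teap_id),
                ('eap_teap_method_sequence', eap_teap_method_sequence))
    for key, value in optional:
        if value:
            params[key] = value
    return params

def test_eap_teap_eap_mschapv2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Also cover reauthentication on the established association.
    eap_reauth(dev[0], "TEAP")

def test_eap_teap_eap_pwd(dev, apdev):
    """EAP-TEAP with inner EAP-PWD"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user-pwd-2",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PWD")

def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "EKE")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=EKE")

def test_eap_teap_basic_password_auth(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem")

def test_eap_teap_basic_password_auth_failure(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth failure"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    # Wrong password: the server must reject the peer.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="incorrect",
                ca_cert="auth_serv/ca.pem", expect_failure=True)

def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    # No password on the peer at all: authentication must not complete.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", expect_failure=True)

# Identity-policy matrix for Basic-Password-Auth with user credentials only.
# Only eap_teap_id=2 is expected to fail (see int_teap_server_params() for
# the value meanings).

def test_eap_teap_basic_password_auth_id0(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=0)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 0)

def test_eap_teap_basic_password_auth_id1(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=1)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 1)

def test_eap_teap_basic_password_auth_id2(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=2)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 2, failure=True)

def test_eap_teap_basic_password_auth_id3(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=3)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 3)

def test_eap_teap_basic_password_auth_id4(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=4)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 4)

def run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id, failure=False):
    """Run Basic-Password-Auth with user credentials under one eap_teap_id.

    eap_teap_id is converted with str() before being handed to the server
    configuration; failure=True makes eap_connect() expect a rejection.
    """
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1",
                                    eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem",
                expect_failure=failure)

def test_eap_teap_basic_password_auth_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using machine credential"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], params)
    # Empty user identity: only the machine credential is available.
    eap_connect(dev[0], hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem")

def test_eap_teap_basic_password_auth_user_and_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem")

# With eap_teap_id="5" one valid credential must not be enough. The next
# three tests break the user password, break the machine password, and omit
# the machine credential, respectively.

def test_eap_teap_basic_password_auth_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail user)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="wrong-password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem",
                expect_failure=True)

def test_eap_teap_basic_password_auth_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail machine)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="wrong-machine-password",
                ca_cert="auth_serv/ca.pem",
                expect_failure=True)

def test_eap_teap_basic_password_auth_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (no machine)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                expect_failure=True)

def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # teap_test_outer_tlvs=1 is a peer-side phase1 test option.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="teap_test_outer_tlvs=1")

def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_separate_result="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

# Same identity-policy matrix as above, with inner EAP-MSCHAPv2 instead of
# Basic-Password-Auth. Again only eap_teap_id=2 is expected to fail for a
# peer that has user credentials only.

def test_eap_teap_eap_mschapv2_id0(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=0)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 0)

def test_eap_teap_eap_mschapv2_id1(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=1)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 1)

def test_eap_teap_eap_mschapv2_id2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=2)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 2, failure=True)

def test_eap_teap_eap_mschapv2_id3(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=3)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 3)

def test_eap_teap_eap_mschapv2_id4(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=4)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 4)

def run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id, failure=False):
    """Run inner EAP-MSCHAPv2 with user credentials under one eap_teap_id.

    eap_teap_id is converted with str() before being handed to the server
    configuration; failure=True makes eap_connect() expect a rejection.
    """
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=failure)

def test_eap_teap_eap_mschapv2_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using machine credential"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], params)
    # Empty user identity: only the machine credential is available.
    eap_connect(dev[0], hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

def test_eap_teap_eap_mschapv2_user_and_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

def test_eap_teap_eap_mschapv2_user_and_machine_seq1(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (seq1)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5",
                                    eap_teap_method_sequence="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

# As with Basic-Password-Auth: under eap_teap_id="5" a single failing or
# missing credential must fail the whole authentication.

def test_eap_teap_eap_mschapv2_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail user)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="wrong-password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)

def test_eap_teap_eap_mschapv2_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail machine)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="wrong-machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)

def test_eap_teap_eap_mschapv2_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (no machine)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)

def test_eap_teap_eap_mschapv2_user_and_eap_tls_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 user and EAP-TLS machine credentials"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "TLS")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # The user authenticates with a password (MSCHAPv2) and the machine with
    # a certificate (EAP-TLS); the machine_* options carry the second set.
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                machine_phase2="auth=TLS",
                machine_ca_cert="auth_serv/ca.pem",
                machine_client_cert="auth_serv/user.pem",
                machine_private_key="auth_serv/user.key")

def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # A small fragment size on the peer, so fragmentation and reassembly are
    # exercised.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="100")

# Cipher-suite coverage. AES128-SHA is a legacy CBC/HMAC-SHA1 suite; it is
# here to cover TEAP with a SHA-1 based suite, not as a recommended
# deployment setting.

def test_eap_teap_tls_cs_sha1(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-1"""
    run_eap_teap_tls_cs(dev, apdev, "AES128-SHA")

def test_eap_teap_tls_cs_sha256(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-256"""
    run_eap_teap_tls_cs(dev, apdev, "AES128-SHA256")

def test_eap_teap_tls_cs_sha384(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-384"""
    run_eap_teap_tls_cs(dev, apdev, "AES256-GCM-SHA384")

def run_eap_teap_tls_cs(dev, apdev, cipher):
    """Run Basic-Password-Auth with the server limited to one cipher string.

    The cipher string is written to the server's openssl_ciphers parameter.
    Raises HwsimSkip when the peer reports a TLS library other than OpenSSL
    or wolfSSL.
    """
    check_eap_capa(dev[0], "TEAP")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith(("OpenSSL", "wolfSSL")):
        raise HwsimSkip("TLS library not supported for TLS CS configuration: " + tls)
    params = int_teap_server_params(eap_teap_auth="1")
    params['openssl_ciphers'] = cipher
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem")

def wait_eap_proposed(dev, wait_trigger=None):
    """Wait for EAP method proposal, then tear the connection attempt down.

    Raises Exception if CTRL-EVENT-EAP-PROPOSED-METHOD is not seen within
    10 seconds. When wait_trigger is given it is passed to
    wait_fail_trigger() (from utils; presumably this waits until the
    injected failure has been consumed - confirm there). Afterwards all
    networks are removed, the disconnection is awaited and the event monitor
    is drained.

    NOTE(review): nothing here checks whether the authentication attempt
    itself succeeded or failed. If fail-closed behaviour matters for an
    injection point (for example the compound MAC or crypto-binding steps),
    the calling test needs its own assertion for that.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
    if ev is None:
        raise Exception("Timeout on EAP start")
    if wait_trigger:
        wait_fail_trigger(dev, wait_trigger)
    dev.request("REMOVE_NETWORK all")
    dev.wait_disconnected()
    dev.dump_monitor()

def _start_teap_mschapv2(dev):
    """Start a TEAP/MSCHAPv2 connection attempt without waiting for it."""
    dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                scan_freq="2412",
                eap="TEAP", identity="user", password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                wait_connect=False)

def test_eap_teap_errors(dev, apdev):
    """EAP-TEAP local errors"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Baseline attempt with no fault injected.
    _start_teap_mschapv2(dev[0])
    wait_eap_proposed(dev[0])

    # Allocation failures, one (count, function) pair per attempt.
    # NOTE(review): eap_teap_session_id appears twice with the same count;
    # kept as in the original list.
    tests = [(1, "eap_teap_tlv_eap_payload"),
             (1, "eap_teap_process_eap_payload_tlv"),
             (1, "eap_teap_compound_mac"),
             (1, "eap_teap_tlv_result"),
             (1, "eap_peer_select_phase2_methods"),
             (1, "eap_peer_tls_ssl_init"),
             (1, "eap_teap_session_id"),
             (1, "wpabuf_alloc;=eap_teap_process_crypto_binding"),
             (1, "eap_peer_tls_encrypt"),
             (1, "eap_peer_tls_decrypt"),
             (1, "eap_teap_getKey"),
             (1, "eap_teap_session_id"),
             (1, "eap_teap_init")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            _start_teap_mschapv2(dev[0])
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")

    # Forced failures in key derivation and crypto-binding functions.
    tests = [(1, "eap_teap_derive_eap_msk"),
             (1, "eap_teap_derive_eap_emsk"),
             (1, "eap_teap_write_crypto_binding"),
             (1, "eap_teap_process_crypto_binding"),
             (1, "eap_teap_derive_msk;eap_teap_process_crypto_binding"),
             (1, "eap_teap_compound_mac;eap_teap_process_crypto_binding"),
             (1, "eap_teap_derive_imck")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            _start_teap_mschapv2(dev[0])
            wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")

def test_eap_teap_errors2(dev, apdev):
    """EAP-TEAP local errors 2 (Basic-Password-Auth specific)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    # The server is set to Basic-Password-Auth here. The peer is still
    # configured with phase2="auth=MSCHAPV2", as in the original test.
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)

    tests = [(1, "eap_teap_process_basic_auth_req")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            _start_teap_mschapv2(dev[0])
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")

    tests = [(1, "eap_teap_derive_imck")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            _start_teap_mschapv2(dev[0])
            wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")

def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "VENDOR-TEST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "vendor-test-2",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST")

def test_eap_teap_client_cert(dev, apdev):
    """EAP-TEAP with client certificate in Phase 1"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="2")
    hapd = hostapd.add_ap(apdev[0], params)

    # Verify that the server accepts a client with a certificate but no
    # Phase 2 configuration.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                ca_cert="auth_serv/ca.pem")
    dev[0].dump_monitor()
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        # This is not yet supported without PAC, so a missing session
        # resumption is only logged. The disabled check is kept for when it
        # can be enforced.
        logger.info("EAP-TEAP could not use session ticket")
        #raise Exception("EAP-TEAP could not use session ticket")

    # Verify that the server also accepts a client without a certificate.
    # That client authenticates with a password through inner MSCHAPv2.
    eap_connect(dev[1], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")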