Skip to content

teap: improve debugging when supplicant returns failure#5827

Open
jimdigriz wants to merge 2 commits intoFreeRADIUS:v3.2.xfrom
jimdigriz:teap
Open

teap: improve debugging when supplicant returns failure#5827
jimdigriz wants to merge 2 commits intoFreeRADIUS:v3.2.xfrom
jimdigriz:teap

Conversation

@jimdigriz
Copy link
Copy Markdown
Contributor

@jimdigriz jimdigriz commented Apr 17, 2026
edited
Loading

When the supplicant responses with a TLV-Result (or Intermediate-Result) of 'Fail' there is no debugging at all emitted around what the TEAP payload included.

We carefully change eap_teap_verify to respond instead of with 'reject' and 'ok', to also provide 'reject but it is safe to decode for debugging'.

The top half of eap_teap_verify falls very much into the "this packet is bad, do not touch it" whilst the second half is state orientated so safe to emit debugging on so split on this with the reason code to determine when to emit more detailed debugging.

Failure result errors from the supplicant used to read as:

(14) eap: Peer sent packet with method EAP TEAP (55)
(14) eap: Calling submodule eap_teap to process data
(14) eap_teap: Authenticate
(14) eap_teap: (TLS) EAP Done initial handshake
(14) eap_teap: Session established.  Proceeding to decode tunneled attributes
(14) eap_teap: ERROR: Phase 2: Received Result TLV from peer which indicates failure with error 2002.  Rejecting request.
(14) eap: ERROR: Failed continuing EAP TEAP (55) session.  EAP sub-module failed
(14) eap: Sending EAP Failure (code 4) ID 203 length 4

Now they read:

(14) eap: Peer sent packet with method EAP TEAP (55)
(14) eap: Calling submodule eap_teap to process data
(14) eap_teap: Authenticate
(14) eap_teap: (TLS) EAP Done initial handshake
(14) eap_teap: Session established.  Proceeding to decode tunneled attributes
(14) eap_teap: ERROR: Phase 2: Received Result TLV from peer which indicates failure with error 2002.  Rejecting request.
(14) eap_teap: Phase 2: Got Tunneled TEAP TLVs
(14) eap_teap:   FreeRADIUS-EAP-TEAP-Crypto-Binding = 0x000101212039f17ebb4f7dd73e71d33bd299a8683b87914442ceb730ef18f8d41b496585000000000000000000000000000000000000000028b94b4cd9244b949d4fab53afbbd59795f850e0
(14) eap_teap:   FreeRADIUS-EAP-TEAP-Intermediate-Result = Success
(14) eap_teap:   FreeRADIUS-EAP-TEAP-Error = Unexpected-TLVs
(14) eap_teap:   FreeRADIUS-EAP-TEAP-Result = Failure
(14) eap: ERROR: Failed continuing EAP TEAP (55) session.  EAP sub-module failed
(14) eap: Sending EAP Failure (code 4) ID 193 length 4

@jimdigriz jimdigriz force-pushed the teap branch 2 times, most recently from f576835 to e22a436 Compare April 18, 2026 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jimdigriz