Documentation

Contents

Fixed configurations
Setting up your personal profile (My profile)
Customised tests (My tests)
Personal certificates for EAP-TLS (My certificates)
Defining devices (My devices)
Viewing devices (Public devices)

You can use EAPlab without any registration. We do not request any personal data; however, you can save your name or a nickname, which will be displayed on LAB pages.

The only reason why we require you to log in is to set up your working environment and save it for your later use.

User accounts which have not been used for over 6 months will be deleted.

A user account is recognised by the unique identifier assigned by Google login.

EAPlab provides you with a user-friendly RADIUS environment plus some preconfigured installers.

Fixed configurations

This is the simplest way to use EAPlab, but also one which does not provide many testing scenarios. You can access our preconfigured RADIUS servers with one username which is common to all. This is mainly useful if you want to test a new device or supplicant software and make sure that it will properly connect when the RADIUS server works correctly. These configurations will not allow you to test how the device will behave when something unexpected happens, like when the server certificate sent by the network does not match the one you have configured on your device. To test such situations you need more customisation, which is provided by the other areas of the LAB.

Together with these RADIUS configurations you can also test CAT installers, in particular the generic XML profiles. The servers support a number of EAP methods. The normal CAT setup would be to pick the best EAP method for a given device, to make sure that a maximum variety of devices are supported. This is the best approach to support users, but can be misleading when testing, therefore for EAPlab we have selected another approach. A number of configuration sub-profiles are defined, each supporting just one EAP method. This way you will be sure which EAP method gets configured on your device, or an installer will not be available if a given EAP method is not supported.

Customised tests (My tests)

When you access the EAPlab management interface (label My tests), you can decide how the RADIUS server will behave when you connect as your_username@your_realm.supplicants.net. You may use whatever outer identity you like, as long as it is in the same realm.

You can select the RADIUS server implementation: either FreeRADIUS or Radiator. The main difference between the two is that Radiator supports EAP-FAST.

Next to each test name there is a more info link which tells you more about what a given RADIUS configuration does, and also allows you to see and download the server certificate corresponding to a given test.

There are four buttons allowing you to look at the server side. Going from left to right, the buttons give you: the last authentication within the last 10 minutes; all authentications within the last 10 minutes; all authentications in the current day; a download of the debug output from the last 3 minutes. The packet views for FreeRADIUS currently do not show the Access-Challenge packets; if you want to study them, you need to look at the debug output. In the packet view you can quickly recognise how each exchange has ended: Access-Accept packets are shown on a green background, and Access-Rejects on dark red. The packet view is convenient for quick browsing, but if you want to keep results for future reference, you can download a simplified text version using a link at the bottom of the view.

We strongly recommend that you use the devices facility; in fact, we think it is so important that we nag you if you have not set any device. If you have a device set, then next to each test you will also see a device test comments link. The link may be in one of three colours: blue, orange or green. The blue ones are those that you have not touched, i.e. have not saved any results for; the green ones are the ones that you have marked as complete; the orange ones have some saved data but have not been marked as complete, so you are probably still working on them. Making comments is hopefully self-explanatory. While in the comments window you can navigate to the next or previous test. This will also switch the RADIUS setting, so that you can easily go through the entire sequence: start from the first test, make comments, click for the next one, test again, and so on.

Test selection

You can select from:
default configuration
Configuration matching default settings. These settings are reflected in the CAT profiles. Server certificate has all extensions which may be required by known supplicants. Server certificate subject CN is radius.supplicants.net. SubjectAltName is set to DNS:radius.supplicants.net.
immediate Access-Reject
The server sends an immediate Access-Reject without any EAP conversation. This may simulate two situations: one where the server rejects after seeing an unknown username in the outer identity, the other where one of the servers in the proxy chain does not respond and a proxy replies with a reject. Since the NAS will always receive an Access-Reject, there is no possibility for the client to connect; therefore this test is designed to verify the client's behaviour in these situations.
Access-Reject after EAP conversation (default CA)
The server sends an Access-Reject after the EAP conversation. This simulates invalid credentials in the inner tunnel. Since the NAS will always receive an Access-Reject, there is no possibility for the client to connect; therefore this test is designed to verify the client's behaviour in these situations. The most natural behaviour is to prompt the user for the password; however, the client MUST NOT forget the credentials if the user does not perform any action.
No reply
The server does not respond. This simulates a connection problem in the infrastructure.
No EAP match
The server implements only EAP-GTC without a TLS tunnel. Since this method is unsuitable for WiFi, one can suspect that no supplicant will agree to negotiate it with the server.
default CA, correct name in the subject, no subjectAltName
The CN value in the subject of the server certificate is correct, no subjectAltName is present in the certificate.
default CA, different name in the subject, no subjectAltName
This configuration differs from the default one by the CN in the server certificate. The server certificate subject CN is radiusbad.supplicants.net, and there is no SubjectAltName.
default CA, different name in the subject, correct name in subjectAltName
In this configuration the name of the server has been changed in the CN of the server certificate subject, but a correct name is present in subjectAltName. The authentication result may vary between supplicants.
default CA, correct name in the subject, different name in subjectAltName
The CN value in the subject of the server certificate is correct, but the subjectAltName contains one name, and it is different from the expected server name. If the supplicant consults both the subject and subjectAltName, it should pass.
default CA, correct name in subjectAltName, subject empty
The subject of the certificate is empty, but subjectAltName carries the proper name, which should be sufficient for supplicants to succeed.
default CA, different name in subjectAltName, subject empty
The subject of the certificate is empty and subjectAltName carries a wrong name, which should be sufficient for supplicants to fail.
default CA, certificate without the CRL pointer
The server certificate does not provide a Certificate Revocation List pointer. Some supplicants require that, but the usefulness of this requirement is doubtful.
default CA, no CA:FALSE in server certificate extensions
The server certificate extensions do not include the recommended CA:FALSE setting.
default CA, certificate listed on the CRL
The server certificate has all expected elements but is listed on the CA's revocation list.
default CA, expired certificate
Server presents an expired certificate from the correct CA.
Server sending root CA cert
Server cert signed with SHA-1
All other certificates in EAPlab are signed using SHA-256, this one is SHA-1 to test if supplicants accept the weaker signature.
Server cert's subject with multiple CNs
This server certificate contains two CN fields, which may confuse supplicants.
Server with a wildcard cert
The server certificate is a wildcard type (both the CN in the subject and the SubjectAltName), and some reports indicate that certain supplicants reject that. Important: automatically generated CAT profiles set the server name to radius.supplicants.net; for this profile to work with the wildcard certificate, it may be necessary to manually add *.supplicants.net as an accepted name in the profile. At least Windows will require that.
Server with multiple sANs and incorrect subject CN
The server certificate has an incorrect name in the subject and several SubjectAltName values (including the correct DNS:radius.supplicants.net).
certificate from another CA
This configuration differs from the default one by the root CA in the server verification path. Server certificate has all extensions which may be required by known supplicants.
Server with duplicate another CA cert
Server with multiple sANs and correct subject CN
The server certificate has a correct name in the subject and two SubjectAltName values (DNS:radius.supplicants.net, DNS:*.supplicants.net).
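The certificate name tests above, as an added example that is not EAPlab's code: a supplicant-side server name check run over the name fields of each test certificate. It applies the RFC 6125 rule of consulting subjectAltName dNSName entries whenever any are present and falling back to the subject CN only when there are none, so for the "correct name in the subject, different name in subjectAltName" case it rejects, as a strict supplicant would, whereas a supplicant that consults both fields would pass, as the text notes. The certificates are reduced to constructed tuples of their CN and dNSName values (no DER parsing), and the two extra SAN values in the "multiple sANs and incorrect subject CN" case are constructed, since the page only says "several".

```python
"""Supplicant-side server name check over the EAPlab certificate name tests.

Added example, not EAPlab code. Each test certificate is reduced to the
fields that matter for the name check: the CN value(s) in the subject and
the dNSName entries of subjectAltName (constructed tuples, not parsed DER).
The check follows RFC 6125: if the certificate carries any dNSName SAN, only
the SANs are consulted; the subject CN is a fallback for certificates that
have no dNSName SAN at all.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class ServerCertNames:
    """Name-bearing fields of a server certificate (constructed)."""
    subject_cns: Tuple[str, ...] = ()   # zero, one or several CN values
    san_dns: Tuple[str, ...] = ()       # dNSName values of subjectAltName


def name_matches(cert_name: str, expected: str) -> bool:
    """Compare one certificate name with a name configured in the profile.

    A wildcard is accepted only as the complete left-most label and must be
    followed by at least two fixed labels (RFC 6125 section 6.4.3), so
    '*.supplicants.net' matches 'radius.supplicants.net' but neither
    'supplicants.net' nor 'a.b.supplicants.net'. Matching is case-insensitive.
    """
    cert_name = cert_name.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == expected
    c_labels = cert_name.split(".")
    e_labels = expected.split(".")
    if c_labels[0] != "*" or len(c_labels) < 3 or "*" in cert_name[1:]:
        return False                    # partial or embedded wildcards rejected
    return len(c_labels) == len(e_labels) and c_labels[1:] == e_labels[1:]


def server_name_ok(cert: ServerCertNames, accepted: Tuple[str, ...]) -> bool:
    """True if the certificate names a server the profile accepts.

    `accepted` holds the server names configured in the supplicant profile;
    CAT sets radius.supplicants.net, and the wildcard test above notes that
    '*.supplicants.net' may have to be added by hand.
    """
    candidates = cert.san_dns if cert.san_dns else cert.subject_cns
    return any(name_matches(c, e) for c in candidates for e in accepted)


ACCEPTED = ("radius.supplicants.net",)          # what CAT configures by default
CORRECT = "radius.supplicants.net"
WRONG = "radiusbad.supplicants.net"
WILD = "*.supplicants.net"

# The name-related tests from the list above; 'radiusx.supplicants.net' is a
# constructed filler for the "several SubjectAltName values" case.
TESTS: Dict[str, ServerCertNames] = {
    "default configuration":        ServerCertNames((CORRECT,), (CORRECT,)),
    "correct CN, no SAN":           ServerCertNames((CORRECT,), ()),
    "different CN, no SAN":         ServerCertNames((WRONG,), ()),
    "different CN, correct SAN":    ServerCertNames((WRONG,), (CORRECT,)),
    "correct CN, different SAN":    ServerCertNames((CORRECT,), (WRONG,)),
    "subject empty, correct SAN":   ServerCertNames((), (CORRECT,)),
    "subject empty, different SAN": ServerCertNames((), (WRONG,)),
    "wildcard cert":                ServerCertNames((WILD,), (WILD,)),
    "multiple CNs":                 ServerCertNames((CORRECT, WRONG), ()),
    "multiple SANs, incorrect CN":  ServerCertNames((WRONG,), (CORRECT, "radiusx.supplicants.net", WILD)),
    "multiple SANs, correct CN":    ServerCertNames((CORRECT,), (CORRECT, WILD)),
}


def run_all(accepted: Tuple[str, ...] = ACCEPTED) -> Dict[str, bool]:
    """Evaluate every test certificate against the accepted names."""
    return {name: server_name_ok(cert, accepted) for name, cert in TESTS.items()}


if __name__ == "__main__":
    for name, ok in run_all().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {name}")
```

Two results are worth comparing with what you observe in the LAB: the "multiple CNs" certificate passes here because one of the CN values matches, while a supplicant that refuses multi-CN subjects outright will reject it; and the "correct CN, different SAN" certificate fails here because the SAN takes precedence, which is the behaviour to expect from supplicants that implement RFC 6125 strictly.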

Setting up your personal profile (My profile)

On this page you need to provide information which will be necessary to create your testing environment. You will be able to change any of the fields at any moment. Your account is connected to the identifier passed by Google; all other data comes from you and can be changed at will. The configuration form is self-explanatory.

After saving the information a RADIUS realm will be generated for you, and this is the one element that you cannot change. The complete RADIUS username will be communicated to you. When you click Continue you will be returned to the Update configuration form, where you can make any corrections but, more importantly, you will be given the possibility to generate CAT profiles for your new configuration.

CAT profiles

For your convenience two CAT IdPs are created with the following names:

  • Single CA
  • CA chain

Your user account will be set as CAT administrator for these IdPs.

For each of these IdPs several profiles will be created - one for each supported EAP type:

  • TTLS-PAP
  • TTLS-MSCHAPv2
  • PEAP-MSCHAPv2
  • EAP-PWD
  • TLS

and an additional Custom profile, which is not production ready (and therefore will not be seen in the downloads until you enable it). This profile is meant as a playground. We suggest that you do not modify the preset profiles unless you really know what you are doing. You can view and modify the profiles using the standard CAT admin interface. If you really mess up your configuration, you can always delete the whole IdP, and both the My profile and My tests screens will give you an option to recreate it from scratch.

Personal certificates for EAP-TLS (My certificates)

This section allows you to handle personal certificates, which can be used to test EAP-TLS. The certificates are provided by a separate EAPlab CA and are distributed in the form of a PFX (P12) file containing the user's certificate, the user's private key, and the Certificate Authority certificate. Apple systems treat such a user certificate as untrusted; therefore the signed CAT profiles supplied by CAT should also contain the user CA certificate, just to validate the origin of the personal certificate.

Personal certificates are protected with a separate password. We do not want to use your profile password, since you might want to change that, while the passwords for the files which you have previously downloaded would not change. Therefore you can set a separate password for each certificate file, and these passwords are shown to you next to the download links. Remember that EAPlab is for testing, not for providing secure credentials; therefore we do not worry about the passwords being somewhat exposed.

A personal certificate file is valid for one year; if you generate a new file, the old one gets overwritten.

You can generate three types of personal certificates:

certificate subject CN equal to the EAP username
Such a certificate is normally the easiest to handle. Most supplicants extract the EAP username from the CN in the subject and the connection is quite automatic.
certificate subject CN not equal to the EAP username
The supplicant cannot base the EAP username on the contents of the subject CN, therefore there should be a way of specifying one. This certificate will allow you to test that supplicants work correctly also in these cases.
EAP username in the certificate email, while CN not equal to the EAP username
While the username cannot be extracted from the CN, it could, in principle, be extracted from the email and prompted within the supplicant. This could be helpful for sites which want to use general-purpose personal certificates.
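The three certificate variants above, as an added example that is not EAPlab's code: how a supplicant might decide which EAP identity to use from a personal certificate's subject. The subject strings and the realm are constructed placeholders (the realm follows the your_realm.supplicants.net pattern from the My tests section), the preference order (subject CN, then emailAddress, then the identity configured in the profile) is this example's own choice, and, as the text says, real supplicants differ in which of these sources they use.

```python
"""Deriving the EAP-TLS identity from a personal certificate's subject.

Added example, not EAPlab code. It models the three personal-certificate
variants: the EAP username is the subject CN, the username appears only in
the emailAddress attribute, or it has to come from the supplicant profile.
Subjects are given as RFC 4514 strings; the attribute name 'emailAddress'
is the OpenSSL short name for the PKCS#9 e-mail attribute.
"""
import re
from typing import Dict, List, Optional, Tuple

REALM = "your_realm.supplicants.net"   # placeholder realm, pattern from My tests


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split an RFC 4514 subject string into {attribute_type: [values]}.

    Commas escaped with a backslash stay inside the value, and attribute
    types are lower-cased so 'CN' and 'emailAddress' are found regardless
    of case. Multi-valued RDNs joined with '+' are not split, which is
    enough for these samples.
    """
    attrs: Dict[str, List[str]] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        typ, sep, val = rdn.strip().partition("=")
        if not sep:
            continue                                   # skip an empty/malformed RDN
        val = re.sub(r"\\(.)", r"\1", val.strip())     # drop escaping backslashes
        attrs.setdefault(typ.strip().lower(), []).append(val)
    return attrs


def is_nai_in_realm(value: str, realm: str) -> bool:
    """True if value has the form user@realm for the expected realm."""
    user, sep, dom = value.rpartition("@")
    return bool(sep) and bool(user) and dom.lower() == realm.lower()


def derive_eap_identity(subject_dn: str, realm: str,
                        configured: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Pick the EAP identity and report which source it came from.

    Preference order: a subject CN that is a user@realm identity, then an
    emailAddress in the realm, then the identity configured in the profile.
    Returns (None, "none") when nothing usable exists, the case a supplicant
    must handle by asking the user rather than guessing.
    """
    attrs = parse_dn(subject_dn)
    for cn in attrs.get("cn", []):
        if is_nai_in_realm(cn, realm):
            return cn, "CN"
    for mail in attrs.get("emailaddress", []):
        if is_nai_in_realm(mail, realm):
            return mail, "emailAddress"
    if configured and is_nai_in_realm(configured, realm):
        return configured, "configured"
    return None, "none"


# Constructed subjects mirroring the three certificate types described above.
SUBJECT_CN_IS_USERNAME = "CN=jdoe@your_realm.supplicants.net,O=EAPlab"
SUBJECT_CN_IS_NAME = "CN=John Doe,O=EAPlab"
SUBJECT_USERNAME_IN_EMAIL = r"CN=Doe\, John,emailAddress=jdoe@your_realm.supplicants.net,O=EAPlab"

if __name__ == "__main__":
    for dn in (SUBJECT_CN_IS_USERNAME, SUBJECT_CN_IS_NAME, SUBJECT_USERNAME_IN_EMAIL):
        print(dn, "->", derive_eap_identity(dn, REALM))
```

The realm check matters in the middle case: a certificate whose CN is a person's name yields no identity at all unless the profile supplies one, which is exactly what the second certificate type is meant to exercise in a supplicant.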

Defining devices (My devices)

This section is designed to help you with keeping track of the tests you make and also allows you to publish the results, so that other EAPlab users can see them.

We use the notion of a device, which may be misleading, since by a device we really mean an 802.1X supplicant, but in reality you may find it more natural to think that you are testing a particular type of phone, rather than the supplicant that is provided with it. Anyway, this is the name we have chosen, and we hope that it is not going to be too painful for the users.

When defining a new device you just give it a name and a description. Other users may choose the same name; you might want to consult the Public devices section to see what others have done (and made public). You may decide to make the device public; if you do so, then all test results you have saved will also be visible to others. You may change your mind at any time and make the device private again.

Setting a device as selected is important, as this will be the one for which you can make notes in the My tests section of EAPlab. If you want to start testing another device, you need to go to the My devices section and select another device.

If you delete a device, all test results for this device are also lost, therefore use this option carefully.

Viewing devices (Public devices)

This section allows you to see a condensed view of all public devices in the system (including your own). By clicking on each of the devices you can see a summary of test results and go to detailed results for each test. If you wonder where the test results came from, read the My tests section.