Does wpa supplicant version 0.6.4 support Windows Server 2008NAP IEEE802.1X Enforcement ?
Tomonari Yoshimura
yosimura
Tue Sep 30 21:37:24 PDT 2008
Thank you for your assistance.
The debug log messages of wap supplicant with our debug messages (### TEST9 ###) are shown below.
If you find any issues, could you please let us know ?
Could you send us the debug log messages you tested wpa supplicant with Windows XP SP3,
if possible ?
(1) Receiving SoH Request from Server (Windows Server 2008).
### TEST9 ### : SoH Request Received from Server.
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=20): fe 00 01 37 00 00 00 21 00 07 00 08 00 00 01 37 00 02 00 00
(2) SoH TLV is generated and sent back to Server.
### TEST9 ### SoH TLV is generated. (we use dummy correlationId)
EAP-PEAP: Encrypting Phase 2 data - hexdump(len=113): 02 08 00 71 fe 00 01 37 00 00 00 21 00 07 00 61 00 00 01 37 00 01 00 59 00 07
00 55 00 00 01 37 00 02 00 4d 00 07 00 1e 00 00 01 37 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 01 00
00 02 00 04 00 01 37 00 00 07 00 1f 00 00 01 37 03 11 06 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(3) Server sends EAP Authentication failure as a response.
RX EAPOL - hexdump(len=46): 01 00 00 04 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00
EAP: Received EAP-Failure
CTRL-EVENT-EAP-FAILURE EAP authentication failed
Windows Server 2008 NPS event log shows
?ReasonCode 300
?Reason: No authentication information available in the Security Package.
We checked tncc_build_soh() in src/eap_peer/tncc.c and Microsoft specifications
[MS-PEAP] and [MS-SOH], but we cannot find the cause of the error.
Thanks,
Yoshi
-----Original Message-----
From: hostap-bounces at lists.shmoo.com [mailto:hostap-bounces at lists.shmoo.com] On Behalf Of Jouni Malinen
Sent: Tuesday, September 30, 2008 3:47 PM
To: hostap at lists.shmoo.com
Subject: Re: Does wpa supplicant version 0.6.4 support Windows Server 2008NAP IEEE802.1X Enforcement ?
On Tue, Sep 30, 2008 at 12:39:29PM +0900, Tomonari Yoshimura wrote:
> I tried to test Microsoft NAP IEEE802.1x Enforcement using wpa
> supplicant version 0.6.4 eap_peap as a peer and Microsoft Windows Server 2008 as an NPS.
I don't have Windows Server 2008 and have only tested this indirectly by implementing server side in hostapd and testing it with
Windows XP SP3 supplicant and then verifying that wpa_supplicant works with the same server implementation, too. In other words,
most of the basic implementation is there, but it has not been fully validated. In addition, please not that the SoH that is sent as
a reply does not contain all the information and some of the (possibly required) fields do not make much sense on non-Windows
platforms.
> However the EAP PEAP sequence stops just after sending SoH TLV from
> Peer to Server, as a response to SoH Request TLV from Server.
If you can get debug log from the server (I would hope it is available in the event log), it would be interesting to see what the
server said as a reason for rejecting the packet (I would assume it is the server rejecting the SoH). You can see the TODO comments
in src/eap_peer/tncc.c
tncc_build_soh() function for number of fields. Some of these fields are likely required, so at minimum, some dummy values could be
needed to make the server accept the SoH.
I did not complete the implementation since I didn't have the Microsoft server to test against. I would hope that the remaining
parts are quite minimal if a suitable server is available for testing.
--
Jouni Malinen PGP id EFC895FA
_______________________________________________
HostAP mailing list
HostAP at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap
More information about the Hostap
mailing list