HostAPd WPA Enterprise fails on Windows 10

Thomas d'Otreppe tdotreppe at
Tue Dec 13 09:09:40 PST 2016

If you want to reproduce it, you can simply either install Kali on a
system (or use a prebuilt VM) and install HostAPd-WPE: apt-get install
I used the default config and an ath9k_htc device (TP-Link TL-WN722N
to be precise) if that matters.

I copied the log on pastebin:

Kali is using OpenSSL 1.0.2j from Debian.


On Tue, Dec 13, 2016 at 5:09 AM, Jouni Malinen <j at> wrote:
> On Mon, Dec 12, 2016 at 05:23:50PM -0500, Thomas d'Otreppe wrote:
>> I have been playing with Hostapd patched for WPE on Kali. It is a
>> patch to make HostAPd (2.6) an Enterprise AP and accept and log all
>> credentials entered.
>> With a stock configuration, it works just fine on most OSes (tested:
>> Ubuntu 16.04, 16.10, iOS 10.1 and 10.2) but Windows 10 (14393) fails
>> without much explanation. However, in a set-up where HostAPd forwards
>> the request to Freeradius 3.0.12, it works just fine with Windows 10.
> I'm not sure whether WPE patches could have had an impact there, but I
> cannot reproduce PEAP/MSCHAPv2 authentication issue between Windows 10
> station and hostapd as the AP and EAP authentication server. This was
> with the current hostapd snapshot (but there should not really be
> changes between 2.6 and this for the relevant parts) and with OpenSSL
> 1.0.2j.
>> To summarize the ticket, by enabling debug (-d) when running hostapd,
>> it seems like it is failing right before switching to Phase 2. It
>> doesn't seem to get the data for phase 2 correctly as you can see in
>> the log excerpt in the ticket.
> There is not enough context in that log to be able to tell what
> happened.
>> According to some forums, Windows might have had some issue with TLS
>> v1.2 so I tried to recompile with TLS v1.2 disabled but it still
>> failed (and also tried disabling v1.1, no success). I also tried
>> latest hostapd git from a day or 2 ago and the problem still persists.
> Which OpenSSL version are you using?
>> If needed, I kept the success and failure logs and I can send them for analysis.
> Yes, I'd need to see the full failure log to be able to say much more
> than that since this works fine in my tests.
> --
> Jouni Malinen                                            PGP id EFC895FA
