HostAPd WPA Enterprise fails on Windows 10

Thomas d'Otreppe tdotreppe at gmail.com
Tue Dec 13 11:37:43 PST 2016 

I think I found it: Application log -> Microsoft -> Windows -> WLAN-AutoConfig.

Here is a log entry (there are more obviously, some with less details):

Wireless 802.1x authentication failed.

Network Adapter: Intel(R) Dual Band Wireless-AC 3165
Interface GUID: {XXXXXX-XX-XXXX-XXXX-XXXXXX}
Local MAC Address: 08:D4:0C:XX:XX:XX
Network SSID: hostapd-wpe
BSS Type: Infrastructure
Peer MAC Address: C4:E9:84:XX:XX:XX
Identity: me
User: project
Domain: XXXXXXXX
Reason: Explicit Eap failure received
Error: 0x0
EAP Reason: 0x0
EAP Root cause String:
EAP Error: 0x0


On Tue, Dec 13, 2016 at 2:30 PM, Thomas d'Otreppe <tdotreppe at gmail.com> wrote:
> Yes, I used a completely new profile. I listed all network available,
> selected my attacker's network and put credentials (login: me,
> password: password).
>
> Could you tell me where I can find that debug output? Is there
> anything I need to filter on?
> Would a pcap from a separate machine help?
>
>
> Thomas
>
>
> On Tue, Dec 13, 2016 at 1:35 PM, Jouni Malinen <j at w1.fi> wrote:
>> On Tue, Dec 13, 2016 at 12:09:40PM -0500, Thomas d'Otreppe wrote:
>>
>>> I used the default config and an ath9k_htc device (TP-Link TL-WN722N
>>> to be precise) if that matters.
>>>
>>> I copied the log on pastebin: http://pastebin.com/jwtn1TWN
>>
>> So the failure happens when the server needs to fragment a long TLS
>> message (the one that includes the certificate chain from the server).
>> For some reason, the Windows 10 supplicant seems to send out an extra
>> fragment ACK (an empty EAP-PEAP message) after the full fragmented frame
>> has been sent out. In my earlier test, I used a shorter certificate and
>> there was no fragmentation, but I now confirmed that even the fragmented
>> case works fine for me with Windows 10 as the client.
>>
>> Did you use a completely new network profile on Windows 10, i.e.,
>> something that has not connected to any other authentication server
>> before? I'm not sure what type of validation steps are performed at
>> this step, but if the client has means for verifying that the server
>> certificate is trusted or known, it could stop authentication here.
>>
>> In any case, it sounds like someone would need to get debug output from
>> Windows 10 to figure out why it either rejects the message from the
>> server (though, uses a bit strange message for doing so, i.e., an empty
>> message instead of TLS alert or disconnection) or why it thinks there is
>> still some fragments coming up.
>>
>> --
>> Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list