HostAPd WPA Enterprise fails on Windows 10

Jouni Malinen j at w1.fi
Tue Dec 13 13:34:33 PST 2016 

On Tue, Dec 13, 2016 at 02:37:43PM -0500, Thomas d'Otreppe wrote:
> I think I found it: Application log -> Microsoft -> Windows -> WLAN-AutoConfig.
> 
> Here is a log entry (there are more obviously, some with less details):
> 
> Wireless 802.1x authentication failed.

> Reason: Explicit Eap failure received

That sounds like something that would happen after the real failure
happened, i.e., the AP/Authenticator will eventually send out
EAP-Failure due to unexpected client behavior. The debug log entry for
the real issue could be somewhere since it is really TLS processing that
fails here (or PEAP, if the issue is somehow in fragmentation). I'm not
familiar with Windows 10 implementation, so cannot tell you where to
look for that, though.

> On Tue, Dec 13, 2016 at 2:30 PM, Thomas d'Otreppe <tdotreppe at gmail.com> wrote:
> > Yes, I used a completely new profile. I listed all network available,
> > selected my attacker's network and put credentials (login: me,
> > password: password).

OK, that's exactly what I did and it worked fine.. Windows 10 first
probed the network with host identity and PEAP. That exchange went
through this part of the fragmented certificate frame and was terminated
with TLS alert from Windows 10 ("SSL: SSL3 alert: read (remote end
reported an error):fatal:unknown CA)" in hostapd debug log). This was
then followed with an attempt using the username/password I entered and
that completed PEAP phase 1 and 2 successfully and 4-way handshake went
through as well.

> > Could you tell me where I can find that debug output? Is there
> > anything I need to filter on?
> > Would a pcap from a separate machine help?

See above for lack of knowledge on debugging Windows 10.. I think you
mentioned this worked with FreeRADIUS as the authentication server. If
you are using the same server certificate in both cases, it would be
interesting to see PCAP files showing all the EAPOL packets exchanged in
the success and failure cases.

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list