HostAPd WPA Enterprise fails on Windows 10

Thomas d'Otreppe tdotreppe at gmail.com
Thu Dec 15 11:30:47 PST 2016


I managed to get good captures and I hope it helps in figuring out what
is going on. I used the same certs for both Freeradius and HostAPd
which are included in the archive.

I filtered out unnecessary packets and added the challenge/response
file from freeradius as well as pcap from the wired side and the
wireless side (the secret between the AP and Freeradius is
testing123). For HostAPd, I have a wifi capture only (obviously) and
the full debug output:
http://www2.aircrack-ng.org/win10_hostapd_failure_dec2016.tar.gz

Let me know if there is any more information that you need.

Thanks,

Thomas


On Tue, Dec 13, 2016 at 4:34 PM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Dec 13, 2016 at 02:37:43PM -0500, Thomas d'Otreppe wrote:
>> I think I found it: Application log -> Microsoft -> Windows -> WLAN-AutoConfig.
>>
>> Here is a log entry (there are more obviously, some with less details):
>>
>> Wireless 802.1x authentication failed.
>
>> Reason: Explicit Eap failure received
>
> That sounds like something that would happen after the real failure
> happened, i.e., the AP/Authenticator will eventually send out
> EAP-Failure due to unexpected client behavior. The debug log entry for
> the real issue could be somewhere since it is really TLS processing that
> fails here (or PEAP, if the issue is somehow in fragmentation). I'm not
> familiar with Windows 10 implementation, so cannot tell you where to
> look for that, though.
>
>> On Tue, Dec 13, 2016 at 2:30 PM, Thomas d'Otreppe <tdotreppe at gmail.com> wrote:
>> > Yes, I used a completely new profile. I listed all networks available,
>> > selected my attacker's network and put credentials (login: me,
>> > password: password).
>
> OK, that's exactly what I did and it worked fine.. Windows 10 first
> probed the network with host identity and PEAP. That exchange went
> through this part of the fragmented certificate frame and was terminated
> with TLS alert from Windows 10 ("SSL: SSL3 alert: read (remote end
> reported an error):fatal:unknown CA)" in hostapd debug log). This was
> then followed with an attempt using the username/password I entered and
> that completed PEAP phase 1 and 2 successfully and 4-way handshake went
> through as well.
>
>> > Could you tell me where I can find that debug output? Is there
>> > anything I need to filter on?
>> > Would a pcap from a separate machine help?
>
> See above for lack of knowledge on debugging Windows 10.. I think you
> mentioned this worked with FreeRADIUS as the authentication server. If
> you are using the same server certificate in both cases, it would be
> interesting to see PCAP files showing all the EAPOL packets exchanged in
> the success and failure cases.
>
> --
> Jouni Malinen                                            PGP id EFC895FA


