HostAPd WPA Enterprise fails on Windows 10

Jouni Malinen j at w1.fi
Thu Dec 15 14:47:44 PST 2016


On Thu, Dec 15, 2016 at 02:30:47PM -0500, Thomas d'Otreppe wrote:
> I managed to get good captures and I hope it helps figuring out what
> is going on. I used the same certs for both Freeradius and HostAPd
> which are included in the archive.
> 
> I filtered out unnecessary packets and added the challenge/response
> file from freeradius as well as pcap from the wired side and the
> wireless side (the secret between the AP and Freeradius is
> testing123). For HostAPd, I have a wifi capture only (obviously) and
> the full debug output:
> http://www2.aircrack-ng.org/win10_hostapd_failure_dec2016.tar.gz

Unfortunately, win10_hostapd_failure_dec2016/hostapd/hostapd.pcap misses
the two key EAP messages that are the ones that follow the Windows 10
supplicant sending an unexpected fragment ACK.

That said, there are some differences in behavior between the FreeRADIUS
and hostapd as authentication server cases. FreeRADIUS advertises the
highest supported PEAP version as 0, while hostapd advertises support for
version 1 (i.e., both versions 0 and 1).

I'm also questioning whether you really used the same server certificate
in the tests. Was that supposed to be
win10_hostapd_failure/dec2016/cert/server.pem? That has CN=Example
Server Certificate, while the FreeRADIUS capture log showed the server
certificate with CN=kali.

The key difference here is that the cert/server.pem uses MD5 in the
signature algorithm (md5WithRSAEncryption) while the FreeRADIUS CN=kali
certificate uses SHA256. I was able to reproduce the strange Windows 10
behavior with an unexpected fragment ACK when using a server certificate
with md5WithRSAEncryption. I'd assume rejecting the connection is by
design due to security issues related to MD5 use as a signature
algorithm.

If you can reproduce this with a SHA256-based certificate from the hostapd
server, I'd be interested in a more complete packet capture that shows
the two key EAP-Request messages that are missing from hostapd.pcap.

-- 
Jouni Malinen                                            PGP id EFC895FA
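The diagnosis above turns on one property of the server certificate: its signature algorithm (md5WithRSAEncryption vs. sha256WithRSAEncryption). The following script is an added example, not part of the thread and not hostapd or FreeRADIUS code, that reads that field directly from a PEM certificate with a minimal DER walk (no third-party libraries) and flags MD5- and SHA-1-based signatures, which is the pre-flight check to run on a RADIUS/EAP server certificate before blaming the supplicant. The two sample PEM blobs are constructed in the script itself: they have the outer Certificate shape (tbsCertificate, signatureAlgorithm, signatureValue) with a dummy body, so they exercise the parser but are not real certificates; the function names and the file argument are this example's own.

```python
"""Flag X.509 certificates whose signature algorithm is MD5- or SHA-1-based."""
import base64
import re
import sys

# RFC 3279 / RFC 4055 / RFC 5758 OIDs for signature algorithms a RADIUS/EAP
# server certificate is likely to carry.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
SIGNATURE_OID_NAMES = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    **WEAK_SIGNATURE_OIDS,
}


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Extract and base64-decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Walks only the outer structure: skips tbsCertificate, then reads the OID
    inside signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)  # enter signatureAlgorithm
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def check_signature_algorithm(der):
    """Return (algorithm name, is_weak) for a DER-encoded certificate."""
    oid = signature_algorithm_oid(der)
    return SIGNATURE_OID_NAMES.get(oid, oid), oid in WEAK_SIGNATURE_OIDS


# --- constructed sample input (not real certificates) ------------------------
def _der(tag, content):
    """Minimal DER encoder used only to build the sample blobs below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def _sample_pem(sig_oid_bytes):
    """Outer Certificate shape only: dummy tbsCertificate, the given
    AlgorithmIdentifier, and an empty BIT STRING; enough for the parser."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                          # placeholder body
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00")                                      # empty BIT STRING
    b64 = base64.encodebytes(_der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


MD5_CERT_PEM = _sample_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # 1.2.840.113549.1.1.4
SHA256_CERT_PEM = _sample_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    # Usage: python check_cert_sig.py server.pem   (no argument: run the samples)
    if len(sys.argv) > 1:
        items = [(sys.argv[1], open(sys.argv[1]).read())]
    else:
        items = [("md5-sample", MD5_CERT_PEM), ("sha256-sample", SHA256_CERT_PEM)]
    for label, pem in items:
        name, weak = check_signature_algorithm(pem_to_der(pem))
        print(f"{label}: {name} {'WEAK' if weak else 'ok'}")
```

Run it against the actual server.pem handed to hostapd (or FreeRADIUS) before debugging the EAP exchange; if it reports md5WithRSAEncryption, reissue the certificate with a SHA-256 signature first, since that alone explains the supplicant aborting after the certificate arrives. The parser reads only the outer Certificate SEQUENCE and deliberately does not interpret tbsCertificate, so it works on any valid DER certificate regardless of extensions.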
