I managed to get good captures and I hope it helps figuring out what is going on. I used the same certs for both Freeradius and HostAPd which are included in the archive. I filtered out unnecessary packets and added the challenge/response file from freeradius as well as pcap from the wired side and the wireless side (the secret between the AP and Freeradius is testing123). For HostAPd, I have a wifi capture only (obviously) and the full debug output: http://www2.aircrack-ng.org/win10_hostapd_failure_dec2016.tar.gz Let me know if there is anymore information that you need. Thanks, Thomas On Tue, Dec 13, 2016 at 4:34 PM, Jouni Malinen <j@xxxxx> wrote: > On Tue, Dec 13, 2016 at 02:37:43PM -0500, Thomas d'Otreppe wrote: >> I think I found it: Application log -> Microsoft -> Windows -> WLAN-AutoConfig. >> >> Here is a log entry (there are more obviously, some with less details): >> >> Wireless 802.1x authentication failed. > >> Reason: Explicit Eap failure received > > That sounds like something that would happen after the real failure > happened, i.e., the AP/Authenticator will eventually send out > EAP-Failure due to unexpected client behavior. The debug log entry for > the real issue could be somewhere since it is really TLS processing that > fails here (or PEAP, if the issue is somehow in fragmentation). I'm not > familiar with Windows 10 implementation, so cannot tell you where to > look for that, though. > >> On Tue, Dec 13, 2016 at 2:30 PM, Thomas d'Otreppe <tdotreppe@xxxxxxxxx> wrote: >> > Yes, I used a completely new profile. I listed all network available, >> > selected my attacker's network and put credentials (login: me, >> > password: password). > > OK, that's exactly what I did and it worked fine.. Windows 10 first > probed the network with host identity and PEAP. That exchange went > through this part of the fragmented certificate frame and was terminated > with TLS alert from Windows 10 ("SSL: SSL3 alert: read (remote end > reported an error):fatal:unknown CA)" in hostapd debug log). This was > then followed with an attempt using the username/password I entered and > that completed PEAP phase 1 and 2 successfully and 4-way handshake went > through as well. > >> > Could you tell me where I can find that debug output? Is there >> > anything I need to filter on? >> > Would a pcap from a separate machine help? > > See above for lack of knowledge on debugging Windows 10.. I think you > mentioned this worked with FreeRADIUS as the authentication server. If > you are using the same server certificate in both cases, it would be > interesting to see PCAP files showing all the EAPOL packets exchanged in > the success and failure cases. > > -- > Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
