On Thu, Dec 15, 2016 at 02:30:47PM -0500, Thomas d'Otreppe wrote: > I managed to get good captures and I hope it helps figuring out what > is going on. I used the same certs for both Freeradius and HostAPd > which are included in the archive. > > I filtered out unnecessary packets and added the challenge/response > file from freeradius as well as pcap from the wired side and the > wireless side (the secret between the AP and Freeradius is > testing123). For HostAPd, I have a wifi capture only (obviously) and > the full debug output: > http://www2.aircrack-ng.org/win10_hostapd_failure_dec2016.tar.gz Unfortunately, win10_hostapd_failure_dec2016/hostapd/hostapd.pcap misses the two key EAP messages that are the ones that follow the Windows 10 supplicant sending an unexpected fragment ACK. That said, there are some differences in behavior between the FreeRADIUS and hostapd as authentication server cases. FreeRADIUS advertises highest supported PEAP version to 0 while hostapd advertises support for version 1 (i.e., both versions 0 and 1). I'm also questioning whether you really used the same server certificate in the tests.. Was that supposed to be win10_hostapd_failure/dec2016/cert/server.pem? That has CN=Example Server Certificate while the FreeRADIUS capture log showed the server certificate with CN=kali. The key difference here is that the cert/server.pem uses MD5 in the signature algorithm (md5WithRSAEncryption) while the FreeRADIUS CN=kali certificate uses SHA256. I was able to reproduce the strange Windows 10 behavior with an unexpected fragment ACK when using a server certificate with md5WithRSAEncryption. I'd assume rejecting the connection is by design due to security issues related to MD5 use as a signature algorithm. If you can reproduce this with SHA256-based certificate from the hostapd server, I'd be interested in a more complete packet capture that shows the two key EAP-Request messages that are missing from hostapd.pcap. -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
