Yes, it was due to MD5 certificates. I tested with SHA certs and it worked
just fine. I wish Windows would at least say that it was because of it.

Thanks a lot for your help,

Thomas

On Thu, Dec 15, 2016 at 5:47 PM, Jouni Malinen <j@xxxxx> wrote:
> On Thu, Dec 15, 2016 at 02:30:47PM -0500, Thomas d'Otreppe wrote:
>> I managed to get good captures and I hope it helps figure out what
>> is going on. I used the same certs for both Freeradius and HostAPd
>> which are included in the archive.
>>
>> I filtered out unnecessary packets and added the challenge/response
>> file from freeradius as well as pcap from the wired side and the
>> wireless side (the secret between the AP and Freeradius is
>> testing123). For HostAPd, I have a wifi capture only (obviously) and
>> the full debug output:
>> http://www2.aircrack-ng.org/win10_hostapd_failure_dec2016.tar.gz
>
> Unfortunately, win10_hostapd_failure_dec2016/hostapd/hostapd.pcap misses
> the two key EAP messages that are the ones that follow the Windows 10
> supplicant sending an unexpected fragment ACK.
>
> That said, there are some differences in behavior between the FreeRADIUS
> and hostapd as authentication server cases. FreeRADIUS advertises
> highest supported PEAP version to 0 while hostapd advertises support for
> version 1 (i.e., both versions 0 and 1).
>
> I'm also questioning whether you really used the same server certificate
> in the tests. Was that supposed to be
> win10_hostapd_failure/dec2016/cert/server.pem? That has CN=Example
> Server Certificate while the FreeRADIUS capture log showed the server
> certificate with CN=kali.
>
> The key difference here is that the cert/server.pem uses MD5 in the
> signature algorithm (md5WithRSAEncryption) while the FreeRADIUS CN=kali
> certificate uses SHA256. I was able to reproduce the strange Windows 10
> behavior with an unexpected fragment ACK when using a server certificate
> with md5WithRSAEncryption. I'd assume rejecting the connection is by
> design due to security issues related to MD5 use as a signature
> algorithm.
>
> If you can reproduce this with SHA256-based certificate from the hostapd
> server, I'd be interested in a more complete packet capture that shows
> the two key EAP-Request messages that are missing from hostapd.pcap.
>
> --
> Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
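The root cause in the thread is a server certificate signed with md5WithRSAEncryption, which the Windows 10 supplicant silently rejects. The following is an added example, not code from this thread, from hostapd or from FreeRADIUS: a small standard-library Python checker that reads the outer signatureAlgorithm of a certificate (PEM or DER) and flags MD5- or SHA-1-based RSA signatures before the file is deployed as an EAP server certificate. The DER walker is deliberately minimal (it only descends to the AlgorithmIdentifier), the OID table covers the common RSA and ECDSA signature OIDs from RFC 3279/4055/5758, and `build_dummy_cert` produces a constructed X.509 skeleton, not a real certificate, purely so the checker can be exercised offline.

```python
# Added example (not from the hostapd list thread): flag weak X.509 signature
# algorithms in an EAP server certificate before hostapd/FreeRADIUS use it.
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def _read_tlv(data, pos):
    """Decode one DER TLV at `pos`; return (tag, content bytes, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn DER OID content octets into dotted-decimal text."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def pem_to_der(text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm (the outer one)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate: skipped
    tag, algid, _ = _read_tlv(cert, pos)    # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def check_cert(der):
    """Return (algorithm name or raw OID, True if it is MD5/SHA-1 based)."""
    name = SIG_ALG_NAMES.get(signature_algorithm(der), signature_algorithm(der))
    return name, name in WEAK_SIG_ALGS


# --- constructed sample data below: NOT real certificates -------------------

def _encode_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_dummy_cert(sig_oid):
    """Constructed X.509 skeleton whose only meaningful field is the outer
    signatureAlgorithm; the tbsCertificate and signature are placeholders."""
    tbs = _encode_tlv(0x30, _encode_tlv(0x02, b"\x01"))
    algid = _encode_tlv(0x30, _encode_tlv(0x06, _encode_oid(sig_oid)) + _encode_tlv(0x05, b""))
    sig = _encode_tlv(0x03, b"\x00" + b"\x00" * 32)   # BIT STRING, 0 unused bits
    return _encode_tlv(0x30, tbs + algid + sig)


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        name, weak = check_cert(pem_to_der(der_to_pem(build_dummy_cert(oid))))
        print(f"{name}: {'REJECT (weak signature)' if weak else 'ok'}")
```

To run it against a real file, replace the `__main__` loop with `check_cert(pem_to_der(open("server.pem").read()))`; the same information is what `openssl x509 -in server.pem -noout -text` prints as "Signature Algorithm". Note that the checker inspects the outer signatureAlgorithm of one certificate only: when the server certificate is issued by a private CA, the CA certificate(s) in the chain need the same check, since a supplicant that rejects MD5 signatures will reject an MD5-signed issuer just as it rejects an MD5-signed leaf.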