WinXP+PEAP+Cert Behavior

Bryan Kadzban bryan at kadzban.is-a-geek.net
Wed Nov 29 23:17:00 EST 2006


Benn wrote:
> I'm trying to take advantage of the WindowsXP Zero Configuration

I assume you're connecting to hostapd then, right?  Which RADIUS server?

> What I /expect/ might work, is to use a server certificate signed by 
> a previously accepted CA (you know, like Verisign or some such).

Well, yes, the cert has to be signed by a CA whose cert is in the
"trusted root store".  But by default the WZC stuff is *also* set to
"validate server certificate" and no CAs selected, so by default no
certs are trusted.  So by default it won't talk to any RADIUS server.

The "validate server certificate" setting is a way to make the client do
its inner MSCHAPv2 exchange with only trusted RADIUS servers.  If the
client connected to somebody else's AP, then it's possible that the
user's password could be revealed by the inner authentication exchange
(the MSCHAPv2 one in a PEAP-MSCHAPv2 setup), because the RADIUS server
isn't really the right one.

But if you turn on the "validate" setting, then the client makes sure
the RADIUS server's cert is signed by whichever CA(s) you put a check
mark next to in the list.  So you're supposed to make sure nobody else
can get a cert for their RADIUS server from that CA.  (Actually I think
it's more likely to be used with "internal" CAs that are set up by a
single organization.  It's probably not for CAs like Verisign, because
they'll sell a cert to almost anybody.)

> I haven't been able to establish exactly what authentication policy
> the XP machine is using, but it's definitely sending out some kind of
> packets.

Is hostapd logging these packets?  ;-)

In any case, I'd check the "validate server cert" settings.  It's in the
WZC setup dialog, under where you choose the authentication type as PEAP
(there's an "advanced" button or something like that, that will bring up
another dialog).  Either turn off validation if you don't care about
letting your clients talk to random RADIUS servers, or make sure the CA
that signed your RADIUS server's cert is checked.
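As an added illustration (not part of Bryan's message), this reproduces with the openssl CLI the check the client performs once "validate server certificate" is on and a CA is ticked: a RADIUS server cert that chains to the ticked internal CA is accepted, one issued by any other CA is rejected. The CA names, server names and certs are all constructed locally; it assumes only that `openssl` is on the PATH.

```shell
#!/bin/sh
# Constructed demo: an "internal" CA standing in for the one ticked in the
# WZC list, a second CA standing in for any other issuer, and one RADIUS
# server certificate issued by each.
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Corp Internal Root CA" \
        -keyout "$dir/corp-ca.key" -out "$dir/corp-ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Some Other CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
    issue_server_cert "$dir" corp  "$dir/corp-ca.pem"  "$dir/corp-ca.key"
    issue_server_cert "$dir" other "$dir/other-ca.pem" "$dir/other-ca.key"
}

# issue_server_cert DIR LABEL CA_CERT CA_KEY
# Issues a RADIUS server certificate for "radius.LABEL.example" signed by the CA.
issue_server_cert() {
    dir="$1"; label="$2"; ca_cert="$3"; ca_key="$4"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.$label.example" \
        -keyout "$dir/$label-radius.key" -out "$dir/$label-radius.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$label-radius.csr" \
        -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
        -out "$dir/$label-radius.pem" 2>/dev/null
}

# supplicant_would_accept TICKED_CA_CERT SERVER_CERT
# Exit 0 when SERVER_CERT chains to the ticked CA (client proceeds to the
# inner MSCHAPv2 exchange), non-zero otherwise (client stops before it).
supplicant_would_accept() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: only the corp-issued server cert passes against corp-ca.pem.
work=$(mktemp -d)
make_demo_certs "$work"
for label in corp other; do
    if supplicant_would_accept "$work/corp-ca.pem" "$work/$label-radius.pem"; then
        echo "$label RADIUS server: accepted (cert chains to the ticked CA)"
    else
        echo "$label RADIUS server: rejected (issuer is not the ticked CA)"
    fi
done
rm -rf "$work"
```

Turning validation off corresponds to skipping `supplicant_would_accept` entirely, which is why the inner password exchange then runs against whichever RADIUS server answers.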
