WinXP+PEAP+Cert Behavior

Benn bb.hostap at magitech.org
Thu Nov 30 00:11:52 EST 2006 

Hi Bryan, thanks for the details.  I admit right off that I'm asking prior to doing sufficent groundwork, so I apologize in advance.

On Wed, Nov 29, 2006 at 11:17:00PM -0500, Bryan Kadzban wrote:
> Benn wrote:
> > I'm trying to take advantage of the WindowsXP Zero Configuration
> 
> I assume you're connecting to hostapd then, right?  Which RADIUS server?

I've been fiddling with freeradius, to date.

> > What I /expect/ might work, is to use a server certificate signed by 
> > a previously accepted CA (you know, like Verisign or some such).
> 
> Well, yes, the cert has to be signed by a CA whose cert is in the
> "trusted root store".  But by default the WZC stuff is *also* set to
> "validate server certificate" and no CAs selected, so by default no
> certs are trusted.  So by default it won't talk to any RADIUS server.

Thanks for the well crafted answer, that was basically what I expected to hear, but was hoping otherwise :)  The interesting thing is, the client is definitely sending out some kind of packet which gets turned into a request to the radius server:

<<HOSTAPD
   IEEE 802.1X: 9 bytes from 00:13:d3:6f:b1:4e
      IEEE 802.1X: version=1 type=0 length=5
      EAP: code=2 identifier=1 length=5 (response)
   ath0: STA 00:13:d3:6f:b1:4e IEEE 802.1X: received EAP packet (code=2 id=1 len=5) from STA: EAP Response-Identity (1)
   ath0: STA 00:13:d3:6f:b1:4e IEEE 802.1X: STA identity ''
   IEEE 802.1X: 00:13:d3:6f:b1:4e BE_AUTH entering state RESPONSE

It gets packaged up to the radius server, which says:

<<FREERADIUS
   rad_recv: Access-Request packet from host 127.0.0.1:32771, id=1, length=140
           User-Name = ""
           NAS-IP-Address = 127.0.0.1
           NAS-Port = 0
           Called-Station-Id = "00-14-6C-A2-85-F8:test00"
           Calling-Station-Id = "00-13-D3-6F-B1-4E"
           Framed-MTU = 1400
           NAS-Port-Type = Wireless-802.11
           Connect-Info = "CONNECT 11Mbps 802.11b"
           EAP-Message = 0x0201000501
           Message-Authenticator = 0x533dd02e9989488687e022432e064d03

Now, ideally I would somehow encourage the radius server to send back a "yup, all good" reply (or modify the internal-to-hostapd radius server to do the same), hostapd would consider everything kosher, and we'd be off.

> Is hostapd logging these packets?  ;-)

See above :)

> In any case, I'd check the "validate server cert" settings.  It's in the

Any other day, that'd probably be perfect.  The operational requirements however are "0 user input".  Cheatings acceptable, fractured security is even somewhat acceptable, as long as the traffic is not directly sniffable, or so the management says.

/I'd/ still like it as secure as possible, however.

Comments?
--Benn

More information about the HostAP mailing list