Archived from groups: microsoft.public.win32.programmer.networks, microsoft.public.internet.radius, microsoft.public.windows.networking.wireless
Howdy,
I am writing an 802.1x wireless client program that will (I hope) support
authentication using PEAP/MSCHAPV2 authentication. I have a question, but
first please let me tell you where I am, then I will state my question:
I have a complete phase 1 of PEAP and have a working TLS tunnel. Through
this tunnel I receive what I'm pretty sure is the MSCHAPV2 eight byte server
challenge.
I then construct the 49 byte client response per the MSCHAP specification.
I think my basic crypto code is correct, because when I run the test vectors
that are included with the open source WPA_Supplicant program I get the same
results.
When I send my response the servers always respond with EAP-Failure. The
open source hostapd server complains about a bad TLS MAC.
When I use Ethereal to compare what I send with what Windows Zero Conf (WZC)
AND WPA_Supplicant send, there are noticeable differences as follows:
1) WZC sends one EAP packet containing one TLS application data packet with
a byte payload.
2) WPA_Supplicant sends one EAP packet which contains two TLS application
data packets, one 38 bytes long, the second being 48 bytes long.
3) My client sends one EAP packet with one TLS application data packet with
a 66 byte payload which contains the 49 byte CHAP response packet (RFC 2759,
para 4).
My question is this:
The MSCHAP response to the server challenge is the 49 byte structure defined
in RFC 2759, para 4. Why then do both WZC and WPA_Supplicant respond to the
MSCHAPV2 server challenge message with an initial TLS Application data
packet that is smaller than the 49 byte client response message?
Jim Howard
jim [at] grayraven [dot] com