Wireless PEAP/MSCHAPV2 client programming question

Discussion in 'Wireless Networking' started by Jim Howard, Jun 28, 2005.

  1. Jim Howard

    Jim Howard Guest

    Howdy,

    I am writing an 802.1x wireless client program that will (I hope) support
    authentication using PEAP/MSCHAPV2 authentication. I have a question, but
    first please let me tell you where I am, then I will state my question:

    I have a complete phase 1 of PEAP and have a working TLS tunnel. Through
    this tunnel I receive what I'm pretty sure is the MSCHAPV2 eight byte server
    challenge.

    I then construct the 49 byte client response per the MSCHAP specficiation.
    I think my basic crypto code is correct, because when I run the test vectors
    that are included with the open source WPA_Supplicant program I get the same
    results.

    When I send me response the servers always respond with EAP-Failure. The
    open source Hostapd server complains about a bad TLS mac.

    When I use Ethereal to compare what I send with what Windows Zero Conf (WZC)
    AND WPA_Supplicant send there are noticable differences as follows:

    1) WZC sends one EAP packet containing one TLS application data packet with
    a byte payload.
    2) WPA_Supplicant sends one EAP packet which contains two TLS application
    data packets, one 38 bytes long, the second being 48 bytes long.
    3) My client sends one EAP packet with one TLS application data packet with
    a 66 byte payload which contains the 49 byte CHAP response packet (RFC 2759,
    para 4).

    My question is this:

    The MSCHAP response to the server challenge is the 49 byte structure defined
    in RFC 2759, para 4. Why then do both WZC and WPA_Supplicant respond to the
    MSCHAPV2 server challenge message with an initial TLS Applciation data
    packet that is smaller than the 49 byte client response message?

    Jim Howard
    jim [at] grayraven [dot] com
    Jim Howard, Jun 28, 2005
    #1
    1. Advertising

  2. Jim maybe ask ( I believe you have their e-mail ) that from
    open source WPA_Supplicant program guys , btw which one do you use ?
    Arkady

    "Jim Howard" <> wrote in message
    news:uPIIIu$...
    > Howdy,
    >
    > I am writing an 802.1x wireless client program that will (I hope) support
    > authentication using PEAP/MSCHAPV2 authentication. I have a question, but
    > first please let me tell you where I am, then I will state my question:
    >
    > I have a complete phase 1 of PEAP and have a working TLS tunnel. Through
    > this tunnel I receive what I'm pretty sure is the MSCHAPV2 eight byte
    > server challenge.
    >
    > I then construct the 49 byte client response per the MSCHAP specficiation.
    > I think my basic crypto code is correct, because when I run the test
    > vectors that are included with the open source WPA_Supplicant program I
    > get the same results.
    >
    > When I send me response the servers always respond with EAP-Failure. The
    > open source Hostapd server complains about a bad TLS mac.
    >
    > When I use Ethereal to compare what I send with what Windows Zero Conf
    > (WZC) AND WPA_Supplicant send there are noticable differences as follows:
    >
    > 1) WZC sends one EAP packet containing one TLS application data packet
    > with a byte payload.
    > 2) WPA_Supplicant sends one EAP packet which contains two TLS application
    > data packets, one 38 bytes long, the second being 48 bytes long.
    > 3) My client sends one EAP packet with one TLS application data packet
    > with a 66 byte payload which contains the 49 byte CHAP response packet
    > (RFC 2759, para 4).
    >
    > My question is this:
    >
    > The MSCHAP response to the server challenge is the 49 byte structure
    > defined in RFC 2759, para 4. Why then do both WZC and WPA_Supplicant
    > respond to the MSCHAPV2 server challenge message with an initial TLS
    > Applciation data packet that is smaller than the 49 byte client response
    > message?
    >
    > Jim Howard
    > jim [at] grayraven [dot] com
    >
    >
    Arkady Frenkel, Jun 29, 2005
    #2
    1. Advertising

  3. Jim Howard

    Jim Howard Guest

    I've posted several questions on the hostapd/wpa_supplicant mailing list,
    but never get an answer.

    I figured since MSCHAP is a Microsoft protocol, someone on the Ms newsgroups
    might be familar with implementing this protocol.

    I'm writing my own client for a special purpose application, and I use
    windows zero conf and wpa_supplicant as role models.

    thanks

    Jim



    "Arkady Frenkel" <> wrote in message
    news:...
    > Jim maybe ask ( I believe you have their e-mail ) that from
    > open source WPA_Supplicant program guys , btw which one do you use ?
    > Arkady
    >
    > "Jim Howard" <> wrote in message
    > news:uPIIIu$...
    >> Howdy,
    >>
    >> I am writing an 802.1x wireless client program that will (I hope) support
    >> authentication using PEAP/MSCHAPV2 authentication. I have a question, but
    >> first please let me tell you where I am, then I will state my question:
    >>
    >> I have a complete phase 1 of PEAP and have a working TLS tunnel. Through
    >> this tunnel I receive what I'm pretty sure is the MSCHAPV2 eight byte
    >> server challenge.
    >>
    >> I then construct the 49 byte client response per the MSCHAP
    >> specficiation. I think my basic crypto code is correct, because when I
    >> run the test vectors that are included with the open source
    >> WPA_Supplicant program I get the same results.
    >>
    >> When I send me response the servers always respond with EAP-Failure. The
    >> open source Hostapd server complains about a bad TLS mac.
    >>
    >> When I use Ethereal to compare what I send with what Windows Zero Conf
    >> (WZC) AND WPA_Supplicant send there are noticable differences as follows:
    >>
    >> 1) WZC sends one EAP packet containing one TLS application data packet
    >> with a byte payload.
    >> 2) WPA_Supplicant sends one EAP packet which contains two TLS
    >> application data packets, one 38 bytes long, the second being 48 bytes
    >> long.
    >> 3) My client sends one EAP packet with one TLS application data packet
    >> with a 66 byte payload which contains the 49 byte CHAP response packet
    >> (RFC 2759, para 4).
    >>
    >> My question is this:
    >>
    >> The MSCHAP response to the server challenge is the 49 byte structure
    >> defined in RFC 2759, para 4. Why then do both WZC and WPA_Supplicant
    >> respond to the MSCHAPV2 server challenge message with an initial TLS
    >> Applciation data packet that is smaller than the 49 byte client response
    >> message?
    >>
    >> Jim Howard
    >> jim [at] grayraven [dot] com
    >>
    >>

    >
    >
    Jim Howard, Jun 29, 2005
    #3
  4. Jim I can only advice to check open source ( linux ) how it works with
    RADIUS
    Arkady

    "Jim Howard" <> wrote in message
    news:...
    > I've posted several questions on the hostapd/wpa_supplicant mailing list,
    > but never get an answer.
    >
    > I figured since MSCHAP is a Microsoft protocol, someone on the Ms
    > newsgroups might be familar with implementing this protocol.
    >
    > I'm writing my own client for a special purpose application, and I use
    > windows zero conf and wpa_supplicant as role models.
    >
    > thanks
    >
    > Jim
    >
    >
    >
    > "Arkady Frenkel" <> wrote in message
    > news:...
    >> Jim maybe ask ( I believe you have their e-mail ) that from
    >> open source WPA_Supplicant program guys , btw which one do you use ?
    >> Arkady
    >>
    >> "Jim Howard" <> wrote in message
    >> news:uPIIIu$...
    >>> Howdy,
    >>>
    >>> I am writing an 802.1x wireless client program that will (I hope)
    >>> support authentication using PEAP/MSCHAPV2 authentication. I have a
    >>> question, but first please let me tell you where I am, then I will state
    >>> my question:
    >>>
    >>> I have a complete phase 1 of PEAP and have a working TLS tunnel.
    >>> Through this tunnel I receive what I'm pretty sure is the MSCHAPV2 eight
    >>> byte server challenge.
    >>>
    >>> I then construct the 49 byte client response per the MSCHAP
    >>> specficiation. I think my basic crypto code is correct, because when I
    >>> run the test vectors that are included with the open source
    >>> WPA_Supplicant program I get the same results.
    >>>
    >>> When I send me response the servers always respond with EAP-Failure.
    >>> The open source Hostapd server complains about a bad TLS mac.
    >>>
    >>> When I use Ethereal to compare what I send with what Windows Zero Conf
    >>> (WZC) AND WPA_Supplicant send there are noticable differences as
    >>> follows:
    >>>
    >>> 1) WZC sends one EAP packet containing one TLS application data packet
    >>> with a byte payload.
    >>> 2) WPA_Supplicant sends one EAP packet which contains two TLS
    >>> application data packets, one 38 bytes long, the second being 48 bytes
    >>> long.
    >>> 3) My client sends one EAP packet with one TLS application data packet
    >>> with a 66 byte payload which contains the 49 byte CHAP response packet
    >>> (RFC 2759, para 4).
    >>>
    >>> My question is this:
    >>>
    >>> The MSCHAP response to the server challenge is the 49 byte structure
    >>> defined in RFC 2759, para 4. Why then do both WZC and WPA_Supplicant
    >>> respond to the MSCHAPV2 server challenge message with an initial TLS
    >>> Applciation data packet that is smaller than the 49 byte client response
    >>> message?
    >>>
    >>> Jim Howard
    >>> jim [at] grayraven [dot] com
    >>>
    >>>

    >>
    >>

    >
    >
    Arkady Frenkel, Jul 1, 2005
    #4
  5. Jim Howard

    Jim Howard Guest

    "Arkady Frenkel" <> wrote in message
    news:...
    > Jim I can only advice to check open source ( linux ) how it works with
    > RADIUS
    > Arkady
    >


    Arkady, thanks. I am doing that.

    The core problem I have is that of the blind men and the elephant. While we
    have specs for each part of the process, EAP, PEAP, TLS, MSCHAP (V0,V1,V2),
    WPA, RADIUS and others, it's hard to find documentation that describes
    exactly how all these different specs interact down where the rubber meets
    the road.

    I am making some progress. When (think positive!) I have the whole
    peap/mschapv2/wpa thing figured out I'll come back and answer my own
    question.

    But if I ever meet the programmer who coded Windows Zero Conf, I'd buy beer
    for as long as he or she would talk about implementation details!


    Jim
    Jim Howard, Jul 1, 2005
    #5
  6. Some details of WZC you can take from Windows CE , look at Platform Builder
    source directories DRIVERS\NETSAMP\WZCTOOL and DRIVERS\NETUI for that too.
    About beer , I have some doubts :) because they sign NDA
    Arkady

    "Jim Howard" <> wrote in message
    news:...
    >
    > "Arkady Frenkel" <> wrote in message
    > news:...
    >> Jim I can only advice to check open source ( linux ) how it works with
    >> RADIUS
    >> Arkady
    >>

    >
    > Arkady, thanks. I am doing that.
    >
    > The core problem I have is that of the blind men and the elephant. While
    > we have specs for each part of the process, EAP, PEAP, TLS, MSCHAP
    > (V0,V1,V2), WPA, RADIUS and others, it's hard to find documentation that
    > describes exactly how all these different specs interact down where the
    > rubber meets the road.
    >
    > I am making some progress. When (think positive!) I have the whole
    > peap/mschapv2/wpa thing figured out I'll come back and answer my own
    > question.
    >
    > But if I ever meet the programmer who coded Windows Zero Conf, I'd buy
    > beer for as long as he or she would talk about implementation details!
    >
    >
    > Jim
    >
    Arkady Frenkel, Jul 2, 2005
    #6
  7. Forgot to mention , that WPA2 enhancements issued after XP SP2 ( the same
    time CE 5 ) so I'm afraid that you'll not see them in PB but WEP/WPA do have
    shown there
    Arkady

    "Arkady Frenkel" <> wrote in message
    news:...
    > Some details of WZC you can take from Windows CE , look at Platform
    > Builder source directories DRIVERS\NETSAMP\WZCTOOL and DRIVERS\NETUI for
    > that too.
    > About beer , I have some doubts :) because they sign NDA
    > Arkady
    >
    > "Jim Howard" <> wrote in message
    > news:...
    >>
    >> "Arkady Frenkel" <> wrote in message
    >> news:...
    >>> Jim I can only advice to check open source ( linux ) how it works with
    >>> RADIUS
    >>> Arkady
    >>>

    >>
    >> Arkady, thanks. I am doing that.
    >>
    >> The core problem I have is that of the blind men and the elephant. While
    >> we have specs for each part of the process, EAP, PEAP, TLS, MSCHAP
    >> (V0,V1,V2), WPA, RADIUS and others, it's hard to find documentation that
    >> describes exactly how all these different specs interact down where the
    >> rubber meets the road.
    >>
    >> I am making some progress. When (think positive!) I have the whole
    >> peap/mschapv2/wpa thing figured out I'll come back and answer my own
    >> question.
    >>
    >> But if I ever meet the programmer who coded Windows Zero Conf, I'd buy
    >> beer for as long as he or she would talk about implementation details!
    >>
    >>
    >> Jim
    >>

    >
    >
    Arkady Frenkel, Jul 2, 2005
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. me

    PEAP/MSCHAPV2 need server certificate ??

    me, Aug 31, 2005, in forum: Wireless Networking
    Replies:
    1
    Views:
    3,656
    Jerry Peterson[MSFT]
    Sep 1, 2005
  2. Ernie

    Wireless Bridge Supporting PEAP-MSCHAPv2

    Ernie, Sep 29, 2005, in forum: Wireless Networking
    Replies:
    0
    Views:
    627
    Ernie
    Sep 29, 2005
  3. =?Utf-8?B?a3JhYmVy?=

    PEAP-MSChapV2 only administrators stay connected

    =?Utf-8?B?a3JhYmVy?=, Feb 28, 2006, in forum: Wireless Networking
    Replies:
    4
    Views:
    1,158
    =?Utf-8?B?YmVhdG5paw==?=
    May 22, 2006
  4. =?Utf-8?B?Sm9obg==?=

    Wireless PEAP with MSCHAPv2

    =?Utf-8?B?Sm9obg==?=, Mar 17, 2006, in forum: Wireless Networking
    Replies:
    0
    Views:
    539
    =?Utf-8?B?Sm9obg==?=
    Mar 17, 2006
  5. =?Utf-8?B?Um9hZHlSdW5uZXI=?=

    GPO to push Wireless Settings to Clients - PEAP-MSCHAPv2 and Auto

    =?Utf-8?B?Um9hZHlSdW5uZXI=?=, Jan 30, 2007, in forum: Wireless Networking
    Replies:
    0
    Views:
    1,068
    =?Utf-8?B?Um9hZHlSdW5uZXI=?=
    Jan 30, 2007
Loading...

Share This Page