Hi,



We have customers who insist on keeping the Fast Reconnect option enabled
for PEAP authentication. Our wireless terminal is running CE .NET 4.2, QFE
level 2004-Q3. On a warm/cold boot the terminal associates and connects
properly. In this case a full handshake conversation takes place. However, if
the wireless terminal roams or suspends/resumes, then it cannot connect
anymore.



QFE 030930_KB827824 confirms that PEAP Fast Reconnect is not supported in CE
.NET 4.2 and specifies in the "More Information" section that:



"The fix that is in this update does not add support for PEAP Fast Reconnect
to Windows CE .NET. The fix only enables PEAP authentication to continue
when the fast reconnection attempt is unsuccessful."



When the authentication fails the debug captured from our wireless device
shows that:



- PEAP phase 1: the session resumption is successful
- when phase 2 starts the PEAP server attempts to do fast reconnect (as a
  result of the successful session resumption in phase 1)
- the peer receives the packet:
  - EAP Request 0x01
  - message ID 0x32 (for this particular case)
  - PEAP version 0
  - TLS version 1
  - TLS packet content type 0x17 Application Data
  - TLS data (encrypted)
- the peer decrypts the data and detects that the server attempts fast
  reconnect (this is spelled out in the debug message)
- the peer builds a fail response
- however the response message ID is 0x04 whereas it is supposed to match
  the request ID
- the response is transmitted
- the authenticator (i.e. access point) discards the fail response (see
  below excerpt from RFC 3748)
- the PEAP server does not receive any response and the conversation fails



RFC 3748 (EAP) states in section 4.1:



"The authenticator is also responsible for discarding Response messages with
a non-matching Identifier value before acting on them in any way, including
passing them on to the backend authentication server for verification."


So apparently the peer, although it does attempt to continue the conversation,
fails to respond correctly as per the EAP specs, and the whole authentication
fails. I should mention that the server is Cisco Secure ACS v3.3 running on
a Windows 2003 Server box (although this detail should be irrelevant in this
case).
Any updates on this issue will be appreciated.




Thanks.

-Adrian

START DEBUG >>>>>>>>>



EOL: Supp RX Type=EAPOL_EAP_Packet

EAP: Supp RX packet 0x26 bytes:

0000 01 32 00 26 19 00 17 03-01 00 1B F9 E8 C0 1C 35 .2.&...........5

0010 CF 1F 5B E8 CB 51 71 20-2A 96 04 A3 87 87 20 E9 ..[..Qq *..... .

0020 79 2A FD 0C 74 6A - y*..tj

EAP: Supp RX Type=Request/Auth 19 Id=50

PEAP: CMakeMessage pRxPacket=64ef8ee Len=38 State=PEAP_STATE_TLS_INPROGRESS

EapTlsMakeMessage(swtest)>> Received Request (Code: 1) packet: Id: 50,
Length: 38, Type: 13, TLS blob length: 0. Flags:

EapTlsCMakeMessageNegotiation successful

PEAP: State PEAP_STATE_TLS_INPROGRESS --> PEAP_STATE_TLS_DONE

PeapGetTunnelProperties

PeapGetTunnelProperties done

PeapClientDecryptTunnelData

PeapDecryptTunnelData

PeapDecryptTunnelData completed with status 0x0

PEAP: Got AVP Status 1

PEAP: Server attempting fast reconnect - not supported, sending fail
response

PeapEncryptTunnelData

PeapEncryptTunnelData completed with status 0x0

EAP: Supp - Action: Send Response/Auth Id=4

EAP: Supp TX Type=Response/Auth 19 Id=4

EAP: Supp TX packet 0x26 bytes:

0000 02 04 00 26 19 00 17 03-01 00 1B 57 E2 E0 C0 AA ...&.......W....

0010 3F 1D D9 72 9F 03 9B C7-69 5D 95 33 8E DF 8E 79 ?..r....i].3...y

0020 00 9B 0F AD F6 39 - .....9

EOL: Supp TX Type=EAPOL_EAP_Packet



<<<<<<<<<< END DEBUG
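As an added illustration (not part of the original post, the CE supplicant or Cisco ACS), the Python below parses the two EAP packets from the debug trace above and applies the RFC 3748 section 4.1 identifier check that the access point performs, which is why the Id=4 fail response never reaches the server. The PEAP flags byte layout (version in the low three bits, length-included flag in the high bit) is taken from the PEAP draft and is an assumption here.

```python
import struct

# Hex dumps copied from the debug trace in the post: the EAP Request (Id 50)
# and the supplicant's EAP Response (Id 4). EAPOL framing is not shown in the
# trace, so it is not included.
EAP_REQUEST = bytes.fromhex(
    "01 32 00 26 19 00 17 03 01 00 1B F9 E8 C0 1C 35"
    "CF 1F 5B E8 CB 51 71 20 2A 96 04 A3 87 87 20 E9"
    "79 2A FD 0C 74 6A"
)
EAP_RESPONSE = bytes.fromhex(
    "02 04 00 26 19 00 17 03 01 00 1B 57 E2 E0 C0 AA"
    "3F 1D D9 72 9F 03 9B C7 69 5D 95 33 8E DF 8E 79"
    "00 9B 0F AD F6 39"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 0x19          # Type 25, PEAP
TLS_APPLICATION_DATA = 0x17   # TLS record content type for application data


def parse_eap(pkt):
    """Parse the EAP header (RFC 3748 section 4) and, for a PEAP packet, the
    PEAP flags byte plus the TLS record header that follows it."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != packet length {len(pkt)}")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        info["type"] = pkt[4]
        if pkt[4] == EAP_TYPE_PEAP:
            flags = pkt[5]                      # assumed PEAP draft layout
            info["peap_version"] = flags & 0x07
            info["peap_length_included"] = bool(flags & 0x80)
            ct, major, minor, tls_len = struct.unpack("!BBBH", pkt[6:11])
            info["tls_content_type"] = ct
            info["tls_version"] = (major, minor)   # (3, 1) is TLS 1.0
            info["tls_record_length"] = tls_len
    return info


def authenticator_accepts(request, response):
    """RFC 3748 section 4.1: a Response whose Identifier does not match the
    outstanding Request is discarded and never forwarded to the server."""
    req, rsp = parse_eap(request), parse_eap(response)
    return (req["code"] == "Request" and rsp["code"] == "Response"
            and req["id"] == rsp["id"])
```

Patching the response's Identifier byte to the request's value (0x32) is enough to make the check pass, which is the behaviour the RFC requires of a conforming peer.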

Re: PEAP Fast Reconnect in CE .NET 4.2 by Adrian

Adrian
Thu Feb 03 19:01:03 CST 2005

Would anybody know if CE 5.0 supports PEAP Fast Reconnect?

Thanks.
-Adrian