
TLS accept client certificate failed #24

Open
Lexus89 opened this issue Aug 10, 2018 · 4 comments

Lexus89 commented Aug 10, 2018

I have been testing the functionality lately and it definitely has improved a lot!

When reading the wiki I saw a function that was not mentioned in the default hostapd.conf provided with the mana functionality (mana_eaptls=1). Creating the following Wi-Fi profile on my Android device (8.0.0) still results in failed authentication.

  • Using TLS
  • Do NOT validate server certificate
  • Do NOT provide a client certificate

singe commented Aug 10, 2018 via email


Lexus89 commented Aug 10, 2018

Yeah, weirdly enough my Android Wi-Fi profile setup lets me connect without providing a client certificate. I checked the logs and hostapd receives my Identity (hacker), so Android seems to accept this. Haven't tested it with a real client cert yet, though, to see whether a MITM will work.

  wlan0: STA d4:38:9c:60:0f:18 IEEE 802.1X: received EAP packet (code=2 id=204 len=11) from STA: EAP Response-Identity (1)
  IEEE 802.1X: d4:38:9c:60:0f:18 BE_AUTH entering state RESPONSE
  EAP: EAP entering state RECEIVED
  EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=204 respMethod=1 respVendor=0 respVendorMethod=0
  EAP: EAP entering state INTEGRITY_CHECK
  EAP: EAP entering state METHOD_RESPONSE
  EAP-Identity: Peer identity - hexdump_ascii(len=6): 68 61 63 6b 65 72 hacker
  EAP: EAP entering state SELECT_ACTION
  MANA EAP Identity Phase 0: hacker
  EAP: getDecision: another method available -> CONTINUE
  EAP: EAP entering state PROPOSE_METHOD
  EAP: getNextMethod: vendor 0 type 25
  wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
  EAP: EAP entering state METHOD_REQUEST
  EAP: building EAP-Request: Identifier 205
  EAP-PEAP: START -> PHASE1
  EAP: EAP entering state SEND_REQUEST
  EAP: EAP entering state IDLE


singe commented Aug 21, 2018

Your device is trying to connect with PEAP. I've tried, but have been unable to get hostapd to create a network that advertises itself as only EAP-TLS, even with the following directive:

nai_realm=0,MANA,12[5:6]

This should advertise the network as EAP-TLS, but my iOS and macOS devices will still try PEAP.

Also, hostapd.eap_user lets you configure the EAP modes accepted, so by default hostapd networks will negotiate the EAP type based on what you configure in there, and most devices default to PEAP if it's available. This means that, at least on iOS, you need an MDM profile to configure EAP-TLS, and on macOS you need to configure the network explicitly.
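The two points in this thread, the debug log showing the STA being offered method 25 and the remark that hostapd.eap_user decides which EAP methods the AP will negotiate, can be checked together with a small script. The following is an added example, not code from the hostapd-mana project or from either commenter. It parses a hostapd.eap_user file using the format hostapd's config reader accepts (a bare `*` wildcard, a `"identity"` or `"prefix"*` entry, a comma-separated method list, optional password, and `[2]` for inner-phase users), mimics hostapd's first-match-in-file-order lookup, and pulls the peer identity and the proposed method out of hostapd's `EAP-Identity` and `CTRL-EVENT-EAP-PROPOSED-METHOD` lines. Method numbers follow the IANA EAP registry (13 is EAP-TLS, 25 is PEAP). The eap_user contents and log lines are constructed for the example; nothing here asserts what hostapd-mana's shipped eap_user actually contains.

```python
"""Added example (not hostapd-mana project code).  Reads a hostapd.eap_user
file and hostapd EAP debug output to show which method the AP would propose
first for the identity seen in the log, and which one it actually proposed.
All sample input below is constructed."""
import re

# EAP method type numbers from the IANA EAP registry (RFC 3748 and later).
EAP_TYPE_NAMES = {
    4: "MD5", 6: "GTC", 13: "TLS", 18: "SIM", 21: "TTLS", 23: "AKA",
    25: "PEAP", 26: "MSCHAPV2", 43: "FAST", 50: "AKA'", 52: "PWD", 55: "TEAP",
}

# One eap_user line: `*`, `"identity"` or `"prefix"*`, then the comma-separated
# method list, then an optional quoted password and the `[2]` phase-2 marker.
EAP_USER_LINE = re.compile(r'''^(\*|"([^"]*)"(\*)?)\s+([A-Za-z0-9_',-]+)(.*)$''')
IDENTITY_LINE = re.compile(
    r"EAP-Identity: Peer identity - hexdump_ascii\(len=(\d+)\):((?:\s+[0-9a-f]{2})+)")
PROPOSED_LINE = re.compile(r"CTRL-EVENT-EAP-PROPOSED-METHOD vendor=(\d+) method=(\d+)")


def parse_eap_user(text):
    """Return the eap_user entries in file order (passwords are ignored)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EAP_USER_LINE.match(line)
        if not m:
            continue
        whole, ident, prefix, methods, rest = m.groups()
        entries.append({
            "identity": None if whole == "*" else ident,  # None = bare wildcard
            "prefix": prefix == "*",
            "methods": methods.split(","),
            "phase2": "[2]" in rest,
        })
    return entries


def lookup_eap_user(entries, identity, phase2=False):
    """Mimic hostapd's lookup: the first matching entry in file order wins.
    Exact and prefix entries must be for the requested phase; the bare `*`
    wildcard only applies to phase 1."""
    for e in entries:
        if e["identity"] is None:
            if not phase2:
                return e
            continue
        if e["phase2"] != phase2:
            continue
        if (e["prefix"] and identity.startswith(e["identity"])) or \
                (not e["prefix"] and identity == e["identity"]):
            return e
    return None


def parse_eap_log(text):
    """Extract the peer identity and every proposed IETF method (vendor 0).
    Assumes the hexdump_ascii bytes sit on the same line as the header, as in
    the flattened log pasted in the thread."""
    found = {"identity": None, "proposed": []}
    for line in text.splitlines():
        m = IDENTITY_LINE.search(line)
        if m:
            n = int(m.group(1))  # len= bounds the hex bytes; the ASCII tail is ignored
            found["identity"] = bytes.fromhex(
                "".join(m.group(2).split()[:n])).decode("utf-8", "replace")
        m = PROPOSED_LINE.search(line)
        if m and int(m.group(1)) == 0:
            found["proposed"].append(int(m.group(2)))
    return found


def explain(eap_user_text, log_text):
    """Compare what eap_user would offer first with what the log shows."""
    log = parse_eap_log(log_text)
    entry = lookup_eap_user(parse_eap_user(eap_user_text), log["identity"] or "")
    offered = entry["methods"] if entry else []
    return {
        "identity": log["identity"],
        "offered": offered,
        "first_offer": offered[0] if offered else None,
        "proposed_in_log": [EAP_TYPE_NAMES.get(t, f"type {t}") for t in log["proposed"]],
        "tls_only": offered == ["TLS"],
    }


# Constructed eap_user files (tab-separated, as hostapd expects).  A permissive
# wildcard proposes PEAP first; a TLS-only wildcard leaves the AP nothing else.
EAP_USER_PERMISSIVE = '*\tPEAP,TTLS,TLS,FAST\n"t"\tMSCHAPV2,GTC\t"password"\t[2]\n'
EAP_USER_TLS_ONLY = '*\tTLS\n'

# Constructed log lines in the shape of the debug output pasted in the thread.
SAMPLE_LOG = """\
EAP-Identity: Peer identity - hexdump_ascii(len=6): 68 61 63 6b 65 72 hacker
EAP: getNextMethod: vendor 0 type 25
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP-PEAP: START -> PHASE1
"""

if __name__ == "__main__":
    for label, cfg in (("permissive", EAP_USER_PERMISSIVE), ("tls-only", EAP_USER_TLS_ONLY)):
        print(label, explain(cfg, SAMPLE_LOG))
```

Run against the permissive file, the script reports that identity `hacker` would be offered PEAP first and that the log indeed shows PEAP proposed; against the TLS-only file it reports TLS as the only offer. That only constrains the AP side: as the comment above says, a client that is not explicitly configured for EAP-TLS will still try PEAP, so the eap_user change alone does not make the device present a client certificate.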

singe added the question label Aug 21, 2018

Lexus89 commented Aug 21, 2018

Thanks singe! I'm going to play with this a bit more.
