Re: PEAP TLV Type 8 and Fast Reconnect



Hi Wei Zheng,

Here is the server-side RASTLS log - looks like the server waits for the
client to respond but the client has silently discarded:

[3700] 07:18:40:097: RasEapGetInfo
[3700] 07:18:40:097: EapPeapBegin
[3700] 07:18:40:097: PeapReadUserData
[3700] 07:18:40:097:
[3700] 07:18:40:097: EapTlsBegin()
[3700] 07:18:40:097: SetupMachineChangeNotification
[3700] 07:18:40:097: State change to Initial
[3700] 07:18:40:097: EapTlsBegin: Detected PEAP authentication
[3700] 07:18:40:097: MaxTLSMessageLength is now 16384
[3700] 07:18:40:097: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[3700] 07:18:40:097: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[3700] 07:18:40:097: The root cert will not be checked for revocation
[3700] 07:18:40:097: The cert will be checked for revocation
[3700] 07:18:40:097: EapPeapBegin done
[3700] 07:18:40:097: EapPeapMakeMessage
[3700] 07:18:40:097: EapPeapSMakeMessage
[3700] 07:18:40:097: PEAP:PEAP_STATE_INITIAL
[3700] 07:18:40:097: EapTlsSMakeMessage
[3700] 07:18:40:097: EapTlsReset
[3700] 07:18:40:097: State change to Initial
[3700] 07:18:40:097: GetCredentials
[3700] 07:18:40:097: Flag is Server and Store is local Machine
[3700] 07:18:40:097: GetCachedCredentials Flags = 0x4061
[3700] 07:18:40:097: GetCachedCredentials: Using Cached Credentials
[3700] 07:18:40:097: GetCachedCredentials: Hash of the cert in the cache is

7A C4 A0 71 15 2A 9F D2 A4 F2 1A FD 96 38 54 84 |z..q.*.......8T.|
24 EC 68 BC 00 00 00 00 00 00 00 00 00 00 00 00 |$.h.............|
[3700] 07:18:40:097: BuildPacket
[3700] 07:18:40:097: << Sending Request (Code: 1) packet: Id: 3, Length: 6,
Type: 13, TLS blob length: 0. Flags: S
[3700] 07:18:40:097: State change to SentStart
[3700] 07:18:40:097: EapPeapSMakeMessage done
[3700] 07:18:40:097: EapPeapMakeMessage done
[1752] 07:18:41:035: EapPeapMakeMessage
[1752] 07:18:41:035: EapPeapSMakeMessage
[1752] 07:18:41:035: PEAP:PEAP_STATE_TLS_INPROGRESS
[1752] 07:18:41:035: EapTlsSMakeMessage
[1752] 07:18:41:035: MakeReplyMessage
[1752] 07:18:41:035: Reallocating input TLS blob buffer
[1752] 07:18:41:035: SecurityContextFunction
[1752] 07:18:41:035: AcceptSecurityContext returned 0x90312
[1752] 07:18:41:035: State change to SentHello
[1752] 07:18:41:035: BuildPacket
[1752] 07:18:41:035: << Sending Request (Code: 1) packet: Id: 4, Length:
132, Type: 13, TLS blob length: 122. Flags: L
[1752] 07:18:41:035: EapPeapSMakeMessage done
[1752] 07:18:41:035: EapPeapMakeMessage done
[3700] 07:18:41:066: EapPeapMakeMessage
[3700] 07:18:41:066: EapPeapSMakeMessage
[3700] 07:18:41:066: PEAP:PEAP_STATE_TLS_INPROGRESS
[3700] 07:18:41:066: EapTlsSMakeMessage
[3700] 07:18:41:066: MakeReplyMessage
[3700] 07:18:41:066: SecurityContextFunction
[3700] 07:18:41:066: AcceptSecurityContext returned 0x0
[3700] 07:18:41:066: AuthenticateUser
[3700] 07:18:41:066: QueryContextAttributes failed and returned 0x8009030e
[3700] 07:18:41:066: Got no credentials from the client and executing PEAP.
This is a success for eaptls.
[3700] 07:18:41:066: CreateMPPEKeyAttributes
[3700] 07:18:41:066: State change to SentFinished
[3700] 07:18:41:066: Negotiation successful
[3700] 07:18:41:066: BuildPacket
[3700] 07:18:41:066: << Sending Success (Code: 3) packet: Id: 5, Length: 4,
Type: 0, TLS blob length: 0. Flags:
[3700] 07:18:41:066: AuthResultCode = (0), bCode = (3)
[3700] 07:18:41:066: PeapGetTunnelProperties
[3700] 07:18:41:066: Successfully negotiated TLS with following
parametersdwProtocol = 0x40, Cipher= 0x6801, CipherStrength=0x80,
Hash=0x8003
[3700] 07:18:41:066: PeapGetTunnelProperties done
[3700] 07:18:41:066: GetTLSSessionCookie
[3700] 07:18:41:066: IsTLSSessionReconnect
[3700] 07:18:41:066: Session Reconnected.
[3700] 07:18:41:066: EapPeapSMakeMessage done
[3700] 07:18:41:066: EapPeapMakeMessage done
[3700] 07:18:41:081: PeapReadUserData
[3700] 07:18:41:081: EapPeapMakeMessage
[3700] 07:18:41:081: EapPeapSMakeMessage
[3700] 07:18:41:081: PEAP:PEAP_STATE_PEAPUPFRONT_FAST_RECONNECT
[3700] 07:18:41:081: Full authentication
[3700] 07:18:41:081: PeapEncryptTunnelData
[3700] 07:18:41:081: PeapEncryptTunnelData completed with status 0x0
[3700] 07:18:41:081: EapPeapSMakeMessage done
[3700] 07:18:41:081: EapPeapMakeMessage done
[1752] 07:18:41:097: EapPeapMakeMessage
[1752] 07:18:41:097: EapPeapSMakeMessage
[1752] 07:18:41:097: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[1752] 07:18:41:097: PeapDecryptTunnelData dwSizeofData = 0x1c, pData =
0x18fc686
[1752] 07:18:41:097: PeapDecryptTunnelData completed with status 0x0
[1752] 07:18:41:097: PeapEncryptTunnelData
[1752] 07:18:41:097: PeapEncryptTunnelData completed with status 0x0
[1752] 07:18:41:097: EapPeapSMakeMessage done
[1752] 07:18:41:097: EapPeapMakeMessage done
[3700] 07:18:41:113: EapPeapMakeMessage
[3700] 07:18:41:113: EapPeapSMakeMessage
[3700] 07:18:41:113: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[3700] 07:18:41:113: PeapDecryptTunnelData dwSizeofData = 0x52, pData =
0x1903cbe
[3700] 07:18:41:113: PeapDecryptTunnelData completed with status 0x0
[3700] 07:18:41:113: PeapEncryptTunnelData
[3700] 07:18:41:113: PeapEncryptTunnelData completed with status 0x0
[3700] 07:18:41:113: EapPeapSMakeMessage done
[3700] 07:18:41:113: EapPeapMakeMessage done
[1752] 07:18:41:128: EapPeapMakeMessage
[1752] 07:18:41:128: EapPeapSMakeMessage
[1752] 07:18:41:128: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[1752] 07:18:41:128: PeapDecryptTunnelData dwSizeofData = 0x17, pData =
0x1946196
[1752] 07:18:41:128: PeapDecryptTunnelData completed with status 0x0
[1752] 07:18:41:128: PeapSetTypeUserAttributes
[1752] 07:18:41:128: EapPeapSMakeMessage done
[1752] 07:18:41:128: EapPeapMakeMessage done
[1752] 07:18:41:144: EapPeapMakeMessage
[1752] 07:18:41:144: EapPeapSMakeMessage
[1752] 07:18:41:144: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV
[1752] 07:18:41:144: CreatePEAPTLVPacket
[1752] 07:18:41:144: PeapEncryptTunnelData
[1752] 07:18:41:144: PeapEncryptTunnelData completed with status 0x0
[1752] 07:18:41:144: EapPeapSMakeMessage done
[1752] 07:18:41:144: EapPeapMakeMessage done
[3700] 07:18:41:160: EapPeapMakeMessage
[3700] 07:18:41:160: EapPeapSMakeMessage
[3700] 07:18:41:160: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
[3700] 07:18:41:160: PeapDecryptTunnelData dwSizeofData = 0x20, pData =
0x18fc686
[3700] 07:18:41:160: PeapDecryptTunnelData completed with status 0x0
[3700] 07:18:41:160: GetPEAPTLVStatusMessageValue
[3700] 07:18:41:160: PeapAddContextAttributes
[3700] 07:18:41:160: RasAuthAttributeConcat
[3700] 07:18:41:160: EapPeapSMakeMessage done
[3700] 07:18:41:160: EapPeapMakeMessage done
[3700] 07:18:41:160: EapPeapEnd
[3700] 07:18:41:160: EapTlsEnd
[3700] 07:18:41:160: EapTlsEnd()
[3700] 07:18:41:160: EapPeapEnd done
[1752] 07:19:37:612: EapPeapBegin
[1752] 07:19:37:612: PeapReadUserData
[1752] 07:19:37:612:
[1752] 07:19:37:612: EapTlsBegin()
[1752] 07:19:37:612: SetupMachineChangeNotification
[1752] 07:19:37:612: State change to Initial
[1752] 07:19:37:612: EapTlsBegin: Detected PEAP authentication
[1752] 07:19:37:612: MaxTLSMessageLength is now 16384
[1752] 07:19:37:612: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1752] 07:19:37:612: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1752] 07:19:37:612: The root cert will not be checked for revocation
[1752] 07:19:37:612: The cert will be checked for revocation
[1752] 07:19:37:612: EapPeapBegin done
[1752] 07:19:37:612: EapPeapMakeMessage
[1752] 07:19:37:612: EapPeapSMakeMessage
[1752] 07:19:37:612: PEAP:PEAP_STATE_INITIAL
[1752] 07:19:37:612: EapTlsSMakeMessage
[1752] 07:19:37:612: EapTlsReset
[1752] 07:19:37:612: State change to Initial
[1752] 07:19:37:612: GetCredentials
[1752] 07:19:37:612: Flag is Server and Store is local Machine
[1752] 07:19:37:612: GetCachedCredentials Flags = 0x4061
[1752] 07:19:37:612: GetCachedCredentials: Using Cached Credentials
[1752] 07:19:37:612: GetCachedCredentials: Hash of the cert in the cache is

7A C4 A0 71 15 2A 9F D2 A4 F2 1A FD 96 38 54 84 |z..q.*.......8T.|
24 EC 68 BC 00 00 00 00 00 00 00 00 00 00 00 00 |$.h.............|
[1752] 07:19:37:612: BuildPacket
[1752] 07:19:37:612: << Sending Request (Code: 1) packet: Id: 13, Length: 6,
Type: 13, TLS blob length: 0. Flags: S
[1752] 07:19:37:612: State change to SentStart
[1752] 07:19:37:612: EapPeapSMakeMessage done
[1752] 07:19:37:612: EapPeapMakeMessage done
[3372] 07:19:38:174: EapPeapMakeMessage
[3372] 07:19:38:174: EapPeapSMakeMessage
[3372] 07:19:38:174: PEAP:PEAP_STATE_TLS_INPROGRESS
[3372] 07:19:38:174: EapTlsSMakeMessage
[3372] 07:19:38:174: MakeReplyMessage
[3372] 07:19:38:174: Reallocating input TLS blob buffer
[3372] 07:19:38:174: SecurityContextFunction
[3372] 07:19:38:174: AcceptSecurityContext returned 0x90312
[3372] 07:19:38:174: State change to SentHello
[3372] 07:19:38:174: BuildPacket
[3372] 07:19:38:174: << Sending Request (Code: 1) packet: Id: 14, Length:
132, Type: 13, TLS blob length: 122. Flags: L
[3372] 07:19:38:174: EapPeapSMakeMessage done
[3372] 07:19:38:174: EapPeapMakeMessage done
[1752] 07:19:38:205: EapPeapMakeMessage
[1752] 07:19:38:205: EapPeapSMakeMessage
[1752] 07:19:38:205: PEAP:PEAP_STATE_TLS_INPROGRESS
[1752] 07:19:38:205: EapTlsSMakeMessage
[1752] 07:19:38:205: MakeReplyMessage
[1752] 07:19:38:205: SecurityContextFunction
[1752] 07:19:38:205: AcceptSecurityContext returned 0x0
[1752] 07:19:38:205: AuthenticateUser
[1752] 07:19:38:205: QueryContextAttributes failed and returned 0x8009030e
[1752] 07:19:38:205: Got no credentials from the client and executing PEAP.
This is a success for eaptls.
[1752] 07:19:38:205: CreateMPPEKeyAttributes
[1752] 07:19:38:205: State change to SentFinished
[1752] 07:19:38:205: Negotiation successful
[1752] 07:19:38:205: BuildPacket
[1752] 07:19:38:205: << Sending Success (Code: 3) packet: Id: 15, Length: 4,
Type: 0, TLS blob length: 0. Flags:
[1752] 07:19:38:205: AuthResultCode = (0), bCode = (3)
[1752] 07:19:38:205: PeapGetTunnelProperties
[1752] 07:19:38:205: Successfully negotiated TLS with following
parametersdwProtocol = 0x40, Cipher= 0x6801, CipherStrength=0x80,
Hash=0x8003
[1752] 07:19:38:205: PeapGetTunnelProperties done
[1752] 07:19:38:205: GetTLSSessionCookie
[1752] 07:19:38:205: IsTLSSessionReconnect
[1752] 07:19:38:205: Session Reconnected.
[1752] 07:19:38:205: EapPeapSMakeMessage done
[1752] 07:19:38:205: EapPeapMakeMessage done
[1752] 07:19:38:205: PeapReadUserData
[1752] 07:19:38:205: EapPeapMakeMessage
[1752] 07:19:38:205: EapPeapSMakeMessage
[1752] 07:19:38:205: PEAP:PEAP_STATE_PEAPUPFRONT_FAST_RECONNECT
[1752] 07:19:38:205: GetTLSSessionCookie
[1752] 07:19:38:205: IsTLSSessionReconnect
[1752] 07:19:38:205: Session Reconnected.
[1752] 07:19:38:205: TLS session fast reconnected
[1752] 07:19:38:205: PeapCheckCookie
[1752] 07:19:38:205: EapPeapSMakeMessage done
[1752] 07:19:38:205: EapPeapMakeMessage done
[1752] 07:19:38:221: EapPeapMakeMessage
[1752] 07:19:38:221: EapPeapSMakeMessage
[1752] 07:19:38:221: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV
[1752] 07:19:38:221: CreatePEAPTLVPacket
[1752] 07:19:38:221: PeapEncryptTunnelData
[1752] 07:19:38:221: PeapEncryptTunnelData completed with status 0x0
[1752] 07:19:38:221: EapPeapSMakeMessage done
[1752] 07:19:38:221: EapPeapMakeMessage done
[3372] 07:20:08:283: EapPeapBegin
[3372] 07:20:08:283: PeapReadUserData
[3372] 07:20:08:283:
[3372] 07:20:08:283: EapTlsBegin()
[3372] 07:20:08:283: SetupMachineChangeNotification
[3372] 07:20:08:283: State change to Initial
[3372] 07:20:08:283: EapTlsBegin: Detected PEAP authentication
[3372] 07:20:08:283: MaxTLSMessageLength is now 16384
[3372] 07:20:08:283: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[3372] 07:20:08:283: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[3372] 07:20:08:283: The root cert will not be checked for revocation
[3372] 07:20:08:283: The cert will be checked for revocation
[3372] 07:20:08:283: EapPeapBegin done
[3372] 07:20:08:283: EapPeapMakeMessage
[3372] 07:20:08:283: EapPeapSMakeMessage
[3372] 07:20:08:283: PEAP:PEAP_STATE_INITIAL
[3372] 07:20:08:283: EapTlsSMakeMessage
[3372] 07:20:08:283: EapTlsReset
[3372] 07:20:08:283: State change to Initial
[3372] 07:20:08:283: GetCredentials
[3372] 07:20:08:283: Flag is Server and Store is local Machine
[3372] 07:20:08:283: GetCachedCredentials Flags = 0x4061
[3372] 07:20:08:283: GetCachedCredentials: Using Cached Credentials
[3372] 07:20:08:283: GetCachedCredentials: Hash of the cert in the cache is

7A C4 A0 71 15 2A 9F D2 A4 F2 1A FD 96 38 54 84 |z..q.*.......8T.|
24 EC 68 BC 00 00 00 00 00 00 00 00 00 00 00 00 |$.h.............|
[3372] 07:20:08:283: BuildPacket
[3372] 07:20:08:283: << Sending Request (Code: 1) packet: Id: 20, Length: 6,
Type: 13, TLS blob length: 0. Flags: S
[3372] 07:20:08:283: State change to SentStart
[3372] 07:20:08:283: EapPeapSMakeMessage done
[3372] 07:20:08:283: EapPeapMakeMessage done
[1752] 07:20:08:892: EapPeapMakeMessage
[1752] 07:20:08:892: EapPeapSMakeMessage
[1752] 07:20:08:892: PEAP:PEAP_STATE_TLS_INPROGRESS
[1752] 07:20:08:892: EapTlsSMakeMessage
[1752] 07:20:08:892: MakeReplyMessage
[1752] 07:20:08:892: Reallocating input TLS blob buffer
[1752] 07:20:08:892: SecurityContextFunction
[1752] 07:20:08:892: AcceptSecurityContext returned 0x90312
[1752] 07:20:08:892: State change to SentHello
[1752] 07:20:08:892: BuildPacket
[1752] 07:20:08:892: << Sending Request (Code: 1) packet: Id: 21, Length:
132, Type: 13, TLS blob length: 122. Flags: L
[1752] 07:20:08:892: EapPeapSMakeMessage done
[1752] 07:20:08:892: EapPeapMakeMessage done
[3372] 07:20:08:924: EapPeapMakeMessage
[3372] 07:20:08:924: EapPeapSMakeMessage
[3372] 07:20:08:924: PEAP:PEAP_STATE_TLS_INPROGRESS
[3372] 07:20:08:924: EapTlsSMakeMessage
[3372] 07:20:08:924: MakeReplyMessage
[3372] 07:20:08:924: SecurityContextFunction
[3372] 07:20:08:924: AcceptSecurityContext returned 0x0
[3372] 07:20:08:924: AuthenticateUser
[3372] 07:20:08:924: QueryContextAttributes failed and returned 0x8009030e
[3372] 07:20:08:924: Got no credentials from the client and executing PEAP.
This is a success for eaptls.
[3372] 07:20:08:924: CreateMPPEKeyAttributes
[3372] 07:20:08:924: State change to SentFinished
[3372] 07:20:08:924: Negotiation successful
[3372] 07:20:08:924: BuildPacket
[3372] 07:20:08:924: << Sending Success (Code: 3) packet: Id: 22, Length: 4,
Type: 0, TLS blob length: 0. Flags:
[3372] 07:20:08:924: AuthResultCode = (0), bCode = (3)
[3372] 07:20:08:924: PeapGetTunnelProperties
[3372] 07:20:08:924: Successfully negotiated TLS with following
parametersdwProtocol = 0x40, Cipher= 0x6801, CipherStrength=0x80,
Hash=0x8003
[3372] 07:20:08:924: PeapGetTunnelProperties done
[3372] 07:20:08:924: GetTLSSessionCookie
[3372] 07:20:08:924: IsTLSSessionReconnect
[3372] 07:20:08:924: Session Reconnected.
[3372] 07:20:08:924: EapPeapSMakeMessage done
[3372] 07:20:08:924: EapPeapMakeMessage done
[3372] 07:20:08:924: PeapReadUserData
[3372] 07:20:08:924: EapPeapMakeMessage
[3372] 07:20:08:924: EapPeapSMakeMessage
[3372] 07:20:08:924: PEAP:PEAP_STATE_PEAPUPFRONT_FAST_RECONNECT
[3372] 07:20:08:924: GetTLSSessionCookie
[3372] 07:20:08:924: IsTLSSessionReconnect
[3372] 07:20:08:924: Session Reconnected.
[3372] 07:20:08:924: TLS session fast reconnected
[3372] 07:20:08:924: PeapCheckCookie
[3372] 07:20:08:924: EapPeapSMakeMessage done
[3372] 07:20:08:924: EapPeapMakeMessage done
[3372] 07:20:08:939: EapPeapMakeMessage
[3372] 07:20:08:939: EapPeapSMakeMessage
[3372] 07:20:08:939: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV
[3372] 07:20:08:939: CreatePEAPTLVPacket
[3372] 07:20:08:939: PeapEncryptTunnelData
[3372] 07:20:08:939: PeapEncryptTunnelData completed with status 0x0
[3372] 07:20:08:939: EapPeapSMakeMessage done
[3372] 07:20:08:939: EapPeapMakeMessage done

Please let me know what you find as I'm sure it will be interesting.

Regards,

Bernard.
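
An added example, not part of the original post and not Microsoft tooling: a small Python triage script that splits a RASTLS trace into sessions at each `EapPeapBegin` and flags sessions where the server logged `CreatePEAPTLVPacket` but never logged the reply handler `GetPEAPTLVStatusMessageValue`. It assumes one client authenticating at a time, as in the trace above; the sample input is abridged from that trace, and the function names and outcome labels are hypothetical.

```python
import re

# "[thread] hh:mm:ss:mmm: message" as written by RASTLS tracing
LINE = re.compile(r"^\[(\d+)\]\s+(\d{2}:\d{2}:\d{2}:\d{3}):\s*(.*)$")

# Abridged from the trace in this post: one full authentication, two fast reconnects.
SAMPLE = """\
[3700] 07:18:40:097: EapPeapBegin
[3700] 07:18:41:081: Full authentication
[1752] 07:18:41:144: PEAP:PEAP_STATE_WAIT_FOR_APPLICATION_TLV
[1752] 07:18:41:144: CreatePEAPTLVPacket
[3700] 07:18:41:160: GetPEAPTLVStatusMessageValue
[3700] 07:18:41:160: EapPeapEnd done
[1752] 07:19:37:612: EapPeapBegin
[1752] 07:19:38:205: TLS session fast reconnected
[1752] 07:19:38:221: CreatePEAPTLVPacket
[3372] 07:20:08:283: EapPeapBegin
[3372] 07:20:08:924: TLS session fast reconnected
[3372] 07:20:08:939: CreatePEAPTLVPacket
"""

def split_sessions(log_text):
    """Group messages by session. Thread ids are ignored on purpose:
    several worker threads serve the same session in the trace."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and hex dump rows
        ts, msg = m.group(2), m.group(3)
        if msg == "EapPeapBegin":
            sessions.append({"start": ts, "msgs": []})
        if sessions:
            sessions[-1]["msgs"].append(msg)
    return sessions

def classify(session):
    """Return (start time, mode, outcome) for one session."""
    msgs = session["msgs"]
    mode = "fast-reconnect" if "TLS session fast reconnected" in msgs else "full"
    if "CreatePEAPTLVPacket" in msgs and "GetPEAPTLVStatusMessageValue" not in msgs:
        outcome = "no-tlv-reply"  # server sent its TLV, no answer was processed
    elif "EapPeapEnd done" in msgs:
        outcome = "completed"
    else:
        outcome = "incomplete"
    return session["start"], mode, outcome

def summarize(log_text):
    return [classify(s) for s in split_sessions(log_text)]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row)
```
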

