Re: EAP-TLS with windows CE
- From: hileyj <hileyj@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 16 Aug 2007 17:47:06 -0700
The problem authenticating seems to have come from this behaviour:
The AP was sending out an Identity Request every second, incrementing the
request ID each time. The CE device would get the request and prompt the
user for an ID as it should. The problem seems to be that while the dialog
was up and the user was entering their credentials, the AP would send X more
identity requests. When the user hit OK on the ID prompt, the packet sent was
a response to request 1, not request X+1.
I'm guessing the AP does not respond to what it considers stale responses,
so when it gets an 'incorrect' response ID, it never bothers to forward the
request to the identification server. This causes the prompt to pop up again
at the device for the next queued request and the cycle continues.
I was wondering, does this sound like a known issue? Or could there be
something particular to this device? We haven't touched any of the EAP code
with WinCE 5.0. Maybe we are missing an update?
Jon Hiley
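To make the Identifier problem Jon describes concrete, here is an added example (written for this page, not code from the thread, from Windows CE or from any AP vendor): a minimal RFC 3748 EAP encoder/decoder and a model authenticator that, like the AP suspected above, only accepts a Response echoing the Identifier of its most recent outstanding Request. `simulate`, `Authenticator` and the identity string are constructed for the illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1  # RFC 3748 values

def build_eap(code, identifier, eap_type, type_data=b""):
    """Encode Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier & 0xFF, 4 + len(body)) + body

def parse_eap(packet):
    """Decode an EAP packet; reject one whose Length field disagrees with its size."""
    if len(packet) < 5:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "id": identifier, "type": packet[4], "data": packet[5:]}

class Authenticator:
    """Model of the AP: only the most recently sent Identity Request is outstanding."""
    def __init__(self):
        self.next_id, self.outstanding_id = 1, None

    def send_identity_request(self):
        pkt = build_eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
        self.outstanding_id = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF  # 8-bit Identifier, wraps (assumed)
        return pkt

    def accept_response(self, packet):
        """A Response must echo the outstanding Request's Identifier (RFC 3748 4.1);
        any other Identifier is stale and is dropped, never forwarded to RADIUS."""
        r = parse_eap(packet)
        if r["code"] != EAP_RESPONSE or r["type"] != EAP_TYPE_IDENTITY:
            return False
        return r["id"] == self.outstanding_id

def simulate(extra_requests, answer_latest):
    """Thread scenario: the user sits in the ID dialog while the AP sends
    extra_requests more Identity Requests with fresh Identifiers. The client
    then answers either the first Request (the reported bug) or the latest."""
    ap = Authenticator()
    first = latest = parse_eap(ap.send_identity_request())
    for _ in range(extra_requests):
        latest = parse_eap(ap.send_identity_request())
    chosen = latest["id"] if answer_latest else first["id"]
    identity = b"user@EXAMPLE"  # constructed sample identity, not from the thread
    resp = build_eap(EAP_RESPONSE, chosen, EAP_TYPE_IDENTITY, identity)
    return ap.accept_response(resp)
```

With no retransmissions the first-ID answer is accepted, but once the AP has moved on by even one Identifier it is dropped, which reproduces the re-prompt loop; answering the latest Identifier is what a correct supplicant does.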
"Paul G. Tobey [eMVP]" wrote:
It's used to decide if you're legal to be connected to the network, of
course. You're looked up in the user table, just as if you entered those
credentials at the login prompt for Windows Server 2003 on the server
machine. When it finds that you've entered the right login information, it
checks to see if that user is allowed to connect via wireless/EAP/whatever,
and, if so, tells the access point to allow you.
The certificate is *only* to identify the server *to the Windows CE device*.
The certificate is a public thing, not a secret. *Anyone* might have that
certificate, so merely having it in your certificate store only proves that
you know who the server is, not that you should be allowed to connect to the
network. When the server asks the Windows CE device to identify itself, the
Windows CE device, to avoid man-in-the-middle or other impersonation
problems, has to be able to verify that the system that's asking for a user
name and password is someone that you should be telling that information to.
If it didn't do that, I could easily steal your authentication information.
Once the Windows CE device is convinced that the server is someone that it
should be talking to, an encrypted connection is created based on the
certificate and both ends know that no one trapping the packets in the
middle can read them.
Paul T.
"hileyj" <hileyj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B162DAA7-0788-43D5-B0CF-064A9DF7A345@xxxxxxxxxxxxxxxx
Thanks for the quick response. That second paragraph you wrote makes sense
with the little I had already known about TLS.
I'm still a little unclear about something, though. From my understanding,
the conversation starts with an EAP Request/Identity from the AP to the
client. Windows CE then prompts the wireless user for the
UserName/DomainName. The client then responds with an EAP Response/Identity
to the AP which gets passed on to an authentication server (RADIUS or
otherwise). This response contains the username/domainName the wireless user
entered in the prompt.
My question is, what exactly is this identity response used for at the
authentication server? I thought the authentication was provided by the
certificate information, so why is a user or machine name used in the
Response/Identity packet? The problem I'm having is this prompt keeps
reappearing, suggesting that something in the Response/Identity is
incorrect.
Unfortunately, I can't give you more information about the actual EAP message
exchange since I don't have access to the network where this is occurring.
Thanks again for your response,
Jon Hiley
"Paul G. Tobey [eMVP]" wrote:
What you want is the user name and password that the authentication server
that your access point is directing the EAP packets to is expecting. It has
nothing to do with the contents of the certificate at all. That will be
used by the device to verify that the server is who it says that it is and
that it should be trusted, and to encrypt the data. The server that's doing
the verification decides what users and passwords are needed, though. If it
doesn't work, I'd suspect that the problem is there.
No, there's no description anywhere that I've ever seen of how EAP-TLS works
at all, let alone specifically on Windows CE. As I recall it, basically
what happens is that Windows CE calls up the access point. The AP looks at
how it's configured and sees that EAP-TLS is set, so it creates a virtual
connection to the server with which it's supposed to communicate, commonly a
RADIUS server, for the Windows CE device. The AP is configured with
suitable authentication information so that it can connect to the server in
this way. The server sees that someone is trying to connect and requests
credentials, giving a list of ways that they can be provided, and some
certificate identification information. The Windows CE device looks at the
server information and verifies that the server's certificate was issued by
a trusted authority (this is why you might need to install a certificate on
the Windows CE device, to trust an authority other than those standard
authorities). Via some back and forth, a secure connection is established.
Once that's taken care of, Windows CE either asks you who you are or looks
up the default credentials in the registry and sends them to the server via
the negotiated protocol. If the server agrees that you are authenticated,
it assigns you an IP address and tells the access point to allow you access
to the entire network.
Paul T.
"hileyj" <hileyj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D16B6792-29C7-400D-8E49-58913988C1A2@xxxxxxxxxxxxxxxx
Hi,
I was wondering how EAP-TLS authentication is performed with Windows CE 5.0.
I have loaded the necessary private key and certificates (they work with
other devices such as laptops) onto my device and they appear to be going to
the correct stores. When I go to connect to an EAP-TLS enabled network, I
get a prompt for a User Name and Domain Name. What exactly is it looking for
here? The Active Directory user name that the certificate was issued to? Or
the subject name as on the certificate?
After entering the user name and the domain, the username dialog goes away
but then authentication fails and it reappears. What are possible causes of
this authentication failure?
Also, is there a good description somewhere out there about how EAP-TLS
works with Windows CE 5.0? I'd really like to be able to troubleshoot these
types of problems...
Thanks,
Jon