NAP SoH Request

  • Question

  • Hi,

    I am developing a RADIUS server and want to be able to parse SoH lists sent from the client
    ("Enable Quarantine checks" is checked and the NAP agent is started on the client).
    To request the SoH list I am sending the following EAP-Request within the established PEAP tunnel.
    The bytes are in network order:

    <<1, X, 0, 24, 254, 0, 1, 55, 0, 0, 0, 33, 128, 7, 0, 8, 0, 0, 1, 55, 0, 2, 0 ,0>>

    Where
    <<1, X, 0, 24, 254>> is the EAP Header (254 = SOH Extension Method), <<0, 1, 55, 0, 0, 0, 33>> is the SOH EAP Extension Method, <<128, 7, 0, 8, 0, 0, 1, 55>> is the Vendor Specific TLV and <<0, 2, 0, 0>> is the SOH-Request. (http://msdn.microsoft.com/en-us/library/aa506211.aspx)


    But I'm getting back a NAK.

    The svchost_RASTLS log file contains the following values:
    ....
    [2680] 04-29 09:20:10:300: Negotiation successful
    [2680] 04-29 09:20:10:300: PeapGetTunnelProperties
    [2680] 04-29 09:20:10:300: Successfully negotiated TLS with following parameters dwProtocol = 0x80, Cipher= 0x6611, CipherStrength=0x80, Hash=0x8004
    [2680] 04-29 09:20:10:300: PeapGetTunnelProperties done
    [2680] 04-29 09:20:10:300: PEAP_STATE_FAST_ROAMING_IDENTITY_REQUEST
    [2680] 04-29 09:20:10:300: PeapClientDecryptTunnelData
    [2680] 04-29 09:20:10:300: IsDuplicatePacket
    [2680] 04-29 09:20:10:300: PeapDecryptTunnelData dwSizeofData = 37, pData = 0x540c676
    [2680] 04-29 09:20:10:300: Blob length 37
    [2680] 04-29 09:20:10:300: PeapDecryptTunnelData completed with status 0x0
    [2680] 04-29 09:20:10:300: IsMsEapTlvPacket
    [2680] 04-29 09:20:10:300: IsEapTLVInsidePEAP
    [2680] 04-29 09:20:10:300: PeapEncryptTunnelData
    [2680] 04-29 09:20:10:300: Blob length 53
    [2680] 04-29 09:20:10:300: PeapEncryptTunnelData completed with status 0x0
    [2680] 04-29 09:20:10:300: EapPeapCMakeMessage done
    [2680] 04-29 09:20:10:300: EapPeapMakeMessage done
    [2680] 04-29 09:20:10:320: EapPeapMakeMessage
    [2680] 04-29 09:20:10:320: EapPeapCMakeMessage, flags(0x500)
    [2680] 04-29 09:20:10:320: Cloned PPP_EAP_PACKET packet
    [2680] 04-29 09:20:10:320: PEAP: PEAP_STATE_IDENTITY_RESPONSE_SENT
    [2680] 04-29 09:20:10:320: PeapClientDecryptTunnelData
    [2680] 04-29 09:20:10:320: IsDuplicatePacket
    [2680] 04-29 09:20:10:320: PeapDecryptTunnelData dwSizeofData = 53, pData = 0x541ce8e
    [2680] 04-29 09:20:10:320: Blob length 53
    [2680] 04-29 09:20:10:320: PeapDecryptTunnelData completed with status 0x0
    [2680] 04-29 09:20:10:320: IsMsEapTlvPacket
    [2680] 04-29 09:20:10:320: IsEapTLVInsidePEAP
    [2680] 04-29 09:20:10:320: NAK inner method
    [2680] 04-29 09:20:10:320: PeapEncryptTunnelData
    [2680] 04-29 09:20:10:320: Blob length 37
    [2680] 04-29 09:20:10:320: PeapEncryptTunnelData completed with status 0x0
    [2680] 04-29 09:20:10:320: EapPeapCMakeMessage done
    [2680] 04-29 09:20:10:320: EapPeapMakeMessage done
    [2680] 04-29 09:20:11:492: EapPeapEnd
    [2680] 04-29 09:20:11:492: EapTlsEnd
    [2680] 04-29 09:20:11:492: EapTlsEnd(contoso\user1)
    [2680] 04-29 09:20:11:512: EapPeapEnd done


    Could you point out what is wrong?

    Thanks in advance,

    Fuki



    Wednesday, April 30, 2008 7:20 AM

All replies

  • Hi Fuki,

    Did you check out MS-PEAP protocol specification http://msdn.microsoft.com/en-us/library/cc209011.aspx ?

    Please note that there are two PEAP-related specifications on the Microsoft site and I believe the one above may answer your questions.

    Please let us know.

    Thanks.
    Thursday, May 22, 2008 6:53 AM
  • Hi Calvin,

    Yes, I checked the MS-PEAP protocol specification. According to the specification (section 4.2.1) the client sends a NAK if it doesn't support SoH processing, but the Vista client is actually configured to process the SoH-Request ("Enable Quarantine checks" is checked and the NAP agent is started).

    Is there something wrong with the SOH-request?

    Thanks in advance,
    Fuki
    Tuesday, May 27, 2008 9:05 AM
  • Maybe this works:

    FE 00 01 37 00 00 00 21 - 00 07 00 08 00 00 01 37 00 02 00 00

    I guess you can figure out the bits.

    Monday, June 2, 2008 10:18 PM
  • Hi FukiUSP, thanks for your post regarding the [MS-WSH] protocol specification. We will review your question and update the forum once our investigation is complete. Thanks!

    Sebastian Canevari - MSFT

    Tuesday, June 3, 2008 8:00 PM
  • Hi Fuki,

    I have been reading some documentation and I have a couple of comments/questions/suggestions for you:

    1) I understand that you've read MS-PEAP, but I would like to understand if you have based your implementation on the following section:

    2.2.6.2 SoH EAP Extensions Method

    This method is an Expanded EAP Type (http://msdn.microsoft.com/en-us/library/cc232153.aspx), as specified in section 2.2.5 (http://msdn.microsoft.com/en-us/library/cc238446.aspx), with the following values for the fields:

    Type (1 byte): MUST be set to 254 as specified in [RFC3748] (http://go.microsoft.com/fwlink/?LinkId=90444) section 5.7.

    Vendor_Id (3 bytes): A 3-byte unsigned integer that MUST be set to 0x137.

    Vendor_Type (4 bytes): A 4-byte unsigned integer that MUST be set to 0x21.

    Vendor data (variable): This contains either a SoH Request TLV (http://msdn.microsoft.com/en-us/library/cc238451.aspx) or a SoH TLV (section 2.2.6.2.2, http://msdn.microsoft.com/en-us/library/cc238452.aspx).

    SoH Request TLV MUST be present only in an EAP request while SoH TLV MUST be present only in an EAP response message.

    2) If this does not help, or it helps but you still have issues, please understand that it is difficult from the RASTLS log file alone to determine what is causing the NAK. It may be useful to also get the EAPOL log file.

    This is the way to enable it: "netsh ras set tracing eapol enabled"

    And you can find further information about it here: http://technet2.microsoft.com/windowsserver/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true

    Please let me know how you want to proceed.

    Thanks!

    SEBASTIAN CANEVARI - MSFT

    • Proposed as answer by KeithHa Wednesday, June 25, 2008 11:32 PM
    • Marked as answer by KeithHa Wednesday, August 13, 2008 11:23 PM
    Tuesday, June 17, 2008 7:24 PM
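As an added example (not code from the original poster, the other replies, or Microsoft), the following Python builds the SoH EAP Extensions Method request described in the question from the MS-PEAP 2.2.6.2 field values quoted in the reply above, and decodes a received packet field by field so that a RADIUS implementer can see exactly which field a client or server would reject. It uses the two byte strings posted in this thread as constructed inputs, taking the identifier X as 1. Assumptions not stated on this page: the 16-bit TLV type field carries the PEAPv0 mandatory (M) flag in its top bit and a 14-bit type in the low bits; the Vendor-Specific TLV type is 7 and the SoH Request TLV type is 2 with zero length, as both posted byte strings encode them. The decoder only reports the M bit as a decoded field; it does not decide which variant a given client accepts.

```python
"""Build and decode the NAP SoH EAP Extensions Method request (MS-PEAP 2.2.6.2).

Added example for this thread; not code from the original poster or Microsoft.
"""
import struct

EAP_CODE_REQUEST = 1
EAP_TYPE_EXPANDED = 254      # RFC 3748 section 5.7 (Expanded Type)
MS_VENDOR_ID = 0x137         # MS-PEAP Vendor_Id (Microsoft enterprise number 311)
SOH_VENDOR_TYPE = 0x21       # MS-PEAP Vendor_Type for the SoH EAP Extensions Method
TLV_VENDOR_SPECIFIC = 7      # assumed: Vendor-Specific TLV type, as in the posted bytes
TLV_SOH_REQUEST = 2          # assumed: SoH Request TLV type 2, zero length, as posted
TLV_M_BIT = 0x8000           # assumed: PEAPv0 "mandatory" flag, top bit of the TLV type
TLV_TYPE_MASK = 0x3FFF       # low 14 bits of the TLV type field


def build_soh_request(identifier: int, mandatory: bool) -> bytes:
    """Return a complete 24-byte EAP-Request carrying an SoH Request TLV.

    Layout, all fields big-endian (network order):
      EAP header        Code(1)=1  Identifier(1)  Length(2)  Type(1)=254
      Expanded type     Vendor-Id(3)=0x137  Vendor-Type(4)=0x21
      Vendor-Specific   TLV-Type(2)=7 [| M bit]  Length(2)=8  Vendor-Id(4)=0x137
      SoH Request TLV   TLV-Type(2)=2  Length(2)=0
    """
    soh_request = struct.pack("!HH", TLV_SOH_REQUEST, 0)
    vs_type = TLV_VENDOR_SPECIFIC | (TLV_M_BIT if mandatory else 0)
    vs_tlv = struct.pack("!HHI", vs_type, 4 + len(soh_request), MS_VENDOR_ID) + soh_request
    body = (bytes([EAP_TYPE_EXPANDED])
            + MS_VENDOR_ID.to_bytes(3, "big")
            + struct.pack("!I", SOH_VENDOR_TYPE)
            + vs_tlv)
    return struct.pack("!BBH", EAP_CODE_REQUEST, identifier & 0xFF, 4 + len(body)) + body


def parse_soh_request(pkt: bytes) -> dict:
    """Decode an SoH request; raise ValueError naming the first field that is wrong.

    Lengths are checked against the bytes actually present before any field
    behind them is read, so truncated or over-long input fails cleanly.
    """
    if len(pkt) < 24:
        raise ValueError(f"packet is {len(pkt)} bytes, an SoH request needs 24")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} does not match {len(pkt)} bytes received")
    if code != EAP_CODE_REQUEST:
        raise ValueError(f"EAP Code {code}, expected Request (1)")
    if pkt[4] != EAP_TYPE_EXPANDED:
        raise ValueError(f"EAP Type {pkt[4]}, expected 254 (Expanded)")
    vendor_id = int.from_bytes(pkt[5:8], "big")
    (vendor_type,) = struct.unpack_from("!I", pkt, 8)
    if vendor_id != MS_VENDOR_ID or vendor_type != SOH_VENDOR_TYPE:
        raise ValueError(f"Vendor-Id/Type 0x{vendor_id:x}/0x{vendor_type:x}, expected 0x137/0x21")
    vs_type, vs_len, vs_vendor = struct.unpack_from("!HHI", pkt, 12)
    if (vs_type & TLV_TYPE_MASK) != TLV_VENDOR_SPECIFIC:
        raise ValueError(f"outer TLV type 0x{vs_type:04x}, expected Vendor-Specific (7)")
    if vs_len != len(pkt) - 16:
        raise ValueError(f"Vendor-Specific TLV length {vs_len}, expected {len(pkt) - 16}")
    if vs_vendor != MS_VENDOR_ID:
        raise ValueError(f"Vendor-Specific TLV vendor 0x{vs_vendor:x}, expected 0x137")
    req_type, req_len = struct.unpack_from("!HH", pkt, 20)
    if (req_type & TLV_TYPE_MASK) != TLV_SOH_REQUEST or req_len != 0:
        raise ValueError(f"inner TLV 0x{req_type:04x}/len {req_len}, expected SoH Request (2)/0")
    return {
        "identifier": ident,
        "vendor_id": vendor_id,
        "vendor_type": vendor_type,
        "mandatory": bool(vs_type & TLV_M_BIT),   # M bit of the Vendor-Specific TLV
    }


# Constructed inputs: the two byte strings posted in this thread, identifier X taken as 1.
POSTED = bytes([1, 1, 0, 24, 254, 0, 1, 55, 0, 0, 0, 33,
                128, 7, 0, 8, 0, 0, 1, 55, 0, 2, 0, 0])
SUGGESTED = bytes([1, 1, 0, 24]) + bytes.fromhex(
    "FE00013700000021" "0007000800000137" "00020000")


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length packets differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for name, pkt in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, pkt.hex(), parse_soh_request(pkt))
    print("differ at offsets", differing_offsets(POSTED, SUGGESTED))
```

Run stand-alone, both packets decode with identical Vendor-Id, Vendor-Type and TLV lengths; the only offset at which they differ is 12, the high byte of the Vendor-Specific TLV type (0x80 with the M bit set versus 0x00 with it clear). When a client answers with a NAK, decoding its inner packet with the same field-by-field checks, rather than eyeballing the RASTLS blob lengths (37 and 53 bytes in the log above), is the quickest way to see which field it objected to.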