none
Windows CE 6.0: Server validation during PEAP WiFi connection RRS feed

  • Question

  • Hello,

    We are using a WinCE 6.0 image, in which we have a network which we connect to with WPA2 authentication, AES encryption and PEAP protocol. The connection is well achieved either with a server validation with a proper certificate, or without server validation.

    The strange thing is that after a successful connection (say without server validation), we are able to reconnect to the network with server validation using a wrong certificate or even without using a certificate at all. That happens only if we were connected to the network prior the attempt to connect to it again. After restart, however, the server validation functions properly and the connection cannot be established due to authentication failure.

    As we would not like to allow connection under the above scenario (without being able to restart), we are struggling to understand why this is happening.

    After sniffing the transmission between the router and the RADIUS server using wire shark followed by a deep web search, we believe that this is happening because of a caching mechanism that remembers the previous session ID. This session ID is sent at the beginning of the connection and is used to skip the 4-steps handshake procedure between the router and the RADIUS server. This basically means that the server validation is not taking place at all. Here are some links explaining this issue:

    https://sites.google.com/site/amitsciscozone/home/switching/peap---protected-eap-protocol

    https://sites.google.com/site/amitsciscozone/home/security/ssl-connection-setup

    https://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077

    Up to this point, we couldn't find any registry key/value that can be configured so we disable this caching.

    Because we do not have the eaptls.dll source code (which is in charge of this connection as far as we understand), we are basically searching our way in the darkness.

    Can anyone assist us on this matter?

    Thanks,

    Amitai




    Monday, July 24, 2017 7:13 AM