Windows XP PRO SP1 is running from cache information

Discussion in 'TinyPEAP Firmware' started by scaron, Apr 3, 2005.

  1. scaron

    scaron Network Guru Member

    This applied to a router running tinyPEAP RADIUS authentication.
You need two accounts on your Windows XP box for this test (you obviously need a tinyPEAP properly configured with at least one user account):

    To be on the safe side, disable Fast User Switching and the Family logon screen and reboot the computer.

    In the first Windows XP user account:
    a) download/install the tinyPEAP certificate
    b) configure the network including the credentials for the tinyPEAP user account
    c) verify wireless connectivity by browsing anything.
    d) LOG OFF this session: do NOT reboot or shutdown/restart

    Log on the second Windows XP user account:
    e) verify that you still have network connectivity
    f) verify that the tinyPEAP certificate is NOT installed
    g) verify that the wireless network does not have any credentials for the active connection
    h) open a command prompt and ping -t any host on your network other than the tinyPEAP device

I let a ping run for 60 minutes, which is long enough for WPA/802.1x to cycle the keys a couple of times :)

    i) reboot the machine and log on as the second Windows XP user account
    j) verify that you need a certificate to access the wireless network

    Presumably, XP SP1 does not flush the network cache at the time an authenticated user logs off. I did not verify this with XP SP2.

    This also implies that, if this were fixed, there would be no network connectivity to machines on which nobody is logged on.

Are there plans to support machine certificates in tinyPEAP?
  2. nairb2128

    nairb2128 Network Guru Member

Well, I suppose this is either a bug in Windows, or was done by design. I would assume it is by design, but the only way to be sure would be to ask a developer of Windows (anyone?). As for machine certificates, right now we have no plans for changing our certification management system.

  3. scaron

    scaron Network Guru Member

    I do not know the impact of adding machine certificates on your existing code. However, here are two real-life situations that you might want to add in your documentation:

    1) Domain users may not authenticate on a wireless system. A system may authenticate a user from cache information if the user has previously logged on the system and only with the credentials in effect then.

2) In a Windows domain, users with roaming profile must first log on to establish connectivity with the access point; upon authentication, the user will be told that the roaming profile is unavailable from the server (which is true until the WPA PEAP authentication is completed). The user must log off and then log back in, at which point the roaming profile is available because the link is already up and running from cache information.

    So, this is leveraging a bug in Windows XP to circumvent the limitation.
