Problem with EAP/TLS and XP SP2

Ben Walding ben.walding at gmail.com
Tue Nov 8 22:58:00 CET 2005


On 11/8/05, Michael Griego <mgriego at utdallas.edu> wrote:
>
>
> Ben Walding wrote:
> > We've found in testing that the XP supplicant (with certain patches)
> > will read the certificate and send a User-Name that is constructed
> > from the certificate CN (host/ + cert CN); thus rendering the whole
> > "checking the CN process" fairly pointless for XP supplicants.
>
> This is only true when a certificate is used for machine authentication,
> not for user authentication.


Ahh, this explains a thing or two! We knew we'd seen behaviour where it sent
the machine name rather than the name of the certificate earlier in our
testing, but we couldn't replicate it (since we had locked everything down to
machine auth by the final stages).

> To get around the problem stated above, all you have to do is create
> two instances of the EAP module. In cases where the User-Name attribute
> begins with "host/", just send those authentications to the second EAP
> module, and have the check_cert_cn parameter set to check for
> "host/%{User-Name}". This way you can still be assured of proper
> authorization.
>

We added a few lines into hints -

DEFAULT Prefix == "host/"
	Hint = "Wireless-Workstation"

DEFAULT Prefix == "host\\"
	Hint = "Wireless-Workstation"

DEFAULT Prefix == "\\"
	Hint = "Wireless-PDA"

This resolved the issues we saw with prefixes and let us identify PDAs as
they authenticated into the system (not that we do anything with this piece
of information).


Cheers,

Ben
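As an added illustration (not part of the thread and not FreeRADIUS code), the following Python models the decision logic the two posters describe: the hints-file prefix matching that sets a Hint and strips the prefix into Stripped-User-Name, the routing of "host/"-prefixed names to a second EAP instance, and a CN check that compares the stripped name for machine authentication and the bare User-Name for user authentication. The prefix table is constructed from the three hints entries above; the function names `apply_hints`, `eap_instance_for` and `cert_cn_authorized` and the instance names `eap` and `eap_machine` are hypothetical. It assumes that `"host\\"` and `"\\"` in the hints file denote a single backslash after unescaping, and it compares CNs case-insensitively, which the thread does not state.

```python
from typing import Optional, Tuple

# Constructed table mirroring the three hints entries in the post:
# (prefix as seen after the hints-file parser unescapes it, Hint value).
# Assumption: "host\\" and "\\" in the hints file mean a single backslash.
HINTS = [
    ("host/", "Wireless-Workstation"),
    ("host\\", "Wireless-Workstation"),
    ("\\", "Wireless-PDA"),
]


def apply_hints(user_name: str) -> Tuple[Optional[str], str]:
    """Return (Hint, Stripped-User-Name) for the first matching Prefix entry.

    Models rlm_preprocess behaviour: a matching Prefix check item sets the
    Hint and leaves the remainder of the name in Stripped-User-Name. With no
    match there is no Hint and the name is left untouched.
    """
    for prefix, hint in HINTS:
        if user_name.startswith(prefix):
            return hint, user_name[len(prefix):]
    return None, user_name


def eap_instance_for(user_name: str) -> str:
    """Pick the EAP module instance, following Michael's two-instance idea.

    Names beginning with "host/" (the XP machine-auth form) go to the
    hypothetical second instance; everything else uses the default one.
    """
    return "eap_machine" if user_name.startswith("host/") else "eap"


def cert_cn_authorized(user_name: str, cert_cn: str) -> bool:
    """CN check that survives the XP supplicant's machine-auth User-Name.

    Machine auth: XP sends User-Name = "host/" + certificate CN, so the
    stripped name must equal the CN. User auth: the bare User-Name must
    equal the CN. CNs are compared case-insensitively (assumption).
    """
    hint, stripped = apply_hints(user_name)
    if hint == "Wireless-Workstation":
        return stripped.lower() == cert_cn.lower()
    return user_name.lower() == cert_cn.lower()


if __name__ == "__main__":
    # Constructed sample requests: (User-Name, certificate CN).
    samples = [
        ("host/pc01.example.com", "PC01.example.com"),
        ("host/pc01.example.com", "pc02.example.com"),
        ("alice", "alice"),
    ]
    for name, cn in samples:
        hint, stripped = apply_hints(name)
        print(f"{name!r}: hint={hint} stripped={stripped!r} "
              f"instance={eap_instance_for(name)} "
              f"authorized={cert_cn_authorized(name, cn)}")
```

The point of separating `apply_hints` from `cert_cn_authorized` is that the prefix stripping is what makes the CN comparison meaningful again for XP machine authentication; without it, a "host/"-prefixed User-Name never equals the certificate CN and the check either always fails or gets disabled.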