EAP-TLS Machine Authentication problems - Resolved
Michael Olson
olson at irinim.net
Sat Jan 19 04:13:42 CET 2008
Found the problem... and ummm... I'm really ashamed to admit this one.
I had the CA root certificate in the user's trusted root store, moved it
over to the machine trusted root store and all is well.
Thank you for enduring my duh moment.
-- Mike Olson
Michael Olson wrote:
> I loaded the computer certificate via the MMC Certificates module,
> into the Local Machine, Personal store. When there isn't one in
> there I get a can't find a certificate error in windows when trying
> to connect and it never tries to do EAP. Also, looking at the user
> log and the computer log, they both get the "TLS_accept:error in
> SSLv3 read client certificate A" at that stage.
>
> Looking at User cert request ID #52 and Computer cert request ID #40
> (Where the "SSLv3 read client certificate A" error occurs) they are
> pretty much identical. The next messages in the sequence (#53/#41)
> are also almost identical (the freeradius reply is identical right down
> to the EAP-Message blobs in the response). The message after that
> is where things appear to go wrong, in User #54, a ton of EAP data
> comes in from the client, the client cert details show up, and
> authentication seems to be wrapping up; but in Computer #42 barely
> anything appears in the EAP blobs and the process appears to start
> cycling over again.
>
> Thanks
>
> -- Mike Olson
>
>
> tnt at kalik.co.yu wrote:
>
>> machine: TLS_accept:error in SSLv3 read client certificate A
>> user: (other): SSL negotiation finished successfully
>>
>> There doesn't seem to be a machine certificate in the certificate store.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>>
>> On 18/1/2008, "Michael Olson" <olson at irinim.net> writes:
>>
>>
>>
>>> I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
>>> authentication. I set up FreeRADIUS following the guide at
>>> http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS
>>> and I'm using OpenSSL to generate the certificates.
>>>
>>> I can authenticate using user certificates fine, so I'm pretty sure all the
>>> Certificates & CA setup is right on the RADIUS server certificate, User
>>> certificate, and the Root Certificate. That leaves the Computer Certificate.
>>>
>>> I generated the computer certificate to have the common name be the machine
>>> name (I've tried it plain and FQDN) and I've put the FQDN in the
>>> altSubjectName field as well. It has the same usage extensions as the User
>>> certificates (TLS Client Auth: 1.3.6.1.5.5.7.3.2). I set the AuthMode
>>> registry key to Computer Only (2), and it tries to authenticate, which
>>> suggests that the workstation is okay with the certificate.
>>>
>>> Computer Certificate details:
>>> http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>>>
>>> Other than that I can't think of where to look for a problem. Comparing logs
>>> between user and computer authentication I can see where it starts differing
>>> but I can't find anything I can interpret as to why. Nothing seems to fail for
>>> the computer, it just cycles endlessly.
>>>
>>> Successful User Authentication Log:
>>> http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
>>>
>>> Failed Computer Authentication Log:
>>> http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>>>
>>> I also tossed out the windows tracing logs for both user and computer auth
>>> and anything else that seemed useful in
>>> http://www.cs.odu.edu/~olson/eap/
>>>
>>> Can anybody give me a pointer on where to look for problems?
>>>
>>> Thanks
>>>
>>> -- Mike Olson
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
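The misconfiguration the thread ends on (root CA in the user's store, machine authentication running as SYSTEM and seeing only the machine stores) can be checked on the client before touching the RADIUS side. This is an added diagnostic, not code from the thread or from FreeRADIUS; it assumes a PowerShell session with the Cert: drive (Vista/2008 or later, which the XP clients in the thread lack) run elevated, and Get-Thumbprints and Test-ClientAuthEku are helper names chosen here.

```powershell
# Added diagnostic, not from the thread. Checks the two things the thread turned on:
# a machine certificate with the Client Authentication EKU in LocalMachine\My, and its
# root CA in LocalMachine\Root rather than only in CurrentUser\Root.
# Assumes a PowerShell session with the Cert: drive (Vista/2008 or later; XP has none),
# run elevated so private-key information in the machine store is readable.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU named in the original post

function Get-Thumbprints([string]$StorePath) {
    Get-ChildItem $StorePath -ErrorAction SilentlyContinue | ForEach-Object { $_.Thumbprint }
}

# The CurrentUser\Root view also lists machine roots, so the machine store must be tested first.
$machineRoots = Get-Thumbprints 'Cert:\LocalMachine\Root'
$userRoots    = Get-Thumbprints 'Cert:\CurrentUser\Root'

function Test-ClientAuthEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $clientAuthOid) { return $true } }
        }
    }
    return $false
}

$candidates = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku $_) }
if (-not $candidates) {
    Write-Warning "No certificate with a private key and EKU $clientAuthOid in LocalMachine\My; Windows reports 'cannot find a certificate' and never starts EAP."
}

foreach ($cert in $candidates) {
    # Machine authentication runs as SYSTEM and sees only the machine stores, so a chain
    # built in an interactive session (which also sees the user's roots) can succeed while EAP-TLS fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Machine cert: $($cert.Subject) (chain builds in this session: $built)"
    if ($top.Subject -ne $top.Issuer) {
        Write-Warning "  Chain is incomplete: issuer '$($top.Issuer)' was not found in any store."
    } elseif ($machineRoots -contains $top.Thumbprint) {
        Write-Host "  Root '$($top.Subject)' is in LocalMachine\Root: correct for machine authentication."
    } elseif ($userRoots -contains $top.Thumbprint) {
        Write-Warning "  Root '$($top.Subject)' is only in CurrentUser\Root: user auth works, machine auth will loop as in the thread."
    } else {
        Write-Warning "  Root '$($top.Subject)' is not in any Root store; the chain is untrusted."
    }
}
```

On the FreeRADIUS side the symptom stays "TLS_accept:error in SSLv3 read client certificate A", because the client never sends a certificate it cannot chain to a trusted root in the store it is using.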