Re: EAP-TLS Machine Authentication problems - Resolved

[Michael Olson <olson@irinim.net>]

Well this was an embarrassing sort of problem.

The CA certificate was in the Users Trusted Root store, once I moved it 
to the Machine Trusted Root store all was well.

For anyone else ever hunting down this problem, the Windows RASTLS.log 
error messages I got were:

[4968] 21:57:59:046: SecurityContextFunction
[4968] 21:57:59:062: InitializeSecurityContext returned 0x80090325
[4968] 21:57:59:062: State change to RecdFinished. Error: 0x321

In freeradius it seemed like the login process just cycled forever, 
getting to the last message and the client just gave up.

In the Windows "Wireless Network Connection" dialog box it hung in 
attempting to verify and never moved on.

Thanks all for enduring my duh  moment with me.

v/r
-- Mike Olson

Michael Olson wrote:
> I tried upgrading to 2.0.0, very close to a stock default config and 
> I'm getting the same symptoms, user works, computer doesn't. Makes me 
> even more suspicious of my certificates. I updated the files listed 
> below to new logs generated from 2.0.0.
>
> I saw the note to in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to 
> the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that 
> to work and I posted the output from an openssl pkcs12 dump to 
> http://www.cs.odu.edu/~olson/eap/computer.p12.txt  , unfortunately 
> that didn't seem to help.
>
> I'm pretty much dead on ideas at this point, besides Ivan Kaliks 
> suggestion that I look into the $ appended to the machine name. (Which 
> I'm pursuing next.)
>
> Thanks
>
> -- Mike Olson
>
> Michael Olson wrote:
> > I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using 
> > machine
> > authentication. I set up FreeRADIUS following the guide at
> > http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and 
> > I'm using
> > OpenSSL to generate the cetificates.
> >
> > I can authenticate using user certificates fine, so I'm pretty sure 
> > all the Certificates & CA setup is right on the RADIUS server 
> > certificate, User certificate, and the Root Certificate. That leaves 
> > the Computer Certificate.
> >
> > I generated the computer certificate to have the common name be the 
> > machine
> > name (I've tried it plain and FQDN) and I've put the FQDN is the 
> > altSubjectName
> > field as well. It has the same usage extensions as the User 
> > certificates.  (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the 
> > AuthMode registry key to Computer Only (2), and it trys to 
> > authenticate which suggests that the workstation is okay with the 
> > certificate.
> >
> > Computer Certificate details: 
> > http://www.cs.odu.edu/~olson/eap/computer.crt.txt
> >
> > Other than that I can't think of where to look for a problem. 
> > Comparing logs between user and computer authentication I can see 
> > where it starts differing
> > but I can't find anything I can interpret as to why. Nothing seems to 
> > fail for
> > the computer, it just cycles endlessly.
> >
> > Successful User Authentication Log:
> >    http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
> >
> > Failed Computer Authentication Log:
> >    http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
> >
> > I also tossed out the windows tracing logs for both user and computer 
> > auth
> >    and anything else that seemed useful in    
> > http://www.cs.odu.edu/~olson/eap/
> >
> > Can anybody give me a pointer on where to look for problems?
> >
> > Thanks
> >
> > -- Mike Olson