XP SP3 and EAP-TLS partly solution (SOLVED)

Seann Clark nombrandue at tsukinokage.net
Thu Jan 29 15:58:07 CET 2009

Alexandros Gougousoudis wrote:
> Hi,
> just to give an update on my efforts to make XP SP3 work with EAP-TLS.
> Machine based EAP-TLS authentication works for WIRED connections 
> fine, as I wrote in the last mail. BUT that doesn't mean that it works 
> for wireless connections. :-) Before SP3 there wasn't a problem with 
> that, with this alpha version of service pack, it's not working.
> First of all, the things you need to do with the network-adapters 
> profiles, using the netsh command aren't working in XP with wlan 
> profiles, simply because the netsh command doesn't know "netsh wlan 
> ..." (you get an error), Vista knows that context, XP SP3 not. So 
> there is a Freeware utility zwlancfg here 
> http://www.engl.co.uk/products/zwlancfg/index.html
> Get that and you can export and import the wlan profiles. But setting 
> the authentication to
> <authMode>machine</authMode>
> as with wired connections, won't work. You always get a "no 
> certificate found" error (the cert which is ok for wired connections!) 
> and no connection.
> If the tool zwlancfg is setting up the connection manually, you get an 
> "illegal authmode" error. So you need to have set up the connection to 
> a machineOrUser authmode. It seems there is no machine authmode in XP 
> SP3 anymore.
> As written by MS here: 
> http://msdn.microsoft.com/en-us/library/ms706279.aspx
> "This element is optional. When authMode is not specified in a 
> profile, a value of |machineOrUser| is used. *Windows XP with SP3 and 
> Wireless LAN API for Windows XP with SP2:  *This element will be 
> ignored if it is present in a profile"
> But stop! It's not  that easy. :-)  Because it's Microsoft, it always 
> works a little, but never 100%.  If no user is logged in (= 
> Loginscreen), the connection is established (seen in the Radius log). 
> If a user logs in, the connection is dropped and you get a "no cert" 
> error. If the machine cert is included in the users context, using the 
> cert-mgr, the connection is again established. So I have to install 
> the machine cert for each user, which will login into the computer. 
> And, hey, did I say that machine based EAP-TLS auth via WLAN worked in 
> SP2, despite the MS information?
> It's definitely not a Freeradius problem, but most people will look 
> here to solve the problem. After a lot of googling I found that I 
> must be the only one with that combination and problems.
> So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista!
> I'll post my solution here as well. If someone likes to give me a hint, 
> I'll be happy.
> cu
> Alex
I have been seeing the SAME thing, in a way, from my one XP home client 
(my laptop came with Vista, and I didn't care to move off it) and one 
day the WLAN connected into my Wireless network, next day it didn't. I 
suspected it was XP SP3 but didn't dig too much into it, as wired 
worked. I tested the setup last night, and in short what I was seeing 
from my Radius (in debug mode: radiusd -X) was that the EAP-TLS was 
established, the user name was passed (but didn't match the proper 
realm, so that was discarded) and radius sent back a radius-challenge to 
my WAP, and then onto the client, and nothing ever came back. A few 
minutes later, I would get a Radius access request and repeat it, over 
and over and over. I get prompted for the proper certs, and so forth 
after tinkering with it for a little bit, but it still hasn't 
connected.  Frustrating problem that I haven't seen a solution to yet, 
which is similar to this problem, though slightly different.
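The thread turns on the OneX `<authMode>` element in an exported WLAN profile and on the MSDN note that XP SP3 ignores it (treating the profile as `machineOrUser`). The script below is an added example, not code from either poster or from zwlancfg: it parses a WLAN profile XML of the kind zwlancfg exports, reports the declared authMode, and states what the supplicant will effectively use on XP SP3 versus a platform that honours the element. The sample profiles are constructed; the element names and namespaces follow the public WLAN profile and OneX schemas, and the XP SP3 behaviour encoded here is exactly the MSDN quote in the thread, nothing more.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Namespaces from the public Windows WLAN profile / OneX schemas.
NS_PROFILE = "http://www.microsoft.com/networking/WLAN/profile/v1"
NS_ONEX = "http://www.microsoft.com/networking/OneX/v1"

# authMode values the OneX schema allows; anything else is what zwlancfg
# reports as "illegal authmode".
VALID_MODES = {"machine", "user", "machineOrUser"}


def _profile(auth_mode_element: str) -> str:
    """Build a constructed sample profile with the given OneX fragment."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS_PROFILE}">
  <name>corp-eaptls</name>
  <SSIDConfig><SSID><name>corp-eaptls</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="{NS_ONEX}">
        {auth_mode_element}
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"""


# Constructed samples: the setting from the thread, a profile with no
# authMode at all, and a typo that a profile editor would reject.
PROFILE_MACHINE = _profile("<authMode>machine</authMode>")
PROFILE_DEFAULT = _profile("")
PROFILE_BAD = _profile("<authMode>computer</authMode>")


def get_auth_mode(profile_xml: str) -> Optional[str]:
    """Return the declared OneX authMode, or None if the element is absent."""
    root = ET.fromstring(profile_xml)
    el = root.find(f".//{{{NS_ONEX}}}authMode")
    if el is None or not el.text:
        return None
    return el.text.strip()


def effective_auth_mode(profile_xml: str, target: str = "xpsp3") -> Tuple[Optional[str], Optional[str], str]:
    """Return (declared, effective, note) for the given target platform.

    target="xpsp3": element ignored, machineOrUser used (per the MSDN text
    quoted in the thread).  Any other target: element honoured, default
    machineOrUser when absent.
    """
    declared = get_auth_mode(profile_xml)
    if declared is not None and declared not in VALID_MODES:
        return declared, None, "illegal authMode value"
    if target == "xpsp3":
        if declared is None:
            return declared, "machineOrUser", "authMode absent; default machineOrUser"
        return declared, "machineOrUser", "authMode ignored on XP SP3; treated as machineOrUser"
    return declared, declared or "machineOrUser", "authMode honoured"


if __name__ == "__main__":
    for label, xml in (("machine", PROFILE_MACHINE), ("default", PROFILE_DEFAULT), ("bad", PROFILE_BAD)):
        print(label, effective_auth_mode(xml), effective_auth_mode(xml, target="vista"))
```

Running it shows why the `machine` profile behaves differently on the two platforms: the declared value survives parsing, but on XP SP3 the effective mode is `machineOrUser`, which is the user-context lookup that produces the "no certificate found" error once a user without the machine cert in their store logs in.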
