XP SP3 an EAP-TLS partly solution (SOLVED)
nombrandue at tsukinokage.net
Thu Jan 29 15:58:07 CET 2009
Alexandros Gougousoudis wrote:
> just to give an update on my efforts to make XP SP3 work with EAP-TLS.
> Machine based EAP-TLS authentification works for WIRED connections
> fine, as I wrote in the last mail. BUT that doesn't mean that it works
> for wireless connections. :-) Before SP3 there wasn't a problem with
> that, with this alphaversion of service pack, it's not working.
> First of all, the things you need to do with the network-adapters
> profiles, using the netsh command aren't working in XP with wlan
> profiles, simply because the netsh command doesn't know "netsh wlan
> ..." (you get an error), Vista knows that context, XP SP3 not. So
> there is a Freeware utility zwlancfg here
> Get that and you can export and import the wlan profiles. But setting
> the authentification to
> as with wired connections, won't work. You always get a "no
> certificate found" error (the cert which is ok for wired connections!)
> and no connection.
> If the tool zwlancfg is setting up the connection manually, you get an
> "illegal authmode" error. So you need to have setup the connection to
> an machineOrUser authmode. It seems there is no machine authmode in XP
> SP3 anymore.
> As written by MS here:
> "This element is optional. When authMode is not specified in a
> profile, a value of |machineOrUser| is used. *Windows XP with SP3 and
> Wireless LAN API for Windows XP with SP2: *This element will be
> ignored if it is present in a profile"
> But stop! It's not that easy. :-) Because it's Microsoft, it always
> works a little, but never 100%. If no user is logged in (=
> Loginscreen), the connection is established (seen in the Radius log).
> If a user logs in, the connection is dropped and you get a "no cert"
> error. If the machine cert is included in the users context, using the
> cert-mgr, the connection is again established. So I have to install
> the machine cert for each user, which will login into the computer.
> And, hey, did I say that machine based EAP-TLS auth via WLAN worked in
> SP2, despite the MS information?
> It's definately not an Freeradius problem, but most people will look
> here to solve the problem. After a lot of googleing I found, that I
> must be the only one with that combination and problems.
> So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista!
> I'll post my solution here either. If someone likes to give me a hint,
> I'll be happy.
> List info/subscribe/unsubscribe? See
I have been seeing the SAME thing, in a way, from my one XP home client
(My laptop came with Vista, and I didn't care to move off it) and one
day the WLAN connected into my Wireless network, next day it didn't. I
suspected it was XP SP 3 but didn't dig too much into it, as wired
worked. I tested the setup last night, and in short what I was seeing
from my Radius (In debug mode: radiusd -X) was that the EAP-TLS was
established, the user name was passed (but didn't match the proper
realm, so that was discarded) and radius sent back a radius-challenge to
my WAP, and then onto the client, and nothing ever came back. a few
minutes later, I would get a Radius access request and repeat it, over
and over and over. I get prompted for the proper certs, and so forth
after tinkering with it for a little bit, but it still hasn't'
connected. Frustrating problem that I haven't seen a solution to yet,
which is similar to this problem, though slightly different.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5614 bytes
Desc: S/MIME Cryptographic Signature
More information about the Freeradius-Users