windows7 machine authentication
Sallee, Stephen (Jake)
Jake.Sallee at umhb.edu
Tue Aug 24 16:48:39 CEST 2010
> I don't use certificates neither on the server and neither on the
> client side.
> I read in the internet that also windows7 should work without
> certificates - is that true ?
Strictly speaking this is actually true. However! You need to understand
what is happening:
1) Win7 will not connect to a wireless network that is secured with a
certificate enabled protocol without some prior configuration, period.
This means that if you set up an AP using 802.1x with FreeRADIUS
(or any server) as your AAA server your windows 7 (and Vista AFAIK)
WILL NOT authenticate successfully unless you specifically configure
the client to do so. Gone are the days of click through protected WiFi
setups in Windows.
I have purchased a cert from Thawte hoping that my clients will
trust it and allow the connection without manually touching each machine
but alas, no.
2) Once correctly configured (depending on the auth protocol you are
using) the client will accept the server's cert (the reason the auth is
failing now) and send back its own cert for the server to inspect (if
needed by the protocol).
So, you ARE using certs. Did you install them? No. Is that a problem?
Yes. When working with certs you should ALWAYS know them inside and
out, they are your digital identity, and they do incur some legal
implications.
If you need assistance configuring the windows clients to accept the
cert the server is sending, meet me on the IRC channel. That is really
not a discussion for the list. ; )
Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org]
On Behalf Of alois blasbichler
Sent: Tuesday, August 24, 2010 9:20 AM
To: freeradius-users at lists.freeradius.org
Subject: windows7 machine authentication
Hello list
We use freeradius with openldap and machine-authentication
(samba-pcs) for years with success.
Windows xp and vista clients work fine.
Now I wanted to authenticate a Windows 7 laptop and I get the following
errors :
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
and then
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
I don't use certificates neither on the server and neither on the client
side.
I read in the internet that also windows7 should work without
certificates - is that true ?
What can be the problem ?
Do you need more debug-output ?
Thank you and bye
luis
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
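
Added example, not part of the original thread and not FreeRADIUS code: a small Python triage of the debug output quoted above that reports which side sent the TLS alert, and so whose trust configuration to inspect. It assumes "<<<" marks a record received from the client and ">>>" one sent by the server; the name triage and the hint strings are this example's own.

```python
import re

# One TLS alert record as it appears in the radiusd debug output quoted above.
# \s+ between tokens tolerates the hard line wraps added by mail clients.
ALERT_RE = re.compile(
    r"\[(?P<module>\w+)\]\s+(?P<dir><<<|>>>)\s+TLS\s+(?P<version>[\d.]+)\s+Alert\s+"
    r"\[length\s+[0-9a-fA-F]+\],\s+(?P<level>warning|fatal)\s+(?P<alert>\w+)"
)

# Assumption: "<<<" = record received from the supplicant, ">>>" = sent by the server.
SENDER = {"<<<": "supplicant", ">>>": "server"}

# Certificate-related TLS alert names; the explanations are this example's wording.
MEANING = {
    "unknown_ca": "sender has no trusted CA that chains to the peer's certificate",
    "bad_certificate": "sender could not verify the peer's certificate",
    "certificate_expired": "peer's certificate is outside its validity period",
    "certificate_revoked": "peer's certificate was revoked by its issuer",
    "certificate_unknown": "sender rejected the peer's certificate for another reason",
}

def triage(debug_text):
    """Return one finding per TLS alert found in radiusd debug text."""
    findings = []
    for m in ALERT_RE.finditer(debug_text):
        sender = SENDER[m["dir"]]
        findings.append({
            "eap_module": m["module"],
            "sender": sender,
            "level": m["level"],
            "alert": m["alert"],
            "meaning": MEANING.get(m["alert"], "not in this example's table"),
            # The side that sent the alert is the side that rejected the other's cert.
            "inspect": ("client trust settings for the server certificate"
                        if sender == "supplicant"
                        else "server CA list used to verify client certificates"),
        })
    return findings

# Constructed sample: lines copied from the debug output in the original message.
SAMPLE = """\
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert
read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

For the sample, the single finding names the supplicant as the sender of a fatal unknown_ca alert, which matches the reply's point that the Windows 7 client is the side refusing the server's certificate.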