Thank you Matthew for the clarification. I could successfully get the Windows 7 client to try and make a request (you definitely need to have the certs imported into exactly the correct spots). But now my debug log says that it's failing. This is a default 2.1.12 install with the switch added to the clients.conf file.<div>
<br></div><div><div><br></div><div><div>rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180</div><div> User-Name = "host/user@example.com"</div>
<div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div>
EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d</div><div> Message-Authenticator = 0x41f4a411366a244a23e887c859436d0b</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div>
<div> NAS-Port-Id = "GigabitEthernet0/16"</div><div> NAS-IP-Address = 10.11.200.73</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div>
<div>++[preprocess] returns ok</div><div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] Looking up realm "example.com" for User-Name = "host/user@example.com"</div>
<div>[suffix] Found realm "example.com"</div><div>[suffix] Adding Stripped-User-Name = "host/user"</div><div>[suffix] Adding Realm = "example.com"</div>
<div>[suffix] Proxying request from user host/user to realm example.com</div><div>[suffix] Preparing to proxy authentication request to realm "example.com"</div>
<div>++[suffix] returns updated</div><div>[eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.</div><div>++[eap] returns noop</div><div>++[files] returns noop</div>
<div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>++[pap] returns noop</div><div> WARNING: Empty pre-proxy section. Using default return values.</div><div>Sending Access-Request of id 231 to 127.0.0.1 port 1812</div>
<div> User-Name = "host/user"</div><div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div>
<div> EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div>
<div> NAS-Port-Id = "GigabitEthernet0/16"</div><div> NAS-IP-Address = 10.11.200.73</div><div> Proxy-State = 0x323034</div><div>Proxying request 0 to home server 127.0.0.1 port 1812</div><div>
Sending Access-Request of id 231 to 127.0.0.1 port 1812</div><div> User-Name = "host/user"</div><div> Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div>
<div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div> EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div>
<div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div> NAS-IP-Address = 10.11.200.73</div><div> Proxy-State = 0x323034</div>
<div>Going to the next request</div><div>Waking up in 0.9 seconds.</div><div>rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=231, length=171</div><div> User-Name = "host/user"</div><div>
Service-Type = Framed-User</div><div> Framed-MTU = 1500</div><div> Called-Station-Id = "9C-AF-CA-F4-40-10"</div><div> Calling-Station-Id = "64-31-50-7D-72-DE"</div><div> EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d</div>
<div> Message-Authenticator = 0x0d22b2b1d5102149a8c1c731bc6613dd</div><div> NAS-Port-Type = Ethernet</div><div> NAS-Port = 50016</div><div> NAS-Port-Id = "GigabitEthernet0/16"</div><div>
NAS-IP-Address = 10.11.200.73</div><div> Proxy-State = 0x323034</div><div># Executing section authorize from file /etc/raddb/sites-enabled/default</div><div>+- entering group authorize {...}</div><div>++[preprocess] returns ok</div>
<div>++[chap] returns noop</div><div>++[mschap] returns noop</div><div>++[digest] returns noop</div><div>[suffix] No '@' in User-Name = "host/user", looking up realm NULL</div><div>[suffix] No such realm "NULL"</div>
<div>++[suffix] returns noop</div><div>[eap] EAP packet type response id 1 length 26</div><div>[eap] No EAP Start, assuming it's an on-going EAP conversation</div><div>++[eap] returns updated</div><div>++[files] returns noop</div>
<div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.</div><div>++[pap] returns noop</div>
<div>Found Auth-Type = EAP</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>+- entering group authenticate {...}</div><div>[eap] Identity does not match User-Name, setting from EAP Identity.</div>
<div>[eap] Failed in handler</div><div>++[eap] returns invalid</div><div>Failed to authenticate the user.</div><div>Using Post-Auth-Type Reject</div><div># Executing group from file /etc/raddb/sites-enabled/default</div><div>
+- entering group REJECT {...}</div><div>[attr_filter.access_reject] expand: %{User-Name} -> host/user</div><div>attr_filter: Matched entry DEFAULT at line 11</div><div>++[attr_filter.access_reject] returns updated</div>
<div>Delaying reject of request 1 for 1 seconds</div><div>Going to the next request</div><div>Waking up in 0.9 seconds.</div><div>Sending delayed reject for request 1</div><div>Sending Access-Reject of id 231 to 127.0.0.1 port 1814</div>
<div> Proxy-State = 0x323034</div><div>Waking up in 4.9 seconds.</div><div>rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=231, length=25</div><div> Proxy-State = 0x323034</div><div># Executing section post-proxy from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group post-proxy {...}</div><div>[eap] No pre-existing handler found</div><div>++[eap] returns noop</div><div>Using Post-Auth-Type Reject</div><div># Executing group from file /etc/raddb/sites-enabled/default</div>
<div>+- entering group REJECT {...}</div><div>[attr_filter.access_reject] expand: %{User-Name} -> host/user@example.com</div><div>attr_filter: Matched entry DEFAULT at line 11</div>
<div>++[attr_filter.access_reject] returns updated</div><div>Sending Access-Reject of id 204 to 10.11.200.73 port 1645</div><div>Finished request 0.</div><div>Going to the next request</div><div>Waking up in 4.9 seconds.</div>
<div>Cleaning up request 1 ID 231 with timestamp +14</div><div>Cleaning up request 0 ID 204 with timestamp +14</div><div>Ready to process requests.</div></div></div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Fri, Dec 7, 2012 at 2:23 PM, Matthew Newton <span dir="ltr"><<a href="mailto:mcn4@leicester.ac.uk" target="_blank">mcn4@leicester.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Fri, Dec 07, 2012 at 12:39:13PM -0600, Dan Letkeman wrote:<br>
> Sorry, I was not clear with my setup information. We do not have a domain,<br>
> these are stand alone windows 7 devices. We also have some tablets and<br>
> some linux boxes. Concern right now is the Windows 7 devices. I didn't<br>
> know that you cannot do machine authentication without a domain....<br>
<br>
</div>You can, but you'll need to handle the certificates on the hosts<br>
manually. That's usually such a pain that the only real solution<br>
is to use AD. If you've got a small number of devices, or can<br>
write some other automated method of deploying certs, then it can<br>
be possible to handle.<br>
<br>
What you /can't/ do is both User auth (mschap - username +<br>
password) *and* Computer auth (certificates - EAP-TLS) in the same<br>
connection, as the default Windows supplicant, like most, doesn't<br>
support client certificates with PEAP (and user auth - mschap -<br>
needs to be inside PEAP).<br>
<div class="im"><br>
> User authentication in my environment is just not an option because all of<br>
> the devices need to have a connection to the network at all times even if<br>
> nobody is logged in. Should I be using PEAP/EAP-TLS instead?<br>
<br>
</div>There are no good reasons for doing PEAP/EAP-TLS unless you want<br>
to use SoH. PEAP adds overhead to the auth, with no added benefit.<br>
<div class="im"><br>
> If so do you know of any good setup documentation for that?<br>
<br>
</div>I wrote up how to do PEAP/EAP-TLS a while back - you can find it<br>
here: <a href="http://q.asd.me.uk/pet" target="_blank">http://q.asd.me.uk/pet</a><br>
<br>
That said - your connection is trying to do PEAP, so you've<br>
configured your client for either 'certificates' or mschap inside<br>
PEAP. I forget the exact options in the interface, but you need to<br>
choose 'certificates' rather than 'PEAP', then select the client<br>
certificate that you want to auth with - which will be one that is<br>
signed by the same CA that the CA_file option in your FreeRADIUS<br>
eap.conf file points to. Make sure it's set to 'Computer' auth,<br>
not 'User' or 'User + Computer'.<br>
<br>
In theory, you'll then find that it Just Works. But the Windows<br>
config interface takes a bit of head scratching to get around<br>
until you understand what it's doing under the hood.<br>
<br>
Cheers<br>
<span class="HOEnZb"><font color="#888888"><br>
Matthew<br>
<br>
<br>
--<br>
Matthew Newton, Ph.D. <<a href="mailto:mcn4@le.ac.uk">mcn4@le.ac.uk</a>><br>
<br>
Systems Architect (UNIX and Networks), Network Services,<br>
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom<br>
<br>
For IT help contact helpdesk extn. 2253, <<a href="mailto:ithelp@le.ac.uk">ithelp@le.ac.uk</a>><br>
</font></span><div class="HOEnZb"><div class="h5">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>
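An added example (not from this list thread or from FreeRADIUS itself) that decodes the EAP-Message attribute shown in the debug output above and compares the EAP Identity inside it with the realm-stripped User-Name that the proxied request carries, which is the mismatch the "[eap] Identity does not match User-Name" line reports; the sample debug lines and all function names are constructed for this example.

```python
"""Decode an EAP-Message from FreeRADIUS debug output (RFC 3748 framing) and
check the EAP Identity against the User-Name the inner server will see."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_IDENTITY = 1  # EAP type 1 = Identity (RFC 3748)

# Constructed sample: the relevant lines from the debug output in the thread.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.11.200.73 port 1645, id=204, length=180
 User-Name = "host/user@example.com"
 EAP-Message = 0x0201001a01686f73742f75736572406578616d706c652e636f6d
[suffix] Adding Stripped-User-Name = "host/user"
"""


def decode_eap_message(hexstr):
    """Parse one EAP packet: code, id, 2-byte length, then type and data."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):  # truncated or concatenated fragment
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # Request/Response carry a type octet
        pkt["type"] = raw[4]
        if raw[4] == EAP_IDENTITY:
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
    return pkt


def parse_attrs(debug_text):
    """Collect 'Attr = value' pairs from debug lines, including suffix's additions."""
    attrs = {}
    pattern = r'^\s*(?:\[suffix\] Adding )?([A-Za-z-]+) = "?([^"\n]*?)"?\s*$'
    for m in re.finditer(pattern, debug_text, re.M):
        attrs[m.group(1)] = m.group(2)
    return attrs


def check_identity(debug_text):
    """Compare the EAP Identity with the (stripped) User-Name seen after proxying."""
    attrs = parse_attrs(debug_text)
    eap = decode_eap_message(attrs["EAP-Message"])
    seen_by_inner = attrs.get("Stripped-User-Name", attrs["User-Name"])
    return {"eap_identity": eap.get("identity"), "user_name": seen_by_inner,
            "match": eap.get("identity") == seen_by_inner}
```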