If you are using the default config then your eap.conf must have default_eap_type = md5 Try with peap. On Wed, Oct 26, 2011 at 12:14 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 26/10/11 14:58, Phil Mayers wrote:
On 26/10/11 14:47, Sergio NNX wrote:
This kind of Q&A thing helps no one here! Many people are reporting the same issue on different platforms! I don't think the problem is either with the client or the certificates since I conducted some testing using the same client and the same certificates but an old FR version (1.1.7) and the tests pass. It's easier to blame something else but we could spend that time contributing to the solution and so helping others!
In earnest: What exactly would you like us to do? Be specific. Bear in mind that no-one is paid to offer help here.
If you can reproduce the problem reliably, then do so. Carefully document the configs that work under 1.1.7, and fail under 2.1.12, including the client configuration. Give that information to the list, and I'm sure if people are interested, they will take a look.
If no-one is interested, you should start investigating the problem yourself - FreeRADIUS is open source. If you lack the skills locally, hire a contractor.
I will try to find some time today to test machine auth.
Sorry, this is long.
tl;dr version - under Windows 7, if you import the CA certificate into the "Trusted Root Certification Authorities" hierarchy in the MMC "Certificates" snap-in, Windows 7 user- and machine-auth work just fine against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.
It works for me.
===
I have just tested machine auth on a Windows 7 client. Everything works as I expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and default configs, I made two changes:
1. Edit "modules/mschap" to enable the "ntlm_auth" helper like so:
ntlm_auth = "... --username=%{mschap:User-Name} ..."
2. Edit "clients.conf" to add an entry for the switch
I then started FreeRADIUS, and it auto-generated the certificates. I then tried a sequence of things on the Windows client.
First - open the "services" MMC snap-in, and start (and set to auto-start) the "Wired autoconfig" service
Second - open the network adapter list, right-click on the wired adapter, and enable authentication using the default settings (PEAP, MSCHAP inner) except that I unchecked "use my windows domain login / password"
I then enabled 802.1x on the port facing the machine.
== 1st auth ==
Failed. Client did the TLS negotiation, and returned the following error to FreeRADIUS:
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails.
This is expected; we haven't yet imported the client cert into the certificate store.
== 2nd auth ==
Copy the "ca.cer" file onto the client, double-click on it, follow the prompts using the defaults. This didn't work - the client did not import the cert, despite appearing to, so auth again failed.
== 3rd auth ==
Open "mmc", add the "Certificates" snap-in for "My user account". In the snap-in, expand the "Trusted Root Certification Authorities" folder, and right click on the "Certificates" child - select "All Tasks", "Import...". Browse to the cert & import it. You will be prompted saying "Windows cannot verify ..." - click OK.
You should now see the example cert in the list.
Re-start the 802.1x auth (unplug/reconnect).
You will be prompted for a username/password, as before - this time, auth will succeed.
== 4th auth ==
Return to the network adapter settings. Right-click, select properties. Go to the Authentication tab, select "Additional settings", and tick the "Specify authentication mode" box, and select "Computer authentication" from the drop-down.
The machine will re-authenticate and, as expected, fail with a bad CA alert:
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
== 5th auth ==
Return to the "mmc" window; add the "Certificates" snap-in for the computer account. Again, expand "Trusted Root Certification Authorities" and right-click on "Certificates" and select "All tasks", "Import..". Browse to the "ca.cer" and import it.
Re-start authentication. Authentication will work. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html