Connection before logon
Hi I am sure this must be a commonly asked question, but after hours of searching I just can't seem to find the answer. I've spent hours trawling through google and searching the archives to no avail. I am sure I am missing something simple, but can't put my finger on it. There are several posts of similar topic but no answer (or answer that works). In my case, I have freeradius installed to use EAP-TLS, Windows XPSP2 clients exclusively. The authentication works fine after logging on using a local account. I have the same certificates in both the local users certificate store and the computer account certificate store. The debug output for freeradius, when the computer is first switched on and before logging on, simply shows repeated Access-Request packets like the one below. It basically simply repeats. Can anyone shed any light at all, or point me in other directions to search? TIA Fil --Debug Output-- Cleaning up request 8 ID 2 with timestamp 45fa940f Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.50:1054, id=4, length=207 Message-Authenticator = 0xc45158cab736178c590d01cee92bc6cc Service-Type = Framed-User User-Name = "host/SACM0734" Framed-MTU = 1488 Called-Station-Id = "XXXXXXXXXXXXXXXXXXX" Calling-Station-Id = "XXXXXXXXXXXXXXXXX" NAS-Identifier = "D-Link Access Point" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0204001201686f73742f5341434d30373334 NAS-IP-Address = 192.168.1.50 NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 rlm_realm: No '\' in User-Name = "host/SACM0734", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 9 rlm_eap: EAP packet type response id 4 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched host/SACM0734 at 66 modcall[authorize]: module "files" returns ok for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 9 modcall: group authenticate returns handled for request 9 Sending Access-Challenge of id 4 to 192.168.1.50:1054 EAP-Message = 0x010500060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfa4829561866ec99c1e1c3ace47e3f57 Finished request 9 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 9 ID 4 with timestamp 45fa942d Nothing to do. Sleeping until we see a request.
Phil Scarratt wrote:
Hi
I am sure this must be a commonly asked question, but after hours of searching I just can't seem to find the answer. I've spent hours trawling through google and searching the archives to no avail. I am sure I am missing something simple, but can't put my finger on it. There are several posts of similar topic but no answer (or answer that works).
In my case, I have freeradius installed to use EAP-TLS, Windows XPSP2 clients exclusively. The authentication works fine after logging on using a local account. I have the same certificates in both the local users certificate store and the computer account certificate store. The debug output for freeradius, when the computer is first switched on and before logging on, simply shows repeated Access-Request packets like the one below. It basically simply repeats.
Can anyone shed any light at all, or point me in other directions to search?
Fixed my own problem...:)...after a nights sleep and further thinking and testing (tcpdump, AP log files, etc etc) I concluded that the XP client was simply not responding to the EAP Authorize-Challenge, which the most likely reason would be that it had a problem with certificates (either not installed properly or could not find one suitable). As I could verify easily that the certificate was there (using mmc and Certificates snap-in), I tried generating a different certificate with host/ as part of the CN, importing that (and deleting the old one). No go either. However, on deleting this new cert and re-importing the old one using mmc, all worked like a charm. I think probably what happened, (for archive purposes) was that the original howto I followed was not overly interested in machine logons, so had said to double-click the certificate and let the machine pick where to store it. I have then later used mmc to drag and drop the certificate into the computer account's personal certificate store. This obviously did not do the correct thing. Importing using MMC direct to the computer accounts personal cert store did. Fil
participants (1)
-
Phil Scarratt