windows 7 eap-tls authentication
hi list, i want to authenticate windows 7 computers with tls certificates. the certs have the special windows OIDs, but i still get the error from below. on the website http://wiki.freeradius.org/Certificate_Compatibility there is only winxp mentioned. is there maybe any difference with windows 7? has anyone done this or a hint whats going wrong? thanks in advance, chris --- rad_recv: Access-Request packet from host 172.16.64.240 port 1645, id=133, length=153 User-Name = "host/cb-nb" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-12-01-1B-2A-40" Calling-Station-Id = "00-24-7E-6B-E4-BE" EAP-Message = 0x0202000f01686f73742f63622d6e62 Message-Authenticator = 0xdfa853b693abac5cede3b893dac561ba NAS-Port-Type = Ethernet NAS-Port = 50217 NAS-Port-Id = "FastEthernet2/17" NAS-IP-Address = 172.16.64.240 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} [eap] EAP packet type response id 2 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 133 to 172.16.64.240 port 1645 EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xebeac82aebe9c52b6c542d897c25837b Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 133 with timestamp +15 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xebeac82aebe9c52b did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. ---
Hi On Wed, Apr 04, 2012 at 01:47:54PM +0200, Christian Bösch wrote:
the certs have the special windows OIDs, but i still get the error from below.
The oids are only one reason for that error, but it is a very common reason for this issue. The basic problem is that, for some reason, Windows gave up and just didn't reply to the EAP-TLS start. If in doubt, use the default FR config, get it to generate the certs (which will be done properly) and install and test with that. Then you should know that the FR/cert side is 100% ok, and it must be your Windows settings. Then tweak from there.
on the website http://wiki.freeradius.org/Certificate_Compatibility there is only winxp mentioned. is there maybe any difference with windows 7? has anyone done this or a hint whats going wrong?
EAP-TLS definitely works with Windows 7. Check it's set for 'computer' authentication, and the certificates are all installed in the right places, including any intermediate certs (although you're not getting as far as that, it seems). Also make sure you have just one client cert in the computer account personal cert store - more than one can confuse things, as it probably won't pick the one you want. Make sure you've set the connection to 'certificate', rather than 'PEAP'. FR is correctly sending EAP type 0d (eap-tls) back, and I'm not sure what Windows does if it's incorrectly expecting to do peap here. Generally, though, it just works. Unfortunately I've not yet found any way to get decent debugging info out of Windows, such as you can get from things like wpa-supplicant. Matthew
--- rad_recv: Access-Request packet from host 172.16.64.240 port 1645, id=133, length=153 User-Name = "host/cb-nb" Service-Type = Framed-User Framed-MTU = 1500 Called-Station-Id = "00-12-01-1B-2A-40" Calling-Station-Id = "00-24-7E-6B-E4-BE" EAP-Message = 0x0202000f01686f73742f63622d6e62
eap response/identity
Message-Authenticator = 0xdfa853b693abac5cede3b893dac561ba NAS-Port-Type = Ethernet NAS-Port = 50217 NAS-Port-Id = "FastEthernet2/17" NAS-IP-Address = 172.16.64.240 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} [eap] EAP packet type response id 2 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 133 to 172.16.64.240 port 1645 EAP-Message = 0x010300060d20
eap request, type=eap-tls, start.
Message-Authenticator = 0x00000000000000000000000000000000 State = 0xebeac82aebe9c52b6c542d897c25837b Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 133 with timestamp +15 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xebeac82aebe9c52b did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
windows never responds.
Ready to process requests. ---
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Christian Bösch -
Matthew Newton