TLS Athentifikation before Domain Logon XP
Hi, i searched the whole archive about this Problems but can not find an real answert to my Problem. I want Windows XP to authenticate to Freeradius when before the user Logs on the domain otherwise he would have no network connection to reach the PDC and the logon fails. It should be possible wit the XP Client and no other additional software. I tried out the registry patch AuthMode with a value of 2 whch causes windows to authenticate with the machine certificate only. Then I generated a client certificate with openssl with the special OID 1.3.6.1.4.1.311.17.2 which was posted in the mailing list some time ago. But with this certificate authentification fails. Is there anybody who successfully managed that problem and can describe me how he solved this problem step by step. I think the problem is the machine certificate. Greetings Armin
Does noone have got any idea how to solve this problem? Greetings Armin Hi, i searched the whole archive about this Problems but can not find an real answert to my Problem. I want Windows XP to authenticate to Freeradius when before the user Logs on the domain otherwise he would have no network connection to reach the PDC and the logon fails. It should be possible wit the XP Client and no other additional software. I tried out the registry patch AuthMode with a value of 2 whch causes windows to authenticate with the machine certificate only. Then I generated a client certificate with openssl with the special OID 1.3.6.1.4.1.311.17.2 which was posted in the mailing list some time ago. But with this certificate authentification fails. Is there anybody who successfully managed that problem and can describe me how he solved this problem step by step. I think the problem is the machine certificate. Greetings Armin
Armin Krämer wrote:
I tried out the registry patch AuthMode with a value of 2 whch causes windows to authenticate with the machine certificate only. Then I generated a client certificate with openssl with the special OID 1.3.6.1.4.1.311.17.2 which was posted in the mailing list some time ago. But with this certificate authentification fails.
The correct OIDs are: RADIUS server certificate: 1.3.6.1.5.5.7.3.1 (TLS Server Authentication) Client certificate: 1.3.6.1.5.5.7.3.2 (TLS Client Authentication)
Is there anybody who successfully managed that problem and can describe me how he solved this problem step by step. I think the problem is the machine certificate.
Bump up Schannel logging to see what's really happening: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL Key: EventLogging Value: 4 (log everything) -- Tim
"Timothy J. Miller" <tmiller@mitre.org> wrote:
The correct OIDs are:
RADIUS server certificate: 1.3.6.1.5.5.7.3.1 (TLS Server Authentication)
Client certificate: 1.3.6.1.5.5.7.3.2 (TLS Client Authentication)
For *user* logins. The *machine* login uses the other OID's. Alan DeKok.
Here, this is the only output of freeradius-X-A when i copy the Certifikate into the Machine Location in MMC-Computer Certificate and add the root certs also. What kind of OID is now correct for Machine Certifikate? The normal Client Authentifikation OID or an other? Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.252:3912, id=44, length=156 User-Name = "host/Notebook-AK.ak-server.de" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022c002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465 Message-Authenticator = 0x53d26ddeab0dd0406e4710707257e707 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 44 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 207 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 44 to 192.168.1.252:3912 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x012d00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc64cbbb104fb839fdb2c2cede14e4f2e Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 44 with timestamp 43be09ac Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.252:3913, id=45, length=156 User-Name = "host/Notebook-AK.ak-server.de" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465 Message-Authenticator = 0xfb2bddbd89303b852866ad099e315c52 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 45 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 207 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 45 to 192.168.1.252:3913 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x012e00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x399b87c79d22ab0ddb4e05e1d9a82ba0 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 45 with timestamp 43be09ba Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.252:3914, id=49, length=156 User-Name = "host/Notebook-AK.ak-server.de" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0231002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465 Message-Authenticator = 0xcd4c57a9fe6aee99122c8d49a5e53b67 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 49 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 207 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 49 to 192.168.1.252:3914 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x013200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc7e2274ffcdd02aa0f62849fcecac329 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 49 with timestamp 43be09c9 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.252:3915, id=50, length=156 User-Name = "host/Notebook-AK.ak-server.de" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0232002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465 Message-Authenticator = 0x3ab989079d5ca1b3abfb0d32144ee2ab Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 50 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 207 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 50 to 192.168.1.252:3915 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x013300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x393c81cd6ea79ede5fbcfee1323f3941 Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 50 with timestamp 43be09d8 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.252:3916, id=56, length=156 User-Name = "host/Notebook-AK.ak-server.de" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0238002201686f73742f4e6f7465626f6f6b2d414b2e616b2d7365727665722e6465 Message-Authenticator = 0xca20e829fc17c4ebab2fe61953c82bd3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "host/Notebook-AK.ak-server.de", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 56 length 34 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 207 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 56 to 192.168.1.252:3916 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x013900060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa9e40551d301f9f826603a1b7c44c9c0 Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 56 with timestamp 43be09e8 Nothing to do. Sleeping until we see a request. -----Ursprüngliche Nachricht----- Von: freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org [mailto:freeradius-users-bounces+kraemer.armin=web.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Freitag, 6. Januar 2006 21:03 An: FreeRadius users mailing list Betreff: Re: Noone anny idea fot --> TLS Athentifikation before Domain LogonXP? "Timothy J. Miller" <tmiller@mitre.org> wrote:
The correct OIDs are:
RADIUS server certificate: 1.3.6.1.5.5.7.3.1 (TLS Server Authentication)
Client certificate: 1.3.6.1.5.5.7.3.2 (TLS Client Authentication)
For *user* logins. The *machine* login uses the other OID's. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Armin Krämer -
Timothy J. Miller