EAP-TLS and Windows 10 fails for wireless
Hello everyone, I'm setting up a RADIUS server, and I've run into some trouble to authenticate a Windows 10 laptop via wireless. I got no reply to the 5th "Access-Challenge". I'm running freeradius-server 3.0.11 with customized demo certificates: I've integrated the certificate configuration changes from the branch 3.1.x, and also created a unencrypted key (.p12) for my Windows client. I've installed the root CA certificate (.der) and the client key (.p12) into the User's certificate store on the Windows client. During my troubleshooting, I've searched for other error reports for EAP-TLS & Windows: * TLS version compatibility -> I've forced Windows to use TLS 1.2 (add DWORD TlsVersion register) (unnecessary but done). * 802.11 version compatibility -> I've tried both 802.11a+g mode and 802.11b+g+n mode on the access point. I've also noted that the Windows 10 laptop can connect when wireless encryption is disabled. * server certificate requirements -> Windows successfully authenticates in PEAP mode with the dummy "bob" user when "Verify server certificate" is checked in EAP-TLS parameters * root CA certificate requirements * user certificate requirement * user key requirement (no encryption) -> Windows successfully authenticate in EAP-TLS mode on the wired connection. So all certificates are correctly installed, and Windows can use the client's cert/key to authenticate. I've tried to get some debugging info with the command: netsh wlan set tra yes netsh ras set tr * en <connection attempt> netsh ras set tr * dis netsh wlan set tra no However I got a handful of files, which ones are relevant ? The only advice I got from them is to check TLS and 802.11 compatibility. Could someone kindly advise me to the next point ? Has anyone run into a similar problem ? Following is the failing connection log from freeradius-server: # radiusd -X [...] Server core libs: freeradius-server : 3.0.11 talloc : 2.0.* ssl : 1.0.1j release pcre : 8.11 2010-12-10 [...] tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius2/certs" pem_file_type = yes private_key_file = "/etc/freeradius2/certs/server.key" certificate_file = "/etc/freeradius2/certs/server.pem" ca_file = "/etc/freeradius2/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/freeradius2/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cache { enable = yes lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } [...] (33) Received Access-Request Id 42 from 10.1.1.2:32962 to 10.255.255.251:1812 length 163 (33) User-Name = "eloi" (33) Called-Station-Id = "06-F0-21-11-27-D1:acksys" (33) NAS-Port-Type = Wireless-802.11 (33) NAS-Port = 1 (33) Calling-Station-Id = "24-77-03-1F-B6-78" (33) Connect-Info = "CONNECT 54Mbps 802.11a" (33) Acct-Session-Id = "5415B2E9-00000003" (33) Framed-MTU = 1400 [...] (33) eap: Peer sent packet with method EAP Identity (1) (33) eap: Calling submodule eap_tls to process data (33) eap_tls: Initiating new EAP-TLS session (33) eap_tls: Setting verify mode to require certificate from client (33) eap_tls: [eaptls start] = request (33) eap: Sending EAP Request (code 1) ID 151 length 6 (33) eap: EAP session adding &reply:State = 0xe01d52c2e08a5f27 [...] (34) Received Access-Request Id 43 from 10.1.1.2:32962 to 10.255.255.251:1812 length 350 [...] (34) eap: Peer sent EAP Response (code 2) ID 151 length 178 [...] (34) eap: Peer sent packet with method EAP TLS (13) (34) eap: Calling submodule eap_tls to process data (34) eap_tls: Continuing EAP-TLS (34) eap_tls: Peer indicated complete TLS record size will be 168 bytes (34) eap_tls: Got complete TLS record (168 bytes) (34) eap_tls: [eaptls verify] = length included (34) eap_tls: (other): before/accept initialization (34) eap_tls: TLS_accept: before/accept initialization (34) eap_tls: <<< recv TLS 1.2 [length 00a3] (34) eap_tls: TLS_accept: SSLv3 read client hello A (34) eap_tls: >>> send TLS 1.2 [length 0051] (34) eap_tls: TLS_accept: SSLv3 write server hello A (34) eap_tls: >>> send TLS 1.2 [length 08d9] (34) eap_tls: TLS_accept: SSLv3 write certificate A (34) eap_tls: >>> send TLS 1.2 [length 030f] (34) eap_tls: TLS_accept: SSLv3 write key exchange A (34) eap_tls: >>> send TLS 1.2 [length 00ba] (34) eap_tls: TLS_accept: SSLv3 write certificate request A (34) eap_tls: TLS_accept: SSLv3 flush data (34) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (34) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (34) eap_tls: In SSL Handshake Phase (34) eap_tls: In SSL Accept mode (34) eap_tls: [eaptls process] = handled (34) eap: Sending EAP Request (code 1) ID 152 length 1014 (34) eap: EAP session adding &reply:State = 0xe01d52c2e1855f27 [...] (34) Sent Access-Challenge Id 43 from 10.255.255.251:1812 to 10.1.1.2:32962 length 0 [...] (35) Received Access-Request Id 44 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 [...] (36) Received Access-Request Id 45 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 [...] (37) Received Access-Request Id 46 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 [...] (38) Received Access-Request Id 0 from 10.1.1.2:41720 to 10.255.255.251:1812 length 163 [...] (39) Received Access-Request Id 1 from 10.1.1.2:41720 to 10.255.255.251:1812 length 350 [...] (39) eap: Expiring EAP session with state 0xe01d52c2e4865f27 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! EAP session with state 0xe01d52c2e4865f27 did not finish! !! !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -- Lucile Quirion Consultante en logiciels libres Savoir-faire Linux Tel: + 1 (514) 276 5468, ext. 312
[...] (34) Sent Access-Challenge Id 43 from 10.255.255.251:1812 to 10.1.1.2:32962 length 0 [...] (35) Received Access-Request Id 44 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 [...] (36) Received Access-Request Id 45 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 [...] (37) Received Access-Request Id 46 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 [...] (38) Received Access-Request Id 0 from 10.1.1.2:41720 to 10.255.255.251:1812 length 163 [...] (39) Received Access-Request Id 1 from 10.1.1.2:41720 to 10.255.255.251:1812 length 350 [...] (39) eap: Expiring EAP session with state 0xe01d52c2e4865f27
Woo lets play the remove all the useful data game... -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Jun 9, 2016, at 5:30 PM, Lucile Quirion <lucile.quirion@savoirfairelinux.com> wrote:
I'm setting up a RADIUS server, and I've run into some trouble to authenticate a Windows 10 laptop via wireless. I got no reply to the 5th "Access-Challenge".
The Windows machine doesn't like the certificates. Why? Ask Windows. The testing certificates work.
Has anyone run into a similar problem ?
Lots of people.
Following is the failing connection log from freeradius-server:
And... heavily edited. Why? Alan DeKok.
I manage a flat share for plenty years and have FR running and well configured. I also use EAP-TLS and certificates. I NEVER had a problem with Windows 7 or 8 or 8.1 getting it to connect wireless. Only Windows 10 does not work. My advice: format the HDD and install Windows 7 or if you like it less productive but more fancy Windows 8.1. 2016-06-10 0:10 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Jun 9, 2016, at 5:30 PM, Lucile Quirion <lucile.quirion@savoirfairelinux.com> wrote:
I'm setting up a RADIUS server, and I've run into some trouble to authenticate a Windows 10 laptop via wireless. I got no reply to the 5th "Access-Challenge".
The Windows machine doesn't like the certificates.
Why? Ask Windows.
The testing certificates work.
Has anyone run into a similar problem ?
Lots of people.
Following is the failing connection log from freeradius-server:
And... heavily edited.
Why?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 9 Jun 2016, at 21:12, Ben Humpert <ben@an3k.de> wrote:
I manage a flat share for plenty years and have FR running and well configured. I also use EAP-TLS and certificates. I NEVER had a problem with Windows 7 or 8 or 8.1 getting it to connect wireless. Only Windows 10 does not work. My advice: format the HDD and install Windows 7 or if you like it less productive but more fancy Windows 8.1.
Or install v3.1.x which is stable now! (except for bug fixes). ...and use the improved debugging output to help us figure out what's going on. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Thanks for your reply.
Or install v3.1.x which is stable now! (except for bug fixes). I've installed v3.1x and the problem resolved itself.
The Wi-fi menu went through the following steps on Windows 10 laptop (the certificates are already installed and the wireless connection was manually added): * Choose a certificate [Ok] * Checking network requirements * Continue connecting ? If you expect to find acksys in this location, go ahead and connect. Otherwise, it may be a different network with the same name. [Show certificate details] [Connect] [Cancel] * Checking network requirements And the connection was established. With freeradius v3.0.11, the menu would stuck at the first "Checking network requirement" for several minutes. -- Lucile Quirion Consultante en logiciels libres Savoir-faire Linux Tel: + 1 (514) 276 5468, ext. 312
I was wrong. Windows 10 can authenticate against freeradius v3.0.11 via EAP-TLS. My Access point is plugged to a switch and the switch transmits only UPD:1812 IP packets to the server. I found out that the switch was dropping non-initial fragments of the IP packets. It was preventing the user to complete the SSL handshake (the last Access-Request message was fragmented). Thanks again. -- Lucile Quirion Consultante en logiciels libres Savoir-faire Linux Tel: + 1 (514) 276 5468, ext. 312
Hi,
I've installed v3.1x and the problem resolved itself. The Wi-fi menu went through the following steps on Windows 10 laptop (the certificates are already installed and the wireless connection was manually added): * Choose a certificate [Ok] * Checking network requirements * Continue connecting ? If you expect to find acksys in this location, go ahead and connect. Otherwise, it may be a different network with the same name. [Show certificate details] [Connect] [Cancel] * Checking network requirements And the connection was established.
It's funny how some people think that the workflow above equals "it works". If Windows asks the "Show cert details / do you expect" question, then this means the server certificate and CA chain checks *failed* and it's resorting to user-interactive "D'oh, I'm guessing" mode. So, security-wise, seeing this workflow means your setup is still broken; just more subtly than before. Greetings, Stefan Winter
On 12 Jun 2016, at 16:38, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
I've installed v3.1x and the problem resolved itself. The Wi-fi menu went through the following steps on Windows 10 laptop (the certificates are already installed and the wireless connection was manually added): * Choose a certificate [Ok] * Checking network requirements * Continue connecting ? If you expect to find acksys in this location, go ahead and connect. Otherwise, it may be a different network with the same name. [Show certificate details] [Connect] [Cancel] * Checking network requirements And the connection was established.
It's funny how some people think that the workflow above equals "it works". If Windows asks the "Show cert details / do you expect" question, then this means the server certificate and CA chain checks *failed* and it's resorting to user-interactive "D'oh, I'm guessing" mode.
So, security-wise, seeing this workflow means your setup is still broken; just more subtly than before.
http://www.slideshare.net/ArranCudbardBell/networkshop44 See slides 6-16 :) -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Ben Humpert -
Lucile Quirion -
Stefan Winter