Windows mobile unable to authenticate [FreeRadius+Active directory]
Hi, FreeRadius version 3.0.13 We are using FreeRadius+Active directory setup in our environment to authenticate users for the WIFI. The clients are authenticated using server side cert + their Active directory credentials. This is working properly except windows phone users. Users who own windows phone are unable to authenticate via Freeradius. Below is the debug error log when they try to connect WIFI. (5829) Mon Jun 5 07:53:43 2017: Debug: eap: Calling submodule eap_peap to process data (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: Continuing EAP-TLS (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: [eaptls verify] = ok (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: Done initial handshake (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: [eaptls process] = ok (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: Session established. Decoding tunneled attributes (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: PEAP state send tlv success (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: Received EAP-TLV response (5829) Mon Jun 5 07:53:43 2017: Debug: eap_peap: Client rejected our response. The password is probably incorrect (5829) Mon Jun 5 07:53:43 2017: ERROR: eap_peap: We sent a success, but the client did not agree (5829) Mon Jun 5 07:53:43 2017: ERROR: eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed (5829) Mon Jun 5 07:53:43 2017: Debug: eap: Sending EAP Failure (code 4) ID 11 length 4 (5829) Mon Jun 5 07:53:43 2017: Debug: eap: Failed in EAP select Does any one of you know what the problem is? Thank in advance for the help.
On Jun 16, 2017, at 4:44 AM, Burn Zero <burnzerog@gmail.com> wrote:
We are using FreeRadius+Active directory setup in our environment to authenticate users for the WIFI. The clients are authenticated using server side cert + their Active directory credentials. This is working properly except windows phone users.
Users who own windows phone are unable to authenticate via Freeradius. Below is the debug error log when they try to connect WIFI.
The message says that the client is choosing to stop authentication. The problem is likely that the Windows phones are much more picky about the TLS certificate contents. What does that mean? I'm not sure... Microsoft doesn't document this, and the OS updates change the phone's behaviour. Try using different certificates. i.e. the ones created by the server when it's first installed. You'll need to run tests to see which certificates are acceptable by the phones. Alan DeKok.
does your RADIUS server cert have a CRLDP defined? alan On 16 June 2017 at 13:54, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 16, 2017, at 4:44 AM, Burn Zero <burnzerog@gmail.com> wrote:
We are using FreeRadius+Active directory setup in our environment to authenticate users for the WIFI. The clients are authenticated using server side cert + their Active directory credentials. This is working properly except windows phone users.
Users who own windows phone are unable to authenticate via Freeradius. Below is the debug error log when they try to connect WIFI.
The message says that the client is choosing to stop authentication.
The problem is likely that the Windows phones are much more picky about the TLS certificate contents. What does that mean? I'm not sure... Microsoft doesn't document this, and the OS updates change the phone's behaviour.
Try using different certificates. i.e. the ones created by the server when it's first installed. You'll need to run tests to see which certificates are acceptable by the phones.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Try using different certificates. i.e. the ones created by the server when it's first installed. You'll need to run tests to see which certificates are acceptable by the phones.
Alan DeKok.
Sorry for the long time delay. I tried different certificates but still the same issue. Android / Apple continue to work in all different certificates. --------
Alan Buxey does your RADIUS server cert have a CRLDP defined?
Yes, we have a proper CRLDP defined in the certs? Our cert is generated by internal PKI system.
most of the settings are documented out there as requirements. however, the certs generated as 'test/example' certs with a fresh install of FreeRADIUS work - you just need to ensure that the provided CA is installed/imported onto the device. so, use eg openssl and compare your certs to those provided by FreeRADIUS alan On 3 July 2017 at 07:22, Burn Zero <burnzerog@gmail.com> wrote:
Hi,
Try using different certificates. i.e. the ones created by the server when it's first installed. You'll need to run tests to see which certificates are acceptable by the phones.
Alan DeKok.
Sorry for the long time delay. I tried different certificates but still the same issue. Android / Apple continue to work in all different certificates.
--------
Alan Buxey does your RADIUS server cert have a CRLDP defined?
Yes, we have a proper CRLDP defined in the certs? Our cert is generated by internal PKI system. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Jul 4, 2017 at 12:04 AM, Alan Buxey <alan.buxey@gmail.com> wrote:
most of the settings are documented out there as requirements. however, the certs generated as 'test/example' certs with a fresh install of FreeRADIUS work - you just need to ensure that the provided CA is installed/imported onto the device.
so, use eg openssl and compare your certs to those provided by FreeRADIUS
I tried the default certificates too and I get the same error: ERROR: eap_peap: We sent a success, but the client did not agree
Hi All, An update. Finally got it working. I installed the Freeradius 3.0.14 version clean ( previously I think it didn't make it so clean) and it just worked. Then I compared my production server settings with the default one and made the required changes and it works in production too. Thanks a lot.
For the benefit of future users with same issues who come across this mailing list thread after a Google search it would be nice if you briefly noted what the issue was that fixed your clients in case they have similar issues (though it's good to know that the default config works! :) ) alan On 6 Jul 2017 12:02 pm, "Burn Zero" <burnzerog@gmail.com> wrote:
Hi All,
An update. Finally got it working. I installed the Freeradius 3.0.14 version clean ( previously I think it didn't make it so clean) and it just worked. Then I compared my production server settings with the default one and made the required changes and it works in production too.
Thanks a lot. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
For the benefit of future users with same issues who come across this mailing list thread after a Google search it would be nice if you briefly noted what the issue was that fixed your clients in case they have similar issues (though it's good to know that the default config works! :) )
Yea, the default config just works :) Regarding the fix its just a simple config edit but it took longtime to find out because my production config was working with Apple and Android except windows phone. So after comparing the default inner-tunnel file with the production inner-tunnel file, sites-available/inner-tunnel: in the authorize section this was commented, but then I removed the comment and enabled it. eap { ok = return } Then in the authenticate section, I added mschap again before the eap. authenticate { Auth-Type MS-CHAP { mschap } mschap eap } } This modification worked. Thank you.
participants (3)
-
Alan Buxey -
Alan DeKok -
Burn Zero