Hi, I'am still having some problems using EAP-TLS with SP3 on XP. Though I have a partly solution, after excessive googeling. I will provide it here, because I think a lot of people must have the same problems and if they're using Freeradius, they will probably look here. I found that you can't use a registry patch anymore to enable a machine-based authentification. You need to use XML Files to make a profile and load it within XP. MS explained that very well in: http://support.microsoft.com/?scid=kb%3Ben-us%3B929847&x=16&y=10 You need to do it that way, regardless if you have a wired or wlan setup. So I was very excited, but it's still not working. My radiusd -X -A shows exactly nothing, if XP reboots, there is no ongoing conversation or an error. So I enabled debug logging in xp and found some interessting lines. I thought, because radius isn't writing anything to the screen, that XP isn't sending anything that was wrong. OneXModule.LOG says (only quoting lines with "error"): [1516] 01-22 14:19:31:093: Port(2): 802.1X authentication failed with reason = "Empfang eines expliziten Eap-Fehlers" and error code = 0x40420110 ... [1516] 01-22 14:19:31:109: (MarshallEapError:1392) Allocated memory 000E1E00, size = 432 ... [1512] 01-22 14:19:31:109: (FreeEapError:1302) Freed memory 000CA730 [1512] 01-22 14:19:31:109: (FreeEapError:1303) Freed memory 000CCFC0 [1512] 01-22 14:19:31:109: (FreeEapError:1304) Freed memory 000CAC60 ... [1904] 01-22 14:19:49:250: Port(3): Received a failure indication from the local Eap dll with error code 0x40420110 and reason code 0x40420110 [1904] 01-22 14:19:49:250: Port(3): Eap error info contains winError=0x40420110, reasonCode=0x40420110, EapMethod(Type=0), rootCauseString=Fehler bei der Authentifizierung, weil ein Problem mit dem Benutzerkonto besteht. [1904] 01-22 14:19:49:250: (DuplicateEapError:1320) Allocated memory 000C6290, size = 80 The rootCauseString means: "Error with authentification, because there is a problem with the useraccount". The errorcode is unkown to google. EAPOL.LOG says: [1148] 14:18:17:781: ElRegistryUpdateXPBeta2: Error in RegOpenKeyEx for base key, 2 [1148] 14:18:17:828: ElUpdateRegistry: ElRegistryUpdateXPBeta2 failed with error 2 [1148] 14:18:17:828: QEC Init succeeded with dwRetCode = 0 [1148] 14:18:17:828: ElMediaInit: Entered [1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszSupplicantMode, 2, InfoSize=4 [1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheMode, 2, InfoSize=4 [1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheTTL, 2, InfoSize=4 [1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheSize, 2, InfoSize=4 [1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for PreauthMode, 2, InfoSize=4 [1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for PreauthTimeout, 2, InfoSize=4 [1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPreauthThrottle, 2, InfoSize=4 ... [1148] 14:18:17:921: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (0) with error (1702) [1148] 14:18:17:921: ElGetWinStationUserToken: GetCurrentUserTokenW failed with error (1245) ... So whats the problem? Is there some kine of Registry hassle? I took a new PC with a new XP Pro (inkl. SP3) installed. There are no old leftovers. So eap looks very buggy and beta. The certs are ok, they work with XP SP2, so why doesn't want SP3 it? I'am using now Freeradius 1.1.6 (I had 1.1.0) and made no changes to my setup or config files, since XP SP2, Win2000 and Linux authenticate without problems. Do I have to change something in Freeradius to make it work, beside upgrade the version? Is anyone around here doing an EAP-TLS with XP SP3 machines? Please give a hint. I'd love to owe you a beer. :-) TIA Alex
So whats the problem? Is there some kine of Registry hassle? I took a new PC with a new XP Pro (inkl. SP3) installed. There are no old leftovers. So eap looks very buggy and beta. The certs are ok, they work with XP SP2, so why doesn't want SP3 it?
I'am using now Freeradius 1.1.6 (I had 1.1.0) and made no changes to my setup or config files, since XP SP2, Win2000 and Linux authenticate without problems. Do I have to change something in Freeradius to make it work, beside upgrade the version?
You should upgrade to the latest version. If that doesn't cure it, try making client certificate signed by the CA and not server certificate. Ivan Kalik Kalik Informatika ISP
Hi Ivan, tnt@kalik.net schrieb:
You should upgrade to the latest version. If that doesn't cure it, try making client certificate signed by the CA and not server certificate.
I had 2.1.3 running a week ago, but it didn't work also. But I wasn't sure about the configs. Unfortunately the documentation is bad. Any hints? Someone on this list recommended me to upgrade to 1.1.7 to make it work (wasn't it you? :-) ), but it doesn't work. The certs shouldn't be the problem. On the clients I have a client cert with right extended-usage and the server has a server-cert with the right attributes. In XP the certmgr says it's for Clientauthentification. They worked with SP2. But I also tried to install a server-cert with client-extended-usage, also no success. I'am a bit worried about the registry-errors in the logs I've posted. I can't believe that I'am the first one who tried to authenticate an XP SP3 machine with EAP-TLS to Freeradius. I mean, XP has a market-domincnce of >95% and this problem should also occur if you authenticate via WLAN. So there must be a solution and I'am doing something terrebly wrong. I'd like to hear from at least one person that it works. At the moment I believe XP SP3 is incompatible to Freeradius. Thanks Alex
The certs shouldn't be the problem. On the clients I have a client cert with right extended-usage and the server has a server-cert with the right attributes. In XP the certmgr says it's for Clientauthentification. They worked with SP2. But I also tried to install a server-cert with client-extended-usage, also no success. I'am a bit worried about the registry-errors in the logs I've posted.
It looks like SP3 will not allow server certificate to be used as intermediate CA.
I can't believe that I'am the first one who tried to authenticate an XP SP3 machine with EAP-TLS to Freeradius. I mean, XP has a market-domincnce of >95% and this problem should also occur if you authenticate via WLAN. So there must be a solution and I'am doing something terrebly wrong.
Try signing client certificates with the ca certificate. I have included modified Makefile for 2.1.3. I have added "make caclient.pem" to produce client certificates and "cleanca" to remove them. Try importing caclient.p12 created this way onto the user machine (along with ca.der) and see if they will work with SP3. They should work with SP2 as well. Ivan Kalik Kalik Informatika ISP
I'd like to hear from at least one person that it works. At the moment I believe XP SP3 is incompatible to Freeradius.
Thanks Alex - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan,
Try signing client certificates with the ca certificate. I have included modified Makefile for 2.1.3. I have added "make caclient.pem" to produce client certificates and "cleanca" to remove them. Try importing caclient.p12 created this way onto the user machine (along with ca.der) and see if they will work with SP3. They should work with SP2 as well.
Thanks for your reply, but that is already what I do. I have created a CA in TinyCA and the server has a signed server-cert and each client has a signed client-cert (both with the XP specific usage attributes). The CA is of course imported into the trusted authorities branch. The CN ist the Computername (because I'am doing a machine-based auth). The certmgr in XP says it's a valid and trusted cert. That's how it worked in SP2. I compared your example-cert with my cert and I can't see a significant difference. Look here for my client-cert: Certificate: Data: Version: 3 (0x2) Serial Number: 127 (0x7f) Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de Validity Not Before: Jan 16 14:24:44 2009 GMT Not After : Jan 15 14:24:44 2014 GMT Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=HFS-PA-140109-2 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) Modulus (4096 bit): 00:a8:74:46:34:9e:7d:1d:45:71:0d:35:d8:48:ea: [...] 39:72:cf:d8:e5:c8:6c:2e:7f:95:1d:6b:cb:49:78: 6f:94:4b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: TinyCA Generated Certificate X509v3 Subject Key Identifier: DA:29:47:A5:D0:34:CC:D1:94:86:98:A4:65:68:C5:1D:F7:9C:E8:D5 X509v3 Authority Key Identifier: keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de serial:89:0D:6F:61:AC:0C:E0:05 X509v3 Issuer Alternative Name: email:sc-it@kh-berlin.de X509v3 Subject Alternative Name: DNS:HFS-PA-140109-2 X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: critical TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption 10:c4:7c:60:3f:d2:44:de:8b:79:01:d9:ce:3d:0e:af:59:c9: [...] f7:80:cc:0f:42:db:b3:fd Don't know what to do. Have you tried a machine-based EAP-TLS with SP3? TIA Alex
Alexandros Gougousoudis a écrit :
Hi Ivan,
Try signing client certificates with the ca certificate. I have included modified Makefile for 2.1.3. I have added "make caclient.pem" to produce client certificates and "cleanca" to remove them. Try importing caclient.p12 created this way onto the user machine (along with ca.der) and see if they will work with SP3. They should work with SP2 as well.
Thanks for your reply, but that is already what I do. I have created a CA in TinyCA and the server has a signed server-cert and each client has a signed client-cert (both with the XP specific usage attributes). I had an issue once when using client certs generated with TinyCA, this was due to the fact that, by default, TinyCA includes the emailAddress in the DN subject.
Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de
Your CA cert's DN includes the emailAddress, though this was not exactly the issue I had (mine was related to the client certs), I would recommend not adding this emailAddress to the DN and test again. HTH, Thibault
Hi Thiebault, you saved me. AGAIN! :-) That was the clue, not including the Email in the DN, just saying no in TinyCA was the first step to the solution. XP SP3 took then the cert for auth. @Ivan: Thanks for your reply, but it's not an TinyCA issue. Second step was, that 2000/XP <= SP2 converted the Computername to lowercase (mine are uppercase), so I had all entries in the users file in lowercase. SP3 sends the computername in uppercase (also in the client-cert). So after your hint I got Mon Jan 26 13:29:11 2009 : Auth: Login incorrect: [host/HFS-PA-140109-1] (from client hfs-schneller port 24) showing that XP accepted the cert. After changing the hostname to uppercase in the usersfile i got: Mon Jan 26 13:49:20 2009 : Auth: Login OK: [host/HFS-PA-140109-1] (from client hfs-schneller port 24) And of course don't forget to assign the right profile XML to the LAN Adapter for machinebased auth.
Your CA cert's DN includes the emailAddress, though this was not exactly the issue I had (mine was related to the client certs), I would recommend not adding this emailAddress to the DN and test again.
Thanks! cu Alex (who hates Microsoft for changing important things silently)
Hi, just to give an update on my efforts to make XP SP3 work with EAP-TLS. Machine based EAP-TLS authentification works for WIRED connections fine, as I wrote in the last mail. BUT that doesn't mean that it works for wireless connections. :-) Before SP3 there wasn't a problem with that, with this alphaversion of service pack, it's not working. First of all, the things you need to do with the network-adapters profiles, using the netsh command aren't working in XP with wlan profiles, simply because the netsh command doesn't know "netsh wlan ..." (you get an error), Vista knows that context, XP SP3 not. So there is a Freeware utility zwlancfg here http://www.engl.co.uk/products/zwlancfg/index.html Get that and you can export and import the wlan profiles. But setting the authentification to <authMode>machine</authMode> as with wired connections, won't work. You always get a "no certificate found" error (the cert which is ok for wired connections!) and no connection. If the tool zwlancfg is setting up the connection manually, you get an "illegal authmode" error. So you need to have setup the connection to an machineOrUser authmode. It seems there is no machine authmode in XP SP3 anymore. As written by MS here: http://msdn.microsoft.com/en-us/library/ms706279.aspx "This element is optional. When authMode is not specified in a profile, a value of |machineOrUser| is used. *Windows XP with SP3 and Wireless LAN API for Windows XP with SP2: *This element will be ignored if it is present in a profile" But stop! It's not that easy. :-) Because it's Microsoft, it always works a little, but never 100%. If no user is logged in (= Loginscreen), the connection is established (seen in the Radius log). If a user logs in, the connection is dropped and you get a "no cert" error. If the machine cert is included in the users context, using the cert-mgr, the connection is again established. So I have to install the machine cert for each user, which will login into the computer. And, hey, did I say that machine based EAP-TLS auth via WLAN worked in SP2, despite the MS information? It's definately not an Freeradius problem, but most people will look here to solve the problem. After a lot of googleing I found, that I must be the only one with that combination and problems. So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista! I'll post my solution here either. If someone likes to give me a hint, I'll be happy. cu Alex
Alexandros Gougousoudis wrote:
Hi,
just to give an update on my efforts to make XP SP3 work with EAP-TLS.
Machine based EAP-TLS authentification works for WIRED connections fine, as I wrote in the last mail. BUT that doesn't mean that it works for wireless connections. :-) Before SP3 there wasn't a problem with that, with this alphaversion of service pack, it's not working.
First of all, the things you need to do with the network-adapters profiles, using the netsh command aren't working in XP with wlan profiles, simply because the netsh command doesn't know "netsh wlan ..." (you get an error), Vista knows that context, XP SP3 not. So there is a Freeware utility zwlancfg here http://www.engl.co.uk/products/zwlancfg/index.html
Get that and you can export and import the wlan profiles. But setting the authentification to
<authMode>machine</authMode>
as with wired connections, won't work. You always get a "no certificate found" error (the cert which is ok for wired connections!) and no connection. If the tool zwlancfg is setting up the connection manually, you get an "illegal authmode" error. So you need to have setup the connection to an machineOrUser authmode. It seems there is no machine authmode in XP SP3 anymore.
As written by MS here: http://msdn.microsoft.com/en-us/library/ms706279.aspx
"This element is optional. When authMode is not specified in a profile, a value of |machineOrUser| is used. *Windows XP with SP3 and Wireless LAN API for Windows XP with SP2: *This element will be ignored if it is present in a profile"
But stop! It's not that easy. :-) Because it's Microsoft, it always works a little, but never 100%. If no user is logged in (= Loginscreen), the connection is established (seen in the Radius log). If a user logs in, the connection is dropped and you get a "no cert" error. If the machine cert is included in the users context, using the cert-mgr, the connection is again established. So I have to install the machine cert for each user, which will login into the computer. And, hey, did I say that machine based EAP-TLS auth via WLAN worked in SP2, despite the MS information?
It's definately not an Freeradius problem, but most people will look here to solve the problem. After a lot of googleing I found, that I must be the only one with that combination and problems.
So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista!
I'll post my solution here either. If someone likes to give me a hint, I'll be happy.
cu Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I have been seeing the SAME thing, in a way, from my one XP home client (My laptop came with Vista, and I didn't care to move off it) and one day the WLAN connected into my Wireless network, next day it didn't. I suspected it was XP SP 3 but didn't dig too much into it, as wired worked. I tested the setup last night, and in short what I was seeing from my Radius (In debug mode: radiusd -X) was that the EAP-TLS was established, the user name was passed (but didn't match the proper realm, so that was discarded) and radius sent back a radius-challenge to my WAP, and then onto the client, and nothing ever came back. a few minutes later, I would get a Radius access request and repeat it, over and over and over. I get prompted for the proper certs, and so forth after tinkering with it for a little bit, but it still hasn't' connected. Frustrating problem that I haven't seen a solution to yet, which is similar to this problem, though slightly different.
~Seann
Thanks for your reply, but that is already what I do. I have created a CA in TinyCA and the server has a signed server-cert and each client has a signed client-cert (both with the XP specific usage attributes). The CA is of course imported into the trusted authorities branch. The CN ist the Computername (because I'am doing a machine-based auth). The certmgr in XP says it's a valid and trusted cert. That's how it worked in SP2.
I compared your example-cert with my cert and I can't see a significant difference.
You have to take it up with TinyCA people: "Development State: The current state is beta. So use at your own risk and please don't hesitate to report bugs... sm@sm-zone.net " We can help you with certificates generated by freeradius routines. Ivan Kalik Kalik Informatika ISP
participants (4)
-
Alexandros Gougousoudis -
Seann Clark -
Thibault Le Meur -
tnt@kalik.net