What kind of error in client-cert using EAP?
Hi, I have trouble with one XP-SP2 client, using a certificate to make 802.1x Auth over EAP-TLS. The cert is a machine cert. On the serverside I get this (using -X -A) in authenticate: modcall: entering group authenticate for request 33 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ef8], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 33 modcall: leaving group authenticate (returns handled) for request 33 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0125040a0dc00000100e1[...] Which indicates that there is a problem in the client-cert. Can it be more detailed? I exported the cert and the key now 4 times in different manners (as p12, as der) and the errors is still there. Extended attribute is also included. The funny thing is, that I already have 5 XP machines running in my network, doing an EAP-TLS auth over the switch. It means also that in my authorize section (Auth-Type := EAP) I can get a Access-Accept Message. On the server I get the Access-Requests, create a Access-Challenge and thats all. Theres nothing coming back from the client. Please help Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Alexandros Gougousoudis <gougousoudis@kh-berlin.de> wrote:
TLS_accept:error in SSLv3 read client certificate A
...
Which indicates that there is a problem in the client-cert.
No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem. For PEAP and TTLS, there *is* no client cert.
It means also that in my authorize section (Auth-Type := EAP)
Can you explain why you're doing this? All of the server documentation, and many posts on this list say it's wrong. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
We've got the same error here... but it's not terminal we use eap+tls (wpa-enterprise). server has certificate, but (as alan mentioned) there is no client certificate it's also not needed. so you can ignore the error if you use eap+tls (peap - mschapv2 + user/pass) i did use Auth-Type := eap , and it does work with our server so, dunno why you have to leave this out. my guesses is that you have an other problem.... can you be more explicit what the trouble is... Cheers Collen. Alan DeKok wrote:
Alexandros Gougousoudis <gougousoudis@kh-berlin.de> wrote:
TLS_accept:error in SSLv3 read client certificate A
...
Which indicates that there is a problem in the client-cert.
No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem.
For PEAP and TTLS, there *is* no client cert.
It means also that in my authorize section (Auth-Type := EAP)
Can you explain why you're doing this? All of the server documentation, and many posts on this list say it's wrong.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
We've got the same error here... but it's not terminal
But I don't get this error on a conversation which leads to an Access-Accept. I think because you're doing a username/password login for your Wireless-Clients, you need to use as written PEAP and MSCHAPV2. Usernames and passwords have for us no meaning, because we use Radius to protect our Ethernet-Ports, so that only approved (by us) computers can be connected. I don't care about the user logging into that PC. Thats why I don't need a passphrase.
it's also not needed. so you can ignore the error if you use eap+tls (peap - mschapv2 + user/pass)
i did use Auth-Type := eap , and it does work with our server so, dunno why you have to leave this out.
The server creates over and over again an access-challenge in the authorize section. Unfortunately I'am ill and not at work today and tomorrow . I'll post a log from a W2K client connecting wihtout problems and one with problems. cu Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Collen Blijenberg <collen@mail.hermanjordan.nl> wrote:
we use eap+tls (wpa-enterprise). server has certificate, but (as alan mentioned) there is no client certificate it's also not needed. so you can ignore the error if you use eap+tls (peap - mschapv2 + user/pass)
Please be careful with terminology. EAP-TLS is an EAP type that requires client certificates. PEAP (not 'eap+tls') is a different EAP type.
i did use Auth-Type := eap , and it does work with our server so, dunno why you have to leave this out. my guesses is that you have an other problem.... can you be more explicit what the trouble is...
Please see the comments in eap.conf. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello Alan, Alan DeKok schrieb:
No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem.
Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing else, than on the other machines where it works since 2 weeks. Just to make it explicit: I create a user-cert in TinyCA2(linux). I export the cert as a p12 and include the key and the CA into that p12 container. I also disable the passphrase. I put that file on the network where the client can find it. On the client I open the MMC as local admin and include the Snap-In Certificates for Local-Computers. Then I import the created cert into My-Certificates and copy the CA-Cert into the "trusted certification centers" tree (it's in german). It worked for another 2 W2K PCs and for four XP-Pro-SP2 PCs. The APs are Linksys Switches and they do what they should.
For PEAP and TTLS, there *is* no client cert.
I use EAP-TLS for machine-authentication (In Windows the "Smartcard or Certificate" Authentification).
It means also that in my authorize section (Auth-Type := EAP) Can you explain why you're doing this? All of the server documentation, and many posts on this list say it's wrong.
Because if I do only a machine-authentication, every machine which has a valid cert can connect to the network. If I write the explicit hostname in the users file, I have more control over the single clients connecting. If they are not in the list, they're not allowed to connect, regardless if they have a valid cert or not. I think it could be done more elegant using crls, but I'am not yet at this point. I try to understand why one PC can connect and the other one can not, although I did the same procedure. Thanks for your help Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Hello Alan,
Alan DeKok schrieb:
No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem.
Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing else, than on the other machines where it works since 2 weeks.
Just to make it explicit: I create a user-cert in TinyCA2(linux). I export the cert as a p12 and include the key and the CA into that p12 container. I also disable the passphrase. I put that file on the network where the client can find it.
I have a similar configuration working (EAP-TLS for XP and TinyCA generated certs). I found out that the way certificates are created is important. Can you check the following procedure (something I have already posted this to you in this list, sorry for reposting it ;-) ). --------------------------------------------- * Create a certificate per host: - cn must contain the Netbios name of the PC - the extension SubjectAltName must contain the Netbios name of the PC (I think) - The field Extended Key Usage must contain the option 'TLS Web Client Authentication' (OID 1.3.6.1.5.5.7.3.2) - Note that the Radius server's certificate must contain the 1.3.6.1.5.5.7.3.1 extension - The certificate can be exported into a PKCS12 file .p12 (this includes the private key). The certificate MUST be installed in the HOST CERTIFICATE STORE (simply double clic the file will NOT work): Run 'mmc' and Add the Snap-in 'Certificate>Local Computer', then in the private folder import the .p12 file and in the Trusted Root CA the CA certificate). -------------------------------- Can you check the Netbios names and CN correspondance ? I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this ?
On the client I open the MMC as local admin and include the Snap-In Certificates for Local-Computers. Then I import the created cert into My-Certificates and copy the CA-Cert into the "trusted certification centers" tree (it's in german). It worked for another 2 W2K PCs and for four XP-Pro-SP2 PCs.
This is ok, but are the certificates _exactly_ generated in the same way ? Can you post 2 certificates: one which is working, another the is not ? Could you also check the certs validity date and System Time of your hosts ? HTH, Thibault
I don't know if my chiming in will make a difference or not. But windows can authenticate with a machine certificate or a user certificate.... If you're doing the machine certificates, please say so, I'm a little confused as to what exactly you are doing now. -Bob Thibault Le Meur wrote:
Hello Alan,
Alan DeKok schrieb:
No. It means that there is NO client cert. The authentication process continues, so it's obviously not a catastrophic problem.
Is it simply not sent, or somehow not available? Because I know for sure that there is a cert on the client. And I did nothing else, than on the other machines where it works since 2 weeks.
Just to make it explicit: I create a user-cert in TinyCA2(linux). I export the cert as a p12 and include the key and the CA into that p12 container. I also disable the passphrase. I put that file on the network where the client can find it.
I have a similar configuration working (EAP-TLS for XP and TinyCA generated certs). I found out that the way certificates are created is important. Can you check the following procedure (something I have already posted this to you in this list, sorry for reposting it ;-) ).
--------------------------------------------- * Create a certificate per host: - cn must contain the Netbios name of the PC - the extension SubjectAltName must contain the Netbios name of the PC (I think) - The field Extended Key Usage must contain the option 'TLS Web Client Authentication' (OID 1.3.6.1.5.5.7.3.2) - Note that the Radius server's certificate must contain the 1.3.6.1.5.5.7.3.1 extension - The certificate can be exported into a PKCS12 file .p12 (this includes the private key). The certificate MUST be installed in the HOST CERTIFICATE STORE (simply double clic the file will NOT work): Run 'mmc' and Add the Snap-in 'Certificate>Local Computer', then in the private folder import the .p12 file and in the Trusted Root CA the CA certificate). --------------------------------
Can you check the Netbios names and CN correspondance ?
I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this ?
On the client I open the MMC as local admin and include the Snap-In Certificates for Local-Computers. Then I import the created cert into My-Certificates and copy the CA-Cert into the "trusted certification centers" tree (it's in german). It worked for another 2 W2K PCs and for four XP-Pro-SP2 PCs.
This is ok, but are the certificates _exactly_ generated in the same way ?
Can you post 2 certificates: one which is working, another the is not ?
Could you also check the certs validity date and System Time of your hosts ?
HTH, Thibault
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't know if my chiming in will make a difference or not.
But windows can authenticate with a machine certificate or a user certificate....
If you're doing the machine certificates, please say so, I'm a little confused as to what exactly you are doing now.
I don't now if you're asking this to me or to Alexandros. The setup I propose corresponds to a machine authentication (Windows XP authenticates automatically at startup time) and not to a user authentication. The complete setup is explained in this previous post http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg28499.h... I thought this was Alexandros's case as well as he wrote: "I do only a machine-authentication, every machine which has a valid cert can connect to the network... I write the explicit hostname in the users file" Alexandros do you confirm that you are not trying to authenticate the user, but only the host at boot time ? Thibault
Hi, Thibault Le Meur schrieb:
Alexandros do you confirm that you are not trying to authenticate the user, but only the host at boot time ?
Exactly. The hosts need to be authentified, we simply do that to protect the Ethernetports of the switch. Our students plug in their equipment otherwise (like an WLAN-AP) and danger our net. cu Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Hi, it works now. Thanks Thibault, you saved my day, again! :-)
- the extension SubjectAltName must contain the Netbios name of the PC (I think)
This had no meaning in my tests. Anyway, there must be chosen a type of that field. Did you take DNS-Name, Email or Raw? I took now DNS-Name, but in another case there was an email in that field and the systems authetifies without problems. So I think you can leave this field out.
I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this ?
Yupp, this was the mistake. It is somehome on by default. I switched it off and created new certs as you wrote and the XP Machine works now too. Hell, I gonna print your mail and hang it in front of me.
This is ok, but are the certificates _exactly_ generated in the same way ?
Obiously not. As I made the same mistake over and over again. I have now only the problem of one W2K Machine, not even asking the Radius-Server. I assume it's some kind of inkompatibilty of drivers or NIC. Thanks for your help: Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif cu Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Hi,
it works now. Thanks Thibault, you saved my day, again! :-)
You're welcome
- the extension SubjectAltName must contain the Netbios name of the PC (I think)
This had no meaning in my tests. Anyway, there must be chosen a type of that field. Did you take DNS-Name, Email or Raw?
I use DNS-Name
I took now DNS-Name, but in another case there was an email in that field and the systems authetifies without problems. So I think you can leave this field out.
Ok.
I've seen that you integrate the emailaddress in the subject (an option in TinyCA): can you disable this ?
Yupp, this was the mistake. It is somehome on by default. I switched it off and created new certs as you wrote and the XP Machine works now too. Hell, I gonna print your mail and hang it in front of me.
The problem is that Microsoft doesn't describe exactly how certificates must be generated in order to have host authentication nor how the EAP request is made (using host/Netbios-name as the identity). This is because (I presume), they want us to use IAS and their certificate management software.
This is ok, but are the certificates _exactly_ generated in the same way ?
Obiously not. As I made the same mistake over and over again. I have now only the problem of one W2K Machine, not even asking the Radius-Server.
I'm not sure this will be an issue on the radius server.
I assume it's some kind of inkompatibilty of drivers or NIC.
I don't think so. I think it's Windows XP that doesn't recognize the host certificate as a valid one because its "subject" doesn't match exactly the netbios name of the host.
Thanks for your help:
Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif
Thanks, could you send me a fridge as well to keep them fresh... It's hot in my office today ;-). Thibault.
participants (5)
-
Alan DeKok -
Alexandros Gougousoudis -
Collen Blijenberg -
Robert Myers -
Thibault Le Meur