1 client unable to authenticate via EAP-TLS
Hello, I have one client that is having a problem authenticating via wireless EAP-TLS. The client is a Windows XP SP2 computer using a an internal Dell wireless card. The client associates with the access point-a Cisco Aironet 1130-but is continually reports an "attempting to authenticate" message. After, performing a "radiusd -X", I do not see any EAP-start messages; I see the following: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation I continually see these messages for this particular client and subsequently do not see Freeradius process the certificate. Any clues on what may be going on. I am using version 1.1.0. Is any more info needed that I can provide? Below is the log of the EAP conversation: Thank you. ______________________________________________________________________________________________________________________________________________________________________ Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.200.249:32768, id=226, length=175 User-Name = "vallent.com" Calling-Station-Id = "00-90-96-AF-7D-D4" Called-Station-Id = "00-15-2C-49-D6-40:2xe1zpK0" NAS-Port = 4 NAS-IP-Address = 192.168.200.249 NAS-Identifier = "bvwlc01" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x025200060d00 State = 0xed546982f4966349530000881730f5c2 Message-Authenticator = 0x2d0b467fefd65f09ef445907438841a0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 modcall[authorize]: module "chap" returns noop for request 14 modcall[authorize]: module "mschap" returns noop for request 14 rlm_realm: No '@' in User-Name = "vallent.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 14 rlm_eap: EAP packet type response id 82 length 6
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
modcall[authorize]: module "eap" returns updated for request 14 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 14 modcall: leaving group authenticate (returns handled) for request 14 Sending Access-Challenge of id 226 to 192.168.200.249 port 32768 EAP-Message = 0x0153040a0dc0000008bd79fa9a8201851f5f94cd707d99f056471b3463d26d105fd500040830820404308202eca003020102020900b257df81a5c93eb0300d06092a864886f70d0101050500308182310b3009060355040613025553311330110603550408130a57617368696e67746f6e311c301a060355040a131356616c6c656e7420436f72706f726174696f6e3121301f06035504031318636572742e62762e616d65722e76616c6c656e742e636f6d311d301b06092a864886f70d010901160e69744076616c6c656e742e636f6d301e170d3036303132363139333733365a170d3039303132353139333733365a308182310b30090603550406 EAP-Message = 0x13025553311330110603550408130a57617368696e67746f6e311c301a060355040a131356616c6c656e7420436f72706f726174696f6e3121301f06035504031318636572742e62762e616d65722e76616c6c656e742e636f6d311d301b06092a864886f70d010901160e69744076616c6c656e742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e11a94e572aaf07801e8ed2702e2f5cf02a30420b854889d760ba754643aee948ed331fbe5a2a24af3a28bba69c8b6d85761972db0be17dff91e4228d19446e932837768eea8bdb65cc712932ff5b5eecc13f763db7d984b925eb47b7c0094db3ac765 EAP-Message = 0x8e38c4bd7d729957fe0c42343aa678872e499c04db70cbdc528f48f0ca93921e434ea7ac11a9a4fd857ba8507589063cc311370fcd6477e3bd4fadb89e842a64d10bf2d1f9deadbf8b8d79a05821712ba49b0478c4c96d55a43031f9951a1def7e12541f1352d36654c06864a540ebafaf21a7744e53f02f78a6c82ff2d7676afea5c576b231829851f10dd1c477677cdaebc7d7f0bb4e170f16d9d7130203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604149070be5fdb372c09f54ecbabfecc4cdc979783 EAP-Message = 0x6d301f0603551d230418301680149070be5fdb372c09f54ecbabfecc4cdc9797836d300d06092a864886f70d010105050003820101000e3e63fd403f29af1912cf95540307a47087bba7cdee6a0657ba7a1f28fd148d93d081abda825b858d9d1351e33dca9b4d8d8f1941995e20173fe22def775aceabd13101ffb42eca6a6497c41e6985d78740173fe1ba1f76db32677053ffa87891213b7df0c2a9d339d61e2595d7658d1e1c3f8a0438a2f91f2cd9060a4b027da0cc75443be746fca0605a37155c84b9e1bff1f84b2f41328aba6b03e55d922a49f70df090d240b1a398fc8dd74aa2450661fbf3cb0d1986863cf41cd0f84366e52251a55a9f70 EAP-Message = 0x0d6b2a92d2b3579d7dfa7601e92a703d17d20f6b0bdf Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf82a664f4f7328b73ffccc1f1773d09c Finished request 14 Going to the next request E
"Terry Zarelli" <terry.zarelli@gmail.com> wrote:
I have one client that is having a problem authenticating via wireless EAP-TLS. The client is a Windows XP SP2 computer using a an internal Dell wireless card. The client associates with the access point-a Cisco Aironet 1130-but is continually reports an "attempting to authenticate" message. After, performing a "radiusd -X", I do not see any EAP-start messages; I see the following:
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
That isn't the problem. The problem is most likely that the certificates don't have the magic Microsoft OID's in them. Odds are your other systems that can authenticate aren't Windows, and therefore don't care about Microsoft nonsense. Alan DeKok.
Hi, first i wanna say thanks to all here fort he great helping setting up my radius as an part of my work at my Engineers-Exam work. Yesterday I finished my work and found my 2 Mistakes why computer authentication didnt wor properly at my network and now I wanna share this for you all here,knowing some of you are having still the same problems: First only the problem with machine authentication and after I passed my exams at 15.Juli I will post here an link to my whole Dokumentation describing how to set up my whole project including the following: An CA created with TinnyCA as frontend for openssl, freeradius @debian stable with EAP-TLS Support, LDAP-Backend for Dynamik VLAN Assignment Rules, VLAN Routing @ an Layer 3 Core Switch and finaly Clients 200,X?,Linux duing firstly an Machine Authentication(*tricky but possible*) pulled into and basically VLAN with the DHCP,DNS and ADS Servers in an separate Subnet and VLAN, then Users can log onto the domain, getting their final User-Certifikate, thrown into their final working vlan and getting the final Subnet from the DHCP. This workes now great put firstly only the main problem, the machine certificates. What you hav e to do if you create it with TinyCA to get working Certifikates for machine Authentication in a short sequenze and where are the problems I figured out. OK setting up TinyCA is easy and the binding to freeradius is describeld here a lot. The final Steps are the following especially for Windows: Under Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 at the ServerCertifikate into ExtendedKey usage, and the 1.3.6.1.5.5.7.3.2 into Client Certifikate Extended Key Usage. This is basically and essential for successful authentication but not all. For machine authentication create an client Certifikate and now the real important things. 1. The CN Name has to match with the local Computer name only or as an full qualified name of the computer,both is possible. 2. The Email field MUST!!!! Be filled in the full qualified Computer name like workstatio1.exampledomain.de This entry is important for machine authentication because Windows XP searches for the field subjectAltName to find the certificate in the computer store. If this issent present authentication failes first time and after the internal counter of xp expire the second autjentication is successful(why??) But ok, add this and all is fine. In the openssl.cnf of TinnyCA you can see that the Email field is copied to the field subjectAltName. I will write a letter to the developer of TinnyCA if he could make a separate field for this.... Export the certificate as PKS12 an check include certificate and fingerprint (if fingerprint is important I will figure out later and tell you,havent found time checking this) but the Key must be included. And the last thing is that you have to import the computercertifikate not per doubleclick (In this case the certificated is stored at the CurrentUser Store and you have to copy it over mmc to the computer store, but this doesnt work, the certificate isnt correctly found if you do this that way!!!!!) Best ist to open mmc,doing a snap in of LocalComputer and the go to "Eigene Certifikate, right click onto it,All Tasks,import" then import the certificate and now you have the ca.certifikate and your computer certificate in the Store, now you have finaly to move the ca Certifikate into the root CertifikateStore under your ComputerAccountStore. Thats all at the mmc. Then go to the preferences of your network connection, Authentifikation tab, EAP-Tpye Propperties and at the list you have to check "Check Servercertifikate" uncheck Connect to this Server(this is optional) and at the list check your CA. If you also have a User Certifikate installed you will find there your CA 2 times. It is not important which you select, one should be enough. Finaly I can say what was here discussed you dont have to set another OID which is discussed here at one thread and you only have to change your registry if you have special requiremens to the authentication behaviors. The Basic setting of registry seams to be enough. I added the SupplicantMode DWORD with a value of 3 but this only seams to get start authentication faster than without but is not essential for basic setup. OK this is only an small dirty description for the first time, a better one will follow soon. But I thought many of you struggling over this and it would be good posting this fast. Sorry for typing mistakes, may someone will correct this :-) @Alan: Is their an interest posting my doku to the wiki, I can send the final document to you! Greetings and good luck Armin
On Sat, May 20, 2006 at 09:01:29AM +0200, Kr?mer Armin wrote: hi armin i am trying to configure eap-tls windows machine authentication, i am using openssl to create certificates, i have created the servers certificates with OID 1.3.6.1.5.5.7.3.1, and client certificates with OID 1.3.6.1.5.5.7.3.2 extensions i am "trying" to follow the real important things:
For machine authentication create an client Certifikate and now the real important things. 1. The CN Name has to match with the local Computer name only or as an full qualified name of the computer,both is possible. 2. The Email field MUST!!!! Be filled in the full qualified Computer name like workstatio1.exampledomain.de
please will you send me certificate extensions running openssl x509 -in valid_certificate -text -noout -fingerprint -sha1 thanks in advance alfonso
Hi,
first i wanna say thanks to all here fort he great helping setting up my radius as an part of my work at my Engineers-Exam work.
Yesterday I finished my work and found my 2 Mistakes why computer authentication didnt wor properly at my network and now I wanna share this for you all here,knowing some of you are having still the same problems:
First only the problem with machine authentication and after I passed my exams at 15.Juli I will post here an link to my whole Dokumentation describing how to set up my whole project including the following:
An CA created with TinnyCA as frontend for openssl, freeradius @debian stable with EAP-TLS Support, LDAP-Backend for Dynamik VLAN Assignment Rules, VLAN Routing @ an Layer 3 Core Switch and finaly Clients 200,X?,Linux duing firstly an Machine Authentication(*tricky but possible*) pulled into and basically VLAN with the DHCP,DNS and ADS Servers in an separate Subnet and VLAN, then Users can log onto the domain, getting their final User-Certifikate, thrown into their final working vlan and getting the final Subnet from the DHCP. This workes now great put firstly only the main problem, the machine certificates.
What you hav e to do if you create it with TinyCA to get working Certifikates for machine Authentication in a short sequenze and where are the problems I figured out.
OK setting up TinyCA is easy and the binding to freeradius is describeld here a lot.
The final Steps are the following especially for Windows:
Under Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 at the ServerCertifikate into ExtendedKey usage, and the 1.3.6.1.5.5.7.3.2 into Client Certifikate Extended Key Usage.
This is basically and essential for successful authentication but not all.
For machine authentication create an client Certifikate and now the real important things. 1. The CN Name has to match with the local Computer name only or as an full qualified name of the computer,both is possible. 2. The Email field MUST!!!! Be filled in the full qualified Computer name like workstatio1.exampledomain.de
This entry is important for machine authentication because Windows XP searches for the field subjectAltName to find the certificate in the computer store. If this issent present authentication failes first time and after the internal counter of xp expire the second autjentication is successful(why??) But ok, add this and all is fine. In the openssl.cnf of TinnyCA you can see that the Email field is copied to the field subjectAltName. I will write a letter to the developer of TinnyCA if he could make a separate field for this....
Export the certificate as PKS12 an check include certificate and fingerprint (if fingerprint is important I will figure out later and tell you,havent found time checking this) but the Key must be included.
And the last thing is that you have to import the computercertifikate not per doubleclick (In this case the certificated is stored at the CurrentUser Store and you have to copy it over mmc to the computer store, but this doesnt work, the certificate isnt correctly found if you do this that way!!!!!) Best ist to open mmc,doing a snap in of LocalComputer and the go to "Eigene Certifikate, right click onto it,All Tasks,import" then import the certificate and now you have the ca.certifikate and your computer certificate in the Store, now you have finaly to move the ca Certifikate into the root CertifikateStore under your ComputerAccountStore.
Thats all at the mmc.
Then go to the preferences of your network connection, Authentifikation tab, EAP-Tpye Propperties and at the list you have to check "Check Servercertifikate" uncheck Connect to this Server(this is optional) and at the list check your CA. If you also have a User Certifikate installed you will find there your CA 2 times. It is not important which you select, one should be enough.
Finaly I can say what was here discussed you dont have to set another OID which is discussed here at one thread and you only have to change your registry if you have special requiremens to the authentication behaviors. The Basic setting of registry seams to be enough. I added the SupplicantMode DWORD with a value of 3 but this only seams to get start authentication faster than without but is not essential for basic setup.
OK this is only an small dirty description for the first time, a better one will follow soon. But I thought many of you struggling over this and it would be good posting this fast. Sorry for typing mistakes, may someone will correct this :-)
@Alan: Is their an interest posting my doku to the wiki, I can send the final document to you!
Greetings and good luck
Armin
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
alfonso.lazaro@eresmas.com -
Krämer Armin -
Terry Zarelli