RADIUS wifi not working on Windows with domain users
Hello all, I've a problem in a school with computers connected to the school domain (I'm using samba). For private computers, there's no worry ; they are asked to enter a username/password to connect to the wifi and this works fine. But for laptops belonging to the domain, when I try to connect, no username/password is requested and the connection just fail. It seems this is a windows problem but I wonder If I can don something from the freeradius side ... thanks to all for your help -- Meilleures salutations – Freundliche Grüsse – Best regards MW*PROGRAMMATION*SA *Arnaud Forster* /Ingénieur systèmes// //Rue Charles Schäublin 2/ /CH-2735 Malleray/ /phone: +41 (0)32 491 65 30/ /fax: +41 (0)32 491 65 35/ /web: www.mwprog.ch <http://www.mwprog.ch/>/ /kb: kb.mwprog.ch <http://kb.mwprog.ch/>/
On Apr 9, 2018, at 9:32 AM, Forster Arnaud <arnaud.forster@mwprog.ch> wrote:
I've a problem in a school with computers connected to the school domain (I'm using samba). For private computers, there's no worry ; they are asked to enter a username/password to connect to the wifi and this works fine. But for laptops belonging to the domain, when I try to connect, no username/password is requested and the connection just fail.
The laptops have a machine account which is created in AD, and provisioned by AD to the laptops. They should be using this to connect to WiFi.
It seems this is a windows problem but I wonder If I can don something from the freeradius side ...
Read the debug output to see what happens when the laptop connects. Alan DeKok.
Hello Alan, Thanks for your answer. So I checked the log and the only thing I've when a computer belonging to the domain tries to connect is the following : Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional connection (24), 1 of 29 pending slots used Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read) So I tried to install the ca.der key on the windows client system but the error remains Thanks for your help Arnaud Le 09.04.2018 à 16:23, Alan DeKok a écrit :
On Apr 9, 2018, at 9:32 AM, Forster Arnaud <arnaud.forster@mwprog.ch> wrote:
I've a problem in a school with computers connected to the school domain (I'm using samba). For private computers, there's no worry ; they are asked to enter a username/password to connect to the wifi and this works fine. But for laptops belonging to the domain, when I try to connect, no username/password is requested and the connection just fail. The laptops have a machine account which is created in AD, and provisioned by AD to the laptops. They should be using this to connect to WiFi.
It seems this is a windows problem but I wonder If I can don something from the freeradius side ... Read the debug output to see what happens when the laptop connects.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 10, 2018, at 2:34 PM, Arnaud Forster <arnaud.forster@mwprog.ch> wrote:
Hello Alan,
Thanks for your answer. So I checked the log and the only thing I've when a computer belonging to the domain tries to connect is the following :
Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional connection (24), 1 of 29 pending slots used Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
So I tried to install the ca.der key on the windows client system but the error remains
Client doesn't know/trust the CA that signed your server certificate. -Arran
Yes but only for computer which are registered to the samba domains. For other ones there's no problem Le 10.04.2018 à 10:36, Arran Cudbard-Bell a écrit :
On Apr 10, 2018, at 2:34 PM, Arnaud Forster <arnaud.forster@mwprog.ch> wrote:
Hello Alan,
Thanks for your answer. So I checked the log and the only thing I've when a computer belonging to the domain tries to connect is the following :
Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional connection (24), 1 of 29 pending slots used Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
So I tried to install the ca.der key on the windows client system but the error remains Client doesn't know/trust the CA that signed your server certificate.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Yes but only for computer which are registered to the samba domains. For other ones there's no problem
With no problem, do you mean: - there's a box coming up on the first time, and the user can click "Connect", and then things work or - you are provisioning all the non-AD client devices with the needed CA and server name details, and they can connect automatically If the former, this in not "no problem" but a gaping security hole. If the latter: good job on the BYOD clients. Now, for the AD-joined machines, you probably you need to install the CA via GPOs and mark it as trusted for the *Wi-Fi* login use case. Just being in the generic CA trust store is *not* enough. Greetings, Stefan Winter
Le 10.04.2018 à 10:36, Arran Cudbard-Bell a écrit :
On Apr 10, 2018, at 2:34 PM, Arnaud Forster <arnaud.forster@mwprog.ch> wrote:
Hello Alan,
Thanks for your answer. So I checked the log and the only thing I've when a computer belonging to the domain tries to connect is the following :
Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional connection (24), 1 of 29 pending slots used Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
So I tried to install the ca.der key on the windows client system but the error remains Client doesn't know/trust the CA that signed your server certificate.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello Stefan and thanks for your help :) with no problem, means that a box in coming and I've to enter a username/password from my domain users. Once this is made, my username/password are stored and they are not requested anymore. In this case I didn't install any certificate of my computer. For computers registered into the domain, they are several cases : With windows 10 , I can connect if I do that before entering my username/password to start my session. Once my session started, I can't connect anymore. For Windows 7, as I can't connect before entering in a session, I tested 2 different situations : 1 with a local account and 1 with a domain account. In both cases I can't connect to my wifi and the certificate error is coming. My domain is a samba domain so I don't think (but not sure) I can use GPOs for this .. Thanks very much for your help Arnaud Le 10.04.2018 à 11:04, Stefan Winter a écrit :
Hi,
Yes but only for computer which are registered to the samba domains. For other ones there's no problem With no problem, do you mean:
- there's a box coming up on the first time, and the user can click "Connect", and then things work
or
- you are provisioning all the non-AD client devices with the needed CA and server name details, and they can connect automatically
If the former, this in not "no problem" but a gaping security hole.
If the latter: good job on the BYOD clients. Now, for the AD-joined machines, you probably you need to install the CA via GPOs and mark it as trusted for the *Wi-Fi* login use case. Just being in the generic CA trust store is *not* enough.
Greetings,
Stefan Winter
On Apr 10, 2018, at 2:34 PM, Arnaud Forster <arnaud.forster@mwprog.ch> wrote:
Hello Alan,
Thanks for your answer. So I checked the log and the only thing I've when a computer belonging to the domain tries to connect is the following :
Tue Apr 10 10:31:14 2018 : Info: rlm_ldap (ldap): Opening additional connection (24), 1 of 29 pending slots used Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS Alert read:fatal:unknown CA Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: TLS_accept: Failed in SSLv3 read client key exchange A Tue Apr 10 10:31:15 2018 : ERROR: (37) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
So I tried to install the ca.der key on the windows client system but the error remains Client doesn't know/trust the CA that signed your server certificate.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Le 10.04.2018 à 10:36, Arran Cudbard-Bell a écrit : - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello,
with no problem, means that a box in coming and I've to enter a username/password from my domain users. Once this is made, my username/password are stored and they are not requested anymore. In this case I didn't install any certificate of my computer.
That's what I meant with "gaping security hole". An attacker can simply set up a Wi-Fi network with the same SSID and arbitrary RADIUS server, and your computer will happily send your username and password to that rogue attacker when in the vicinity. In order to achieve security, a client device MUST verify the server-side certificate. And that means installing the CA, mark it as the CA to trust for this particular Wi-Fi network, and pinning the expected server name. I.e. your perception of you not having a problem is wrong. There are tools that allow you to specify your deployment details and get an installer that does the right settings out of it. One example is https://802.1x-config.org
For computers registered into the domain, they are several cases :
With windows 10 , I can connect if I do that before entering my username/password to start my session. Once my session started, I can't connect anymore.
For Windows 7, as I can't connect before entering in a session, I tested 2 different situations : 1 with a local account and 1 with a domain account. In both cases I can't connect to my wifi and the certificate error is coming.
My domain is a samba domain so I don't think (but not sure) I can use GPOs for this ..
If it's a Samba 4 AD server, you should be able to. If it's a Samba 3 "NT-Domain" style server, then no. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Oooh I see now, thanks for the informations, I'll have a deeper look into this ;) My Samba AD is NT-domain style .. :( Thanks very much for your help :) Arnaud Le 10.04.2018 à 11:27, Stefan Winter a écrit :
Hello,
with no problem, means that a box in coming and I've to enter a username/password from my domain users. Once this is made, my username/password are stored and they are not requested anymore. In this case I didn't install any certificate of my computer. That's what I meant with "gaping security hole". An attacker can simply set up a Wi-Fi network with the same SSID and arbitrary RADIUS server, and your computer will happily send your username and password to that rogue attacker when in the vicinity.
In order to achieve security, a client device MUST verify the server-side certificate. And that means installing the CA, mark it as the CA to trust for this particular Wi-Fi network, and pinning the expected server name.
I.e. your perception of you not having a problem is wrong.
There are tools that allow you to specify your deployment details and get an installer that does the right settings out of it. One example is https://802.1x-config.org
For computers registered into the domain, they are several cases :
With windows 10 , I can connect if I do that before entering my username/password to start my session. Once my session started, I can't connect anymore.
For Windows 7, as I can't connect before entering in a session, I tested 2 different situations : 1 with a local account and 1 with a domain account. In both cases I can't connect to my wifi and the certificate error is coming.
My domain is a samba domain so I don't think (but not sure) I can use GPOs for this .. If it's a Samba 4 AD server, you should be able to. If it's a Samba 3 "NT-Domain" style server, then no.
Greetings,
Stefan Winter
On Apr 10, 2018, at 5:27 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
That's what I meant with "gaping security hole". An attacker can simply set up a Wi-Fi network with the same SSID and arbitrary RADIUS server, and your computer will happily send your username and password to that rogue attacker when in the vicinity.
The hope is that most new devices will do certificate pinning. After the first authentication, they cache the CA. And if the CA changes, they complain and refuse to authenticate. Alan DeKok.
participants (5)
-
Alan DeKok -
Arnaud Forster -
Arran Cudbard-Bell -
Forster Arnaud -
Stefan Winter