EAP-TTLS works for MacOS supplicants but not Win10
Hi List, This is my first message so please advise me of any participation gafs. I have a working 801.2x wifi termination with Aruba APs binding Google LDAP users via FreeRADIUS 3.0.21 using EAP-TTLS. It is only successful with MacOS supplicants though. When I start debugging Windows 10 clients, the connection fails somewhere. Comparing debug outputs, the win10 exchange just seems to stop, with no errors thrown, where the mac flow otherwise continues. Pastebin of a successful bind (mac) <https://pastebin.com/wfpDxpMH> Pastebin to a failed bind (win) <https://pastebin.com/BneBgPAN> Although the users for testing are different, there is no explicit Auth-reject to tell me that's the issue. I'd be very grateful for help understanding what's going on! Evan
On Sep 15, 2020, at 4:42 PM, Evan Sharp <evan.sharp@coastmountainacademy.ca> wrote:\
This is my first message so please advise me of any participation gafs.
http://wiki.freeradius.org/list-help
I have a working 801.2x wifi termination with Aruba APs binding Google LDAP users via FreeRADIUS 3.0.21 using EAP-TTLS. It is only successful with MacOS supplicants though. When I start debugging Windows 10 clients, the connection fails somewhere.
Comparing debug outputs, the win10 exchange just seems to stop, with no errors thrown, where the mac flow otherwise continues.
"it just stops". 99% of the time it's a certificate issue. The CA cert used by FreeRADIUS isn't configured on the Windows machine.
Although the users for testing are different, there is no explicit Auth-reject to tell me that's the issue.
Because FreeRADIUS isn't rejecting the user. Instead, the Windows system is refusing to talk to FreeRADIUS. Configure the certificates, etc. on Windows, and it will work. There are EAP-TLS guides on the FreeRADIUS Wiki. They contain information about Windows, and the certificate configuration is largely the same as for EAP-TTLS. Alan DeKok.
Hi Alan, Thanks for the quick reply!
The CA cert used by FreeRADIUS isn't configured on the Windows machine.
Does that cert come pre-configured in MacOS and ChromeOS? These are BYOD computers so I haven't touched them, but all the Mac clients have been plug-and-play. Evan On Tue, Sep 15, 2020 at 2:12 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 15, 2020, at 4:42 PM, Evan Sharp < evan.sharp@coastmountainacademy.ca> wrote:\
This is my first message so please advise me of any participation gafs.
http://wiki.freeradius.org/list-help
I have a working 801.2x wifi termination with Aruba APs binding Google LDAP users via FreeRADIUS 3.0.21 using EAP-TTLS. It is only successful with MacOS supplicants though. When I start debugging Windows 10 clients, the connection fails somewhere.
Comparing debug outputs, the win10 exchange just seems to stop, with no errors thrown, where the mac flow otherwise continues.
"it just stops".
99% of the time it's a certificate issue. The CA cert used by FreeRADIUS isn't configured on the Windows machine.
Although the users for testing are different, there is no explicit Auth-reject to tell me that's the issue.
Because FreeRADIUS isn't rejecting the user. Instead, the Windows system is refusing to talk to FreeRADIUS.
Configure the certificates, etc. on Windows, and it will work. There are EAP-TLS guides on the FreeRADIUS Wiki. They contain information about Windows, and the certificate configuration is largely the same as for EAP-TTLS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 15/09/2020 23:49, Evan Sharp wrote:
The CA cert used by FreeRADIUS isn't configured on the Windows machine.
Does that cert come pre-configured in MacOS and ChromeOS? These are BYOD computers so I haven't touched them, but all the Mac clients have been plug-and-play.
It depends on whatever certificate(s) you configured in raddb/mods-enabled/eap. If it was a commercial CA cert then it's likely Windows already has it installed. If you generated it from your own CA yourself then you'll need to install the CA cert in Windows. Windows is generally a lot more picky about the certificates that it will accept, hence the difference. -- Matthew
On Sep 15, 2020, at 6:49 PM, Evan Sharp <evan.sharp@coastmountainacademy.ca> wrote:
The CA cert used by FreeRADIUS isn't configured on the Windows machine.
Does that cert come pre-configured in MacOS and ChromeOS?
No.
These are BYOD computers so I haven't touched them, but all the Mac clients have been plug-and-play.
Someone poked something. For the last 3-4 years, OSX will *not* allow users to configure TTLS with certificates via the GUI. Instead, it has to be done via a mobileconfig file, or provisioning tool. So if OSX and Chrome "just work", then it's because someone is configuring it. They require some kind of configuration changes before they "just work". Alan DeKok.
Hi Allan, Matthew, et al.
So if OSX and Chrome "just work", then it's because someone is configuring it.
All respect guys, but these are dozens of K-12 student-owned BYODs. They haven't received any configuration and they all work out of the gate as operated by a 12 year old. I don't need to be right, but I don't know enough about what I've configured to understand how it is working; do you have any other ideas? It makes sense to me that Win10 is being finicky about a cert, but since installing one on these student-owned machines is something I want to avoid, I want to get to the bottom of OSX's success in case it's replicable.
"it just stops". 99% of the time it's a certificate issue.
Did you look at the end of my "failed bind" debug? Is that what this looks like for sure? Is there any additional logging I can get besides `-X`? Thanks, Evan On Tue, Sep 15, 2020 at 6:56 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 15, 2020, at 6:49 PM, Evan Sharp < evan.sharp@coastmountainacademy.ca> wrote:
The CA cert used by FreeRADIUS isn't configured on the Windows machine.
Does that cert come pre-configured in MacOS and ChromeOS?
No.
These are BYOD computers so I haven't touched them, but all the Mac clients have been plug-and-play.
Someone poked something.
For the last 3-4 years, OSX will *not* allow users to configure TTLS with certificates via the GUI. Instead, it has to be done via a mobileconfig file, or provisioning tool.
So if OSX and Chrome "just work", then it's because someone is configuring it. They require some kind of configuration changes before they "just work".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 16, 2020, at 6:56 PM, Evan Sharp <evan.sharp@coastmountainacademy.ca> wrote:
Hi Allan, Matthew, et al.
So if OSX and Chrome "just work", then it's because someone is configuring it.
All respect guys, but these are dozens of K-12 student-owned BYODs.
Do they connect to your network using credentials you supply? https://support.google.com/chrome/a/answer/2634553?hl=en • On Chrome OS versions 61–72, certificates added to an organizational unit are available to both network settings and kiosk apps on devices. On earlier versions, certificates are only available to the network settings on a device.
They haven't received any configuration and they all work out of the gate as operated by a 12 year old. I don't need to be right, but I don't know enough about what I've configured to understand how it is working; do you have any other ideas?
So far as I'm aware *all* modern operating systems don't allow the user to configure EAP-TTLS or PEAP. *All* systems refuse to accept even known CAs (i.e. web ones), unless the CA is enabled for EAP. I suspect what's happening is that they Chrome devices are pulling the certificate information from your systems. So someone, somewhere, set it up for your network.
It makes sense to me that Win10 is being finicky about a cert, but since installing one on these student-owned machines is something I want to avoid, I want to get to the bottom of OSX's success in case it's replicable.
"it just stops". 99% of the time it's a certificate issue.
Did you look at the end of my "failed bind" debug?
Yes... that *is* what I do about 10 times a day.
Is that what this looks like for sure?
Yes, I'm not going to change my answer is you ask again.
Is there any additional logging I can get besides `-X`?
No amount of additional FreeRADIUS logging will tell you what's going wrong with Windows. In fact, if the client keeps trying EAP, the debug output will print out a huge warning, and point you to a Wiki page. That page describes exactly what's going wrong, and how to fix it. Hint: configure Windows correctly. Alan DeKok.
Hi Allan, Do they connect to your network using credentials you supply? No. They are using their Google Cloud Identity credentials since freeRADIUS is binding on Google Secure LDAP. So far as I'm aware *all* modern operating systems don't allow the user to
configure EAP-TTLS or PEAP. *All* systems refuse to accept even known CAs (i.e. web ones), unless the CA is enabled for EAP.
Is it possible that the AP controller is not passing the cert request back to the supplicant and instead is answering RADIUS with the key I installed? This would explain how a tunnel is being established without a cert on the BYOD. Midway in the first passthrough: 1. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize 2. (0) [eap] = ok @Alan Buxey, Eduroam is a sledgehammer for my little school. The juice is not worth the squeeze for me, but thanks for the suggestion. I do appreciate the ongoing help guys. Evan On Wed, Sep 16, 2020 at 5:31 PM Alan DeKok <aland@deployingradius.com> wrote:
On Sep 16, 2020, at 6:56 PM, Evan Sharp < evan.sharp@coastmountainacademy.ca> wrote:
Hi Allan, Matthew, et al.
So if OSX and Chrome "just work", then it's because someone is configuring it.
All respect guys, but these are dozens of K-12 student-owned BYODs.
Do they connect to your network using credentials you supply?
https://support.google.com/chrome/a/answer/2634553?hl=en
• On Chrome OS versions 61–72, certificates added to an organizational unit are available to both network settings and kiosk apps on devices. On earlier versions, certificates are only available to the network settings on a device.
They haven't received any configuration and they all work out of the gate as operated by a 12 year old. I don't need to be right, but I don't know enough about what I've configured to understand how it is working; do you have any other ideas?
So far as I'm aware *all* modern operating systems don't allow the user to configure EAP-TTLS or PEAP. *All* systems refuse to accept even known CAs (i.e. web ones), unless the CA is enabled for EAP.
I suspect what's happening is that they Chrome devices are pulling the certificate information from your systems. So someone, somewhere, set it up for your network.
It makes sense to me that Win10 is being finicky about a cert, but since installing one on these student-owned machines is something I want to avoid, I want to get to the bottom of OSX's success in case it's replicable.
"it just stops". 99% of the time it's a certificate issue.
Did you look at the end of my "failed bind" debug?
Yes... that *is* what I do about 10 times a day.
Is that what this looks like for sure?
Yes, I'm not going to change my answer is you ask again.
Is there any additional logging I can get besides `-X`?
No amount of additional FreeRADIUS logging will tell you what's going wrong with Windows.
In fact, if the client keeps trying EAP, the debug output will print out a huge warning, and point you to a Wiki page. That page describes exactly what's going wrong, and how to fix it.
Hint: configure Windows correctly.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 17, 2020, at 3:20 PM, Evan Sharp <evan.sharp@coastmountainacademy.ca> wrote:
No. They are using their Google Cloud Identity credentials since freeRADIUS is binding on Google Secure LDAP.
*Something* is telling the devices to allow your CA. This does *not* happen automatically.
Is it possible that the AP controller is not passing the cert request back to the supplicant and instead is answering RADIUS with the key I installed?
I have no idea what that means. What "key" you installed? The AP doesn't do certs, and doesn't know about them. It just passes packets back and forth between the end-user device, and the RADIUS server.
This would explain how a tunnel is being established without a cert on the BYOD. Midway in the first passthrough:
The end user device DOES have a certificate configured.
1. (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize 2. (0) [eap] = ok
That's just the start of the EAP conversation. It is LONG before any certificate exchange. Alan DeKok.
hi, is any prompt to trust the cert coming up on the Windows 10 box? if not, it really doesnt like it - the root CA must pass a few requirements for windows 10 - eg not be SHA1, it must have a CRLDP RL defined or somesuch too. regarding deployment - you really should be looking at a deployment tool so that your config is secure (especially with EAP-TTLS/PAP stuff as anyone doing a simple MiTM can just then harvest user details trivially....have you heard of eduroam? you might want to check that out as its a free service for academic institutions but they also provide a nice , easy to use deployment tool for free 9such things from commercial companies cost quite a bit) alan
Hi On 16.09.20 03:56, Alan DeKok wrote:
For the last 3-4 years, OSX will*not* allow users to configure TTLS with certificates via the GUI. Instead, it has to be done via a mobileconfig file, or provisioning tool.
hm, if you take a fresh MacOS or iOS install and tell it to connect to eduroam, it will try some "sensible defaults". This includes PEAP/MS-CHAPv2 for sure. If the server does not like this, but rather offers EAP-TTLS/PAP, they would switch to this one, AFAIR. But they would ask you about the cert, presenting the name included.
So if OSX and Chrome "just work", then it's because someone is configuring it. They require some kind of configuration changes before they "just work".
The Chrome thing _might_ be treacherous (and Android, too). It is still easy to configure the CA setting on the client to "Do not validate". Current version will display a hint about an "Insecure connection", but work nevertheless. (Without prior install of a cert and name to expect, the alternative is "System Defaults" which means to accept any cert from any CA already known to the OS. Unlike a browser, a supplicant has no means to know what server name to check for, unless you tell it). So if the client does not validate anything, the connection will run smoothly. As will the connection to a Rogue AP AKA Evil Twin :-\ We are currently running an investigation into this (yawn, has been known for 10+ years). But still works pretty well. About 25% of all clients happily log on to our Rogue AP and give away their credentials. Most are Android phones, much fewer ChromeOS, and even fewer outdated Apple gear. What cert do you provide to the clients? And what do the settings in Chrome an Android Clients that "just work" look like? Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (5)
-
Alan Buxey -
Alan DeKok -
Evan Sharp -
Martin Pauly -
Matthew Newton