EAP-TLS Machine Authentication problems
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the cetificates. I can authenticate using user certificates fine, so I'm pretty sure all the Certificates & CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate. I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN is the altSubjectName field as well. It has the same usage extensions as the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it trys to authenticate which suggests that the workstation is okay with the certificate. Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly. Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log I also tossed out the windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/ Can anybody give me a pointer on where to look for problems? Thanks -- Mike Olson
machine: TLS_accept:error in SSLv3 read client certificate A user: (other): SSL negotiation finished successfully There doesn't seem to be a machine certificate in the certificate store. Ivan Kalik Kalik Informatika ISP Dana 18/1/2008, "Michael Olson" <olson@irinim.net> piše:
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the cetificates.
I can authenticate using user certificates fine, so I'm pretty sure all the Certificates & CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate.
I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN is the altSubjectName field as well. It has the same usage extensions as the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it trys to authenticate which suggests that the workstation is okay with the certificate.
Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly.
Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
I also tossed out the windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/
Can anybody give me a pointer on where to look for problems?
Thanks
-- Mike Olson
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I loaded the computer certificate via the MMC Certificates module, into the Local Machine, Personal store. When there isn't one in there I get a can't find a certificate error in widows when trying to connect and it never tries to do EAP. Also, looking at the user log and the computer log, they both get the "TLS_accept:error in SSLv3 read client certificate A" at that stage. Looking at User cert request ID #52 and Computer cert request ID #40 (Where the "SSLv3 read client certificate A" error occurs) they are pretty much identical. The next messages in the sequence (#53/#41) are also almost identical (the freeradius reply is identical right down to the EAP-Message blobs in the response). The message after that is where things appear to go wrong, in User #54, a ton of EAP data comes in from the client, the client cert details show up, and authentication seems to be wrapping up; but in Computer #42 barely anything appears in the EAP blobs and the process appears to start cycling over again. Thanks -- Mike Olson tnt@kalik.co.yu wrote:
machine: TLS_accept:error in SSLv3 read client certificate A user: (other): SSL negotiation finished successfully
There doesn't seem to be a machine certificate in the certificate store.
Ivan Kalik Kalik Informatika ISP
Dana 18/1/2008, "Michael Olson" <olson@irinim.net> piše:
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the cetificates.
I can authenticate using user certificates fine, so I'm pretty sure all the Certificates & CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate.
I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN is the altSubjectName field as well. It has the same usage extensions as the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it trys to authenticate which suggests that the workstation is okay with the certificate.
Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly.
Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
I also tossed out the windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/
Can anybody give me a pointer on where to look for problems?
Thanks
-- Mike Olson
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looking at User cert request ID #52 and Computer cert request ID #40 (Where the "SSLv3 read client certificate A" error occurs) they are pretty much identical. The next messages in the sequence (#53/#41) are also almost identical (the freeradius reply is identical right down to the EAP-Message blobs in the response). The message after that is where things appear to go wrong, in User #54, a ton of EAP data comes in from the client, the client cert details show up, and authentication seems to be wrapping up; but in Computer #42 barely anything appears in the EAP blobs and the process appears to start cycling over again.
Thanks
-- Mike Olson
Yes, there is a mismatch that's something to do with MS adding $ to the end of machine accounts, so certificate data is not sent. I don't know how to fix this but I am sure there are people on the list that do. Ivan Kalik Kalik Informatika ISP
Found the problem... and ummm... I'm really ashamed to admit this one. I had the CA root certificate in the users trusted root store, moved it over the machine trusted root store and all is well. Thank you for enduring my duh moment. -- Mike Olson Michael Olson wrote:
I loaded the computer certificate via the MMC Certificates module, into the Local Machine, Personal store. When there isn't one in there I get a can't find a certificate error in widows when trying to connect and it never tries to do EAP. Also, looking at the user log and the computer log, they both get the "TLS_accept:error in SSLv3 read client certificate A" at that stage.
Looking at User cert request ID #52 and Computer cert request ID #40 (Where the "SSLv3 read client certificate A" error occurs) they are pretty much identical. The next messages in the sequence (#53/#41) are also almost identical (the freeradius reply is identical right down to the EAP-Message blobs in the response). The message after that is where things appear to go wrong, in User #54, a ton of EAP data comes in from the client, the client cert details show up, and authentication seems to be wrapping up; but in Computer #42 barely anything appears in the EAP blobs and the process appears to start cycling over again.
Thanks
-- Mike Olson
tnt@kalik.co.yu wrote:
machine: TLS_accept:error in SSLv3 read client certificate A user: (other): SSL negotiation finished successfully
There doesn't seem to be a machine certificate in the certificate store.
Ivan Kalik Kalik Informatika ISP
Dana 18/1/2008, "Michael Olson" <olson@irinim.net> piše:
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the cetificates.
I can authenticate using user certificates fine, so I'm pretty sure all the Certificates & CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate.
I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN is the altSubjectName field as well. It has the same usage extensions as the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it trys to authenticate which suggests that the workstation is okay with the certificate.
Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly.
Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
I also tossed out the windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/
Can anybody give me a pointer on where to look for problems?
Thanks
-- Mike Olson
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I tried upgrading to 2.0.0, very close to a stock default config and I'm getting the same symptoms, user works, computer doesn't. Makes me even more suspicious of my certificates. I updated the files listed below to new logs generated from 2.0.0. I saw the note to in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that to work and I posted the output from an openssl pkcs12 dump to http://www.cs.odu.edu/~olson/eap/computer.p12.txt , unfortunately that didn't seem to help. I'm pretty much dead on ideas at this point, besides Ivan Kaliks suggestion that I look into the $ appended to the machine name. (Which I'm pursuing next.) Thanks -- Mike Olson Michael Olson wrote:
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the cetificates.
I can authenticate using user certificates fine, so I'm pretty sure all the Certificates & CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate.
I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN is the altSubjectName field as well. It has the same usage extensions as the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it trys to authenticate which suggests that the workstation is okay with the certificate.
Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly.
Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
I also tossed out the windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/
Can anybody give me a pointer on where to look for problems?
Thanks
-- Mike Olson
Well this was an embarrassing sort of problem. The CA certificate was in the Users Trusted Root store, once I moved it to the Machine Trusted Root store all was well. For anyone else ever hunting down this problem, the Windows RASTLS.log error messages I got were: [4968] 21:57:59:046: SecurityContextFunction [4968] 21:57:59:062: InitializeSecurityContext returned 0x80090325 [4968] 21:57:59:062: State change to RecdFinished. Error: 0x321 In freeradius it seemed like the login process just cycled forever, getting to the last message and the client just gave up. In the Windows "Wireless Network Connection" dialog box it hung in attempting to verify and never moved on. Thanks all for enduring my duh moment with me. v/r -- Mike Olson Michael Olson wrote:
I tried upgrading to 2.0.0, very close to a stock default config and I'm getting the same symptoms, user works, computer doesn't. Makes me even more suspicious of my certificates. I updated the files listed below to new logs generated from 2.0.0.
I saw the note to in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that to work and I posted the output from an openssl pkcs12 dump to http://www.cs.odu.edu/~olson/eap/computer.p12.txt , unfortunately that didn't seem to help.
I'm pretty much dead on ideas at this point, besides Ivan Kaliks suggestion that I look into the $ appended to the machine name. (Which I'm pursuing next.)
Thanks
-- Mike Olson
Michael Olson wrote:
I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine authentication. I set up FreeRADIUS following the guide at http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using OpenSSL to generate the cetificates.
I can authenticate using user certificates fine, so I'm pretty sure all the Certificates & CA setup is right on the RADIUS server certificate, User certificate, and the Root Certificate. That leaves the Computer Certificate.
I generated the computer certificate to have the common name be the machine name (I've tried it plain and FQDN) and I've put the FQDN is the altSubjectName field as well. It has the same usage extensions as the User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to Computer Only (2), and it trys to authenticate which suggests that the workstation is okay with the certificate.
Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
Other than that I can't think of where to look for a problem. Comparing logs between user and computer authentication I can see where it starts differing but I can't find anything I can interpret as to why. Nothing seems to fail for the computer, it just cycles endlessly.
Successful User Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
Failed Computer Authentication Log: http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
I also tossed out the windows tracing logs for both user and computer auth and anything else that seemed useful in http://www.cs.odu.edu/~olson/eap/
Can anybody give me a pointer on where to look for problems?
Thanks
-- Mike Olson
participants (2)
-
Michael Olson -
tnt@kalik.co.yu