Problems using EAP-TLS with freeradius version 2
Hello everyone, I've got some problems with the new version of freeradius, but before I'm going to open a new bugreport or post long debugtraces from "radiusd -X" I want to ask here if someone else has made similar experiences. I've set up a freeradius server version 1.1.7 in our club to authenticate several Notebooks. This worked fine with Windows XP, Windows Vista and Linux clients using EAP-TLS certificates (many thanks for the good documentation of the OIDs in the TLS certificate). Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began. The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't work on e.g. Windows Mobile 6 PDA. So first I updated the freeradius version to the latest release (2.0.1), checked and modified all configuration files and so on, but that didn't solve the problem, it made them getting worser. With the new version 2.0.1 the Windows and Linux Laptops are not able to authenticate any more with the freeradius server (the certificates are still the same). The server sends an ACCESS, but the behavior is like described in the FAQ "PEAP or EAP-TLS Doesn't Work with a Windows machine". Downgrading to the previous version of freeradius 1.1.7 makes them work again, freeradius version 2.0.0 doesn't work either. Does anyone of the experts here know what could be the problem (a guess, perhaps what changed from version 1.1.7 to version 2.0.1)? My goal is first to make the clients using Windows XP, Vista and Linux work again with freeradius version2 and EAP-TLS. After fixing that it would be fine, if freeradius would also work the different Windows Mobile systems. So, what would be helpful to analyze the problem? All config files or just the output from radiusd -X from both versions in order to make a diff or should I open a new bug in the tracking system as well? I would like to provide USEFULL debug-traces, so that it is easier for the experts to solve the problem and not to much work for me when providing useless informations. Best regards and thanks in advance Stefan Puch
Stefan Puch wrote:
Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began. The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't work on e.g. Windows Mobile 6 PDA.
You have to love Microsoft...
With the new version 2.0.1 the Windows and Linux Laptops are not able to authenticate any more with the freeradius server (the certificates are still the same). The server sends an ACCESS, but the behavior is like described in the FAQ "PEAP or EAP-TLS Doesn't Work with a Windows machine". Downgrading to the previous version of freeradius 1.1.7 makes them work again, freeradius version 2.0.0 doesn't work either.
The EAP-TLS code was substantially re-worked in 2.0.0. It was tested with Vista, XP SP1, XP SP2, Linux systems, MAC. It's working "live" in environments with many, may different OS's and architectures. So it *should* work.
So, what would be helpful to analyze the problem? All config files or just the output from radiusd -X from both versions in order to make a diff or should I open a new bug in the tracking system as well?
ethereal packet traces of the RADIUS traffic would help. But I would first suggest trying to use the test certificates that come with 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that there is something special about the certificates you're using. Alan DeKok.
Stefan Puch wrote on 30.01.2008 11:13:
Hello everyone,
I've got some problems with the new version of freeradius, but before I'm going to open a new bugreport or post long debugtraces from "radiusd -X" I want to ask here if someone else has made similar experiences.
I've set up a freeradius server version 1.1.7 in our club to authenticate several Notebooks. This worked fine with Windows XP, Windows Vista and Linux clients using EAP-TLS certificates (many thanks for the good documentation of the OIDs in the TLS certificate).
Then some people came with their mobile devices which are running Windows Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.
We know of problems with EE certificates in PDAs containing the "non-repudiation" flag. Additionally Windows build-in supplicants don't like EE certificates with the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2) when doing EAP-TLS. Apparently the latter issue can also be solved by just disabling the valid certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted usages properties on the system. -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki 15 Jahre DFN-CERT + 15. DFN-Workshop "Sicherheit in vernetzten Systemen" am 13./14. Februar 2008 im CCH Hamburg - https://www.dfn-cert.de/ws2008/ -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 Sachsenstr. 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
participants (3)
-
Alan DeKok -
Reimer Karlsen-Masur, DFN-CERT -
Stefan Puch