authenticate problem XP eap/tls

Thuis Algemeen thuis-algemeen at chello.nl
Tue Oct 11 19:54:01 CEST 2005


When I enable RASTLS, I see the following error:

[1304] 19:33:27:968: EapTlsInvokeIdentityUI
[1304] 19:33:27:968: GetCertInfo
[1304] 19:33:27:984: FCheckSCardCertAndCanOpenSilentContext
[1304] 19:33:27:984: FGetEKUUsage
[1304] 19:33:27:984: Acquiring Context for Container Name: {226FADA0-66DE-4423-BFBF-448D710E1BF2}, ProvName: Microsoft Base Cryptographic Provider v1.0, ProvType 0x1
[1304] 19:33:28:000: FCheckTimeValidity
[1304] 19:33:28:000: Add Selected Cert to List
[1304] 19:33:28:000: FCheckSCardCertAndCanOpenSilentContext
[1304] 19:33:28:000: FGetEKUUsage
[1304] 19:33:28:000: Acquiring Context for Container Name: {F4FC41A8-ECDF-4B9A-A613-A457D74DDFF8}, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[1304] 19:33:28:015: FCheckTimeValidity
[1304] 19:33:28:015: Add Selected Cert to List
[1304] 19:33:28:015: GroupCertificates
[1304] 19:33:35:078: 
[1304] 19:33:35:078: EapTlsBegin(Jurgen Tessers)
[1304] 19:33:35:078: State change to Initial
[1304] 19:33:35:078: EapTlsBegin: Detected 8021X authentication
[1304] 19:33:35:078: MaxTLSMessageLength is now 16384
[1304] 19:33:35:078: 
[1304] 19:33:35:078: EapTlsMakeMessage(jurgen tessers)
[1304] 19:33:35:078: >> Received Request (Code: 1) packet: Id: 1, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1304] 19:33:35:078: EapTlsCMakeMessage
[1304] 19:33:35:078: EapTlsReset
[1304] 19:33:35:078: State change to Initial
[1304] 19:33:35:078: GetCredentials
[1304] 19:33:35:078: Flag is Client and Store is Current User
[1304] 19:33:35:078: GetCachedCredentials
[1304] 19:33:35:078: FreeCachedCredentials
[1304] 19:33:35:078: AssociatePinWithCertificate
[1304] 19:33:35:093: The name in the certificate is: Jurgen Tessers
[1304] 19:33:35:093: Will validate server cert
[1304] 19:33:35:125: MakeReplyMessage
[1304] 19:33:35:125: SecurityContextFunction
[1304] 19:33:35:125: InitializeSecurityContext returned 0x90312
[1304] 19:33:35:125: State change to SentHello
[1304] 19:33:35:125: BuildPacket
[1304] 19:33:35:125: << Sending Response (Code: 2) packet: Id: 1, Length: 80, Type: 13, TLS blob length: 70. Flags: L
[2448] 19:33:35:140: 
[2448] 19:33:35:140: EapTlsMakeMessage(jurgen tessers)
[2448] 19:33:35:140: >> Received Request (Code: 1) packet: Id: 2, Length: 1030, Type: 13, TLS blob length: 1020. Flags: L
[2448] 19:33:35:140: EapTlsCMakeMessage
[2448] 19:33:35:140: MakeReplyMessage
[2448] 19:33:35:140: Reallocating input TLS blob buffer
[2448] 19:33:35:140: SecurityContextFunction
[2448] 19:33:35:281: InitializeSecurityContext returned 0x80096004
[2448] 19:33:35:281: State change to RecdFinished. Error: 0x80096004
[2448] 19:33:35:281: BuildPacket
[2448] 19:33:35:281: << Sending Response (Code: 2) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: 
[2448] 19:33:35:281: 
[2448] 19:33:35:281: EapTlsMakeMessage(jurgen tessers)
[2448] 19:33:35:281: >> Received Request (Code: 1) packet: Id: 3, Length: 10, Type: 13, TLS blob length: 0. Flags: L
[2448] 19:33:35:281: EapTlsCMakeMessage
[2448] 19:33:35:281: Unexpected code: 1 in state RecdFinished
[2448] 19:34:05:296: EapTlsEnd
[2448] 19:34:05:296: EapTlsEnd(jurgen tessers)
[2448] 19:34:05:296: Auth failed so freeing cached creds.
[2448] 19:34:05:296: FreeCachedCredentials
[2448] 19:34:05:296: 
[2448] 19:34:05:296: EapTlsBegin(Jurgen Tessers)
[2448] 19:34:05:296: State change to Initial
[2448] 19:34:05:296: EapTlsBegin: Detected 8021X authentication
[2448] 19:34:05:296: MaxTLSMessageLength is now 16384

etc., etc. ...
  ----- Original Message ----- 
  From: Ben Walding 
  To: FreeRadius users mailing list 
  Sent: Monday, October 10, 2005 2:18 AM
  Subject: Re: authenticate problem XP eap/tls


  Make sure that you either don't validate the server certificate, or that if you do, that the CA is selected.

  The XP supplicant will just keep hammering at the server without accepting the response if the CA / server checking doesn't pass. 

  The other thing to do is look at the RASTLS (and/or EAPOL) logs.

  eg: 

  netsh ras set tracing rastls enabled

  And then take a look at the files in c:\windows\tracing

  Cheers,
  Ben

  On 10/10/05, Thuis Algemeen <thuis-algemeen at chello.nl> wrote:
    Thanks Allan,

    I used a file called xpextensions with both a client section and a server
    section.
    The client certificate present on the laptop displays: Clientverificatie
    (1.3.6.1.5.5.7.3.2)
    The server certificate present on the server displays: Verificatie van de
    server (1.3.6.1.5.5.7.3.1)

    ----- Original Message -----
    From: "Alan DeKok" <aland at ox.org>
    To: "FreeRadius users mailing list" < freeradius-users at lists.freeradius.org>
    Sent: Sunday, October 09, 2005 5:49 PM
    Subject: Re: authenticate problem XP eap/tls


    > "Thuis Algemeen" < thuis-algemeen at chello.nl> wrote:
    >>  Here is the log from freeradius, the only error I can see is:
    >> "TLS_accept:error in SSLv3 read client certificate A".
    >
    >  That error is in the middle of the authentication session, and 
    > doesn't mean anything.
    >
    >  Do the certificates you're using have the Windows OID?
    >
    >  Alan DeKok.
    >
    > -
    > List info/subscribe/unsubscribe? See
    > http://www.freeradius.org/list/users.html

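An added example (not part of the original thread, and not code from FreeRADIUS or Microsoft): a small Python parser for RASTLS trace lines like those in the post above. It picks out failing InitializeSecurityContext calls and names the status code. The table goes beyond the two codes in the post with a few related certificate-validation codes from winerror.h; `find_failures` and `STATUS` are names chosen for this example.

```python
import re

# Status values as defined in the Windows SDK header winerror.h.
STATUS = {
    0x00090312: ("SEC_I_CONTINUE_NEEDED", "normal: more handshake messages expected"),
    0x80096004: ("TRUST_E_CERT_SIGNATURE", "the signature of the certificate cannot be verified"),
    0x800B0101: ("CERT_E_EXPIRED", "a certificate is outside its validity period"),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "chain ends in a root that is not trusted"),
    0x800B010F: ("CERT_E_CN_NO_MATCH", "certificate name does not match the expected name"),
    0x80090325: ("SEC_E_UNTRUSTED_ROOT", "chain was issued by an untrusted authority"),
}

LINE = re.compile(r"^\[(\d+)\]\s+(\d\d:\d\d:\d\d:\d+):\s?(.*)$")
ISC = re.compile(r"InitializeSecurityContext returned (0x[0-9A-Fa-f]+)")
STATE = re.compile(r"State change to (\w+)")

def find_failures(trace):
    """Return one dict per failing InitializeSecurityContext call in a RASTLS trace."""
    failures, state = [], None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a "[thread] hh:mm:ss:ms: message" trace line
        thread, ts, msg = m.groups()
        s = STATE.search(msg)
        if s:
            state = s.group(1)  # remember the last EAP-TLS state seen
        r = ISC.search(msg)
        if not r:
            continue
        code = int(r.group(1), 16)
        if code & 0x80000000:  # severity bit set: failure HRESULT
            name, meaning = STATUS.get(code, ("UNKNOWN", "not in the table above"))
            failures.append({"time": ts, "thread": int(thread), "state_before": state,
                             "code": f"0x{code:08X}", "name": name, "meaning": meaning})
    return failures

# Lines copied from the trace in the post above.
SAMPLE = """\
[1304] 19:33:35:093: Will validate server cert
[1304] 19:33:35:125: InitializeSecurityContext returned 0x90312
[1304] 19:33:35:125: State change to SentHello
[2448] 19:33:35:281: InitializeSecurityContext returned 0x80096004
[2448] 19:33:35:281: State change to RecdFinished. Error: 0x80096004
"""

if __name__ == "__main__":
    print(find_failures(SAMPLE))
```

On the posted lines it reports a single failure, 0x80096004 (TRUST_E_CERT_SIGNATURE), returned while the client was in state SentHello with "Will validate server cert" logged, which is consistent with the client failing to verify the server's certificate chain.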