Problems in EAP-TLS in new Windows XP clients
Jose Marcos Lopez Caravaca
marcos at lsi.upc.edu
Mon Sep 18 13:42:51 CEST 2006
Hi.
I have been stuck in this problem for quite a long time; I hope you can help me.
I have a wireless network using WPA-Enterprise, with EAP-TLS using radius 1.0.2. The system
has been working well so far, using Windows XP clients and Linux with wpasupplicant
with no problems.
In the last month I have been having problems making new Windows XP clients connect to the network,
even though old installations of Windows XP SP2 still work fine. The OEM Windows XP on the
new machines doesn't interoperate correctly with freeradius, or so it seems.
The non-working machines get stuck in the authentication phase and seem to loop the requests
all the time.
I've tried upgrading freeradius from 1.0.2 to 1.1.3, but the problem still persists: "old"
machines connect without any problem but new ones get stuck.
Both the client and server certificates have the OIDs referred to in the documentation:
Client:
# /home/soft-local/openssl-0.9.8c/bin/openssl x509 -in /tmp/personal.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 206 (0xce)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Departament de Llenguatges i Sistemes Informatics, CN=Laboratori de Calcul de LSI/emailAddress=lclsi at lsi.upc.edu
Validity
Not Before: Sep 5 10:15:15 2006 GMT
Not After : Dec 1 08:00:00 2006
Subject: C=ES, ST=Barcelona, L=Barcelona, O=UPC, OU=LSI, CN=marcos/emailAddress=marcos at lsi.upc.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: md5WithRSAEncryption
Server:
# /home/soft-local/openssl-0.9.8c/bin/openssl x509 -in /home/soft-local/freeradius-1.1.3/etc/raddb/certs/cert-srv.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 153 (0x99)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ES, ST=Barcelona, L=Barcelona, O=Universitat Politecnica de Catalunya, OU=Departament de Llenguatges i Sistemes Informatics, CN=Laboratori de Calcul de LSI/emailAddress=lclsi at lsi.upc.edu
Validity
Not Before: Mar 15 11:13:27 2006 GMT
Not After : Mar 15 11:13:27 2007 GMT
Subject: C=ES, ST=Barcelona, L=Barcelona, O=Departament de Llenguatges i Sistemes Informatics, OU=Laboratori de Caulcul de LSI, CN=Servei Wireless de LCLSI/emailAddress=lclsi at lsi.upc.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: md5WithRSAEncryption
And the traces of the server:
- Working on an "old" machine attached as http://www.lsi.upc.edu/~marcos/correcto.txt
- Non-working on a "new" machine attached as http://www.lsi.upc.edu/~marcos/incorrecto.txt
Thank you all.
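An added check, not from this post or from the FreeRADIUS project, that reads `openssl x509 -text` dumps like the two above and reports whether a certificate carries the Extended Key Usage an EAP-TLS client or server needs, sits inside its validity window, and uses a deprecated signature algorithm. The abridged sample dump, the cut-off date `POST_DATE` and the function names are constructed for this example.

```python
import re
from datetime import datetime, timezone

# EKU names as printed by `openssl x509 -text`, mapped to the RFC 5280 OIDs
# (id-kp-serverAuth / id-kp-clientAuth) that EAP-TLS peers expect to find.
EKU_OIDS = {
    "TLS Web Server Authentication": "1.3.6.1.5.5.7.3.1",
    "TLS Web Client Authentication": "1.3.6.1.5.5.7.3.2",
}
REQUIRED_EKU = {"server": "1.3.6.1.5.5.7.3.1", "client": "1.3.6.1.5.5.7.3.2"}

# Constructed sample, abridged to the shape of the client dump in the post.
SAMPLE_CLIENT = """Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Validity
            Not Before: Sep  5 10:15:15 2006 GMT
            Not After : Dec  1 08:00:00 2006
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""
POST_DATE = datetime(2006, 9, 18, tzinfo=timezone.utc)  # constructed "now"

def parse_cert_text(text):
    """Extract signature algorithm, validity window and EKU OIDs from a text dump."""
    info = {"eku": set(), "sig_alg": None, "not_before": None, "not_after": None}
    m = re.search(r"Signature Algorithm:\s*(\S+)", text)
    info["sig_alg"] = m.group(1) if m else None
    for label, key in (("Not Before", "not_before"), ("Not After", "not_after")):
        m = re.search(label + r"\s*:\s*([A-Za-z]{3}\s+\d+\s+[\d:]+\s+\d{4})", text)
        if m:  # tolerates a missing "GMT" suffix, as on the client's Not After line
            stamp = " ".join(m.group(1).split())
            info[key] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    m = re.search(r"X509v3 Extended Key Usage:[ \t]*\n[ \t]*(.+)", text)
    if m:  # openssl prints the EKU names comma-separated on the following line
        for name in m.group(1).split(","):
            info["eku"].add(EKU_OIDS.get(name.strip(), name.strip()))
    return info

def check_eap_tls_cert(text, role, now):
    """Return findings for using this cert in the EAP-TLS `role` ('client' or 'server').
    An empty list means EKU, validity window and signature algorithm look acceptable."""
    info = parse_cert_text(text)
    findings = []
    if REQUIRED_EKU[role] not in info["eku"]:
        findings.append(f"missing EKU {REQUIRED_EKU[role]} required for {role}")
    if info["not_before"] and now < info["not_before"]:
        findings.append("certificate not yet valid")
    if info["not_after"] and now > info["not_after"]:
        findings.append("certificate expired")
    if info["sig_alg"] and info["sig_alg"].lower().startswith("md5"):
        findings.append(f"deprecated signature algorithm {info['sig_alg']}")
    return findings

if __name__ == "__main__":
    print(check_eap_tls_cert(SAMPLE_CLIENT, "client", POST_DATE))
```

Feeding the full dumps from the post through `check_eap_tls_cert` with the matching role confirms that the EKU itself is not what separates the working and non-working machines.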