Connection before logon

Phil Scarratt misc at draxsen.com
Sat Mar 17 03:54:29 CET 2007


Phil Scarratt wrote:
> Hi
> 
> I am sure this must be a commonly asked question, but after hours of 
> searching I just can't seem to find the answer. I've spent hours 
> trawling through Google and searching the archives to no avail. I am 
> sure I am missing something simple, but can't put my finger on it. There 
> are several posts of similar topic but no answer (or answer that works).
> 
> In my case, I have freeradius installed to use EAP-TLS, Windows XP SP2 
> clients exclusively. The authentication works fine after logging on 
> using a local account. I have the same certificates in both the local 
> user's certificate store and the computer account certificate store. The 
> debug output for freeradius, when the computer is first switched on and 
> before logging on, simply shows repeated Access-Request packets like the 
> one below. It basically simply repeats.
> 
> Can anyone shed any light at all, or point me in other directions to 
> search?

Fixed my own problem... :) After a night's sleep and further thinking 
and testing (tcpdump, AP log files, etc.) I concluded that the XP 
client was simply not responding to the EAP Authorize-Challenge, for which 
the most likely reason would be that it had a problem with certificates 
(either not installed properly or could not find one suitable). As I 
could verify easily that the certificate was there (using mmc and the 
Certificates snap-in), I tried generating a different certificate with 
host/ as part of the CN, importing that (and deleting the old one). No 
go either. However, on deleting this new cert and re-importing the old 
one using mmc, all worked like a charm.

I think probably what happened (for archive purposes) was that the 
original howto I followed was not overly interested in machine logons, 
so had said to double-click the certificate and let the machine pick 
where to store it. I then later used mmc to drag and drop the 
certificate into the computer account's personal certificate store. This 
obviously did not do the correct thing. Importing using MMC direct to 
the computer account's personal cert store did.

Fil
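
Added example, not part of the original post: a PowerShell check that goes beyond confirming a certificate is visible in the Certificates snap-in, by listing the properties a client certificate needs for EAP-TLS in both the user and computer personal stores. It assumes Windows PowerShell 3.0 or later; the post does not say which property was wrong after the drag and drop, so the private-key and EKU columns are the usual suspects rather than a confirmed diagnosis.

```powershell
# Added example: compare candidate EAP-TLS client certificates in the
# current user's and the computer account's Personal stores.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Collect the EKU OIDs, if the certificate carries an EKU extension.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is $ekuType) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            # False means the store entry has no associated private key,
            # so it cannot be used to answer a TLS client challenge.
            HasPrivateKey = $cert.HasPrivateKey
            # False also covers certificates with no EKU extension at all;
            # review those by hand.
            ClientAuthEku = ($ekuOids -contains $clientAuthOid)
            InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        }
    }
}

$report | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

For authentication before logon, the row that matters is the one under `Cert:\LocalMachine\My`; a certificate that shows `HasPrivateKey` as True only under `Cert:\CurrentUser\My` is usable only after a user has logged on.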



More information about the Freeradius-Users mailing list