EAP-TLS Machine Authentication problems

Michael Olson olson at irinim.net
Fri Jan 18 02:01:42 CET 2008


I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
authentication. I set up FreeRADIUS following the guide at
http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using
OpenSSL to generate the certificates.

I can authenticate using user certificates fine, so I'm pretty sure all the 
Certificates & CA setup is right on the RADIUS server certificate, User 
certificate, and the Root Certificate. That leaves the Computer Certificate.

I generated the computer certificate to have the common name be the machine
name (I've tried it plain and FQDN) and I've put the FQDN in the altSubjectName
field as well. It has the same usage extensions as the User certificates.  
(TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to 
Computer Only (2), and it tries to authenticate which suggests that the 
workstation is okay with the certificate.

Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt

Other than that I can't think of where to look for a problem. Comparing logs 
between user and computer authentication I can see where it starts differing
but I can't find anything I can interpret as to why. Nothing seems to fail for
the computer, it just cycles endlessly.

Successful User Authentication Log:
    http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log

Failed Computer Authentication Log:
    http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log

I also tossed out the windows tracing logs for both user and computer auth
    and anything else that seemed useful in 
    http://www.cs.odu.edu/~olson/eap/

Can anybody give me a pointer on where to look for problems?

Thanks

-- Mike Olson
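
An added example, not part of the original post: a shell check that a machine certificate carries the properties described above (chains to the CA, allows TLS client authentication, and lists the FQDN as a SAN dNSName). The hostname `lab-pc01.example.test`, the file names and both function names are constructed for illustration, and the throwaway CA exists only so the check has something to run against.

```shell
#!/bin/sh
# Added example. Hostnames and file names below are constructed placeholders.

# make_machine_cert DIR FQDN EKU: throwaway CA plus a machine cert in DIR.
make_machine_cert() {
    dir=$1; fqdn=$2; eku=$3
    cat > "$dir/ssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[pc_ext]
extendedKeyUsage = $eku
subjectAltName = DNS:$fqdn
EOF
    openssl req -x509 -config "$dir/ssl.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -config "$dir/ssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" -keyout "$dir/pc.key" -out "$dir/pc.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/pc.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 2 -days 1 -extfile "$dir/ssl.cnf" -extensions pc_ext \
        -out "$dir/pc.crt" 2>/dev/null
}

# check_machine_cert CERT CAFILE FQDN: 0 only if the cert chains to CAFILE,
# allows TLS client auth (1.3.6.1.5.5.7.3.2) and lists FQDN as a SAN dNSName.
check_machine_cert() {
    crt=$1; ca=$2; fqdn=$3
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    openssl verify -purpose sslclient -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: chain or client-auth purpose" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' ||
        { echo "FAIL: clientAuth EKU missing" >&2; return 1; }
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qixF "DNS:$fqdn" ||
        { echo "FAIL: SAN lacks DNS:$fqdn" >&2; return 1; }
}

# Demo run on constructed data.
tmp=$(mktemp -d)
make_machine_cert "$tmp" lab-pc01.example.test clientAuth &&
    check_machine_cert "$tmp/pc.crt" "$tmp/ca.crt" lab-pc01.example.test &&
    echo "machine certificate OK"
rm -rf "$tmp"
```

A passing check only confirms the certificate fields; it says nothing about how the supplicant or the RADIUS server handles the identity presented during the exchange.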



