EAP-TLS Machine Authentication problems

Michael Olson olson at irinim.net
Fri Jan 18 15:59:55 CET 2008


I loaded the computer certificate via the MMC Certificates module,
into the Local Machine, Personal store. When there isn't one in
there I get a can't find a certificate error in Windows when trying
to connect and it never tries to do EAP. Also, looking at the user
log and the computer log, they both get the "TLS_accept:error in
SSLv3 read client certificate A" at that stage.

Looking at User cert request ID #52 and Computer cert request ID #40
(Where the "SSLv3 read client certificate A" error occurs) they are
pretty much identical. The next messages in the sequence (#53/#41)
are also almost identical (the freeradius reply is identical right down
to the EAP-Message blobs in the response). The message after that
is where things appear to go wrong, in User #54, a ton of EAP data
comes in from the client, the client cert details show up, and
authentication seems to be wrapping up; but in Computer #42 barely
anything appears in the EAP blobs and the process appears to start
cycling over again.

Thanks

-- Mike Olson


tnt at kalik.co.yu wrote:

>machine:     TLS_accept:error in SSLv3 read client certificate A
>user:    (other): SSL negotiation finished successfully
>
>There doesn't seem to be a machine certificate in the certificate store.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>
>Dana 18/1/2008, "Michael Olson" <olson at irinim.net> piše:
>
>
>
>>I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using machine
>>authentication. I set up FreeRADIUS following the guide at
>>http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and I'm using
>>OpenSSL to generate the certificates.
>>
>>I can authenticate using user certificates fine, so I'm pretty sure all the
>>Certificates & CA setup is right on the RADIUS server certificate, User
>>certificate, and the Root Certificate. That leaves the Computer Certificate.
>>
>>I generated the computer certificate to have the common name be the machine
>>name (I've tried it plain and FQDN) and I've put the FQDN in the subjectAltName
>>field as well. It has the same usage extensions as the User certificates.
>>(TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the AuthMode registry key to
>>Computer Only (2), and it tries to authenticate which suggests that the
>>workstation is okay with the certificate.
>>
>>Computer Certificate details: http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>>
>>Other than that I can't think of where to look for a problem. Comparing logs
>>between user and computer authentication I can see where it starts differing
>>but I can't find anything I can interpret as to why. Nothing seems to fail for
>>the computer, it just cycles endlessly.
>>
>>Successful User Authentication Log:
>>   http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
>>
>>Failed Computer Authentication Log:
>>   http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>>
>>I also tossed out the windows tracing logs for both user and computer auth
>>   and anything else that seemed useful in
>>   http://www.cs.odu.edu/~olson/eap/
>>
>>Can anybody give me a pointer on where to look for problems?
>>
>>Thanks
>>
>>-- Mike Olson
>>
>>-
>>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
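An added example, not from this thread, that builds a machine certificate with the attributes Mike describes (CN set to the machine name, the FQDN in subjectAltName, the TLS Client Authentication EKU 1.3.6.1.5.5.7.3.2) using OpenSSL, then checks those attributes on the server side before the certificate is imported into the Local Machine / Personal store. The host name, FQDN and throw-away CA are constructed placeholders; in practice the machine certificate is signed by the same CA as the server certificate.

```shell
#!/bin/sh
# Added example: generate and verify an EAP-TLS machine certificate.
# HOST/FQDN/CA names below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=ws01                  # constructed machine name -> certificate CN
FQDN=ws01.example.test     # constructed FQDN -> subjectAltName DNS entry

# X.509 v3 extensions for the machine certificate:
# clientAuth is OID 1.3.6.1.5.5.7.3.2, the EKU the Windows supplicant looks for
cat > "$WORK/machine.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:$FQDN
EOF

# Throw-away CA for the example (use the real CA that signed the server cert)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Machine key and CSR with CN = machine name, signed with the extensions above
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/machine.key" -out "$WORK/machine.csr" 2>/dev/null
openssl x509 -req -in "$WORK/machine.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/machine.ext" \
    -out "$WORK/machine.crt" 2>/dev/null

# check_machine_cert CERT FQDN: returns 0 when the certificate carries the
# TLS Web Client Authentication EKU and a DNS SAN matching FQDN, else 1.
# Run this against the .crt before exporting it to the workstation.
check_machine_cert() {
    cert_text=$(openssl x509 -in "$1" -noout -text)
    echo "$cert_text" | grep -q 'TLS Web Client Authentication' || return 1
    echo "$cert_text" | grep -q "DNS:$2" || return 1
    return 0
}

check_machine_cert "$WORK/machine.crt" "$FQDN" && echo "machine cert OK"
```

If the check fails on a certificate that Windows nevertheless reports as present in the store, the EKU or SAN is the first thing to compare against a working user certificate.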