EAP-TLS Machine Authentication problems
Michael Olson
olson at irinim.net
Sat Jan 19 02:13:05 CET 2008
I tried upgrading to 2.0.0, very close to a stock default config and I'm
getting the same symptoms, user works, computer doesn't. Makes me even
more suspicious of my certificates. I updated the files listed below to
new logs generated from 2.0.0.
I saw the note in certs/xpextensions to add 1.3.6.1.4.1.311.17.2 to
the PKCS#12 file attribute bag. I hacked up OpenSSL a bit to get that to
work and I posted the output from an openssl pkcs12 dump to
http://www.cs.odu.edu/~olson/eap/computer.p12.txt; unfortunately that
didn't seem to help.
I'm pretty much dead on ideas at this point, besides Ivan Kalik's
suggestion that I look into the $ appended to the machine name. (Which
I'm pursuing next.)
Thanks
-- Mike Olson
Michael Olson wrote:
> I'm attempting to use FreeRADIUS to do EAP-TLS with Windows XP using
> machine authentication. I set up FreeRADIUS following the guide at
> http://wiki.freeradius.org/WPA_HOWTO#Step_2:_Configure_FreeRADIUS and
> I'm using OpenSSL to generate the certificates.
>
> I can authenticate using user certificates fine, so I'm pretty sure
> all the Certificates & CA setup is right on the RADIUS server
> certificate, User certificate, and the Root Certificate. That leaves
> the Computer Certificate.
>
> I generated the computer certificate to have the common name be the
> machine name (I've tried it plain and FQDN) and I've put the FQDN in the
> altSubjectName field as well. It has the same usage extensions as the
> User certificates. (TLS Client Auth: 1.3.6.1.5.5.7.3.2) I set the
> AuthMode registry key to Computer Only (2), and it tries to
> authenticate, which suggests that the workstation is okay with the
> certificate.
>
> Computer Certificate details:
> http://www.cs.odu.edu/~olson/eap/computer.crt.txt
>
> Other than that I can't think of where to look for a problem.
> Comparing logs between user and computer authentication I can see
> where it starts differing, but I can't find anything I can interpret
> as to why. Nothing seems to fail for the computer, it just cycles
> endlessly.
>
> Successful User Authentication Log:
> http://www.cs.odu.edu/~olson/eap/eap-tls_user_auth.log
>
> Failed Computer Authentication Log:
> http://www.cs.odu.edu/~olson/eap/eap-tls_computer_auth.log
>
> I also tossed out the windows tracing logs for both user and computer
> auth and anything else that seemed useful in
> http://www.cs.odu.edu/~olson/eap/
>
> Can anybody give me a pointer on where to look for problems?
>
> Thanks
>
> -- Mike Olson
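An added example (not code from the thread or from FreeRADIUS) that builds a machine certificate with the properties discussed above, the machine name as CN, the FQDN as a DNS subjectAltName and the clientAuth EKU, exports it to PKCS#12 with OpenSSL's `-LMK` option, which newer OpenSSL releases provide to add the 1.3.6.1.4.1.311.17.2 attribute the post patched OpenSSL for, and then checks both files. The host names, CA name and password are constructed, and `openssl` is assumed to be on the path.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): build a machine cert with
# the properties the post describes and check them. ws01, ws01.example.com,
# "Demo CA" and the password "demo" are constructed values.
# Write a throw-away CA, machine key/CSR, signed cert and PKCS#12 into dir $1 (name $2, FQDN $3).
make_machine_bundle() {
    dir=$1; host=$2; fqdn=$3
    cat > "$dir/machine_ext.cnf" <<EOF
[ machine_ext ]
# same usage extension as the user certs: id-kp-clientAuth
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
# FQDN as a DNS subjectAltName; the plain machine name stays in the CN
subjectAltName = DNS:$fqdn
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/machine.key" -out "$dir/machine.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/machine.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/machine_ext.cnf" \
        -extensions machine_ext -out "$dir/machine.crt" 2>/dev/null
    # -LMK adds 1.3.6.1.4.1.311.17.2 (szOID_LOCAL_MACHINE_KEYSET) to the key
    # bag's attributes, the change the post had to patch OpenSSL for
    openssl pkcs12 -export -LMK -inkey "$dir/machine.key" -in "$dir/machine.crt" \
        -certfile "$dir/ca.crt" -passout pass:demo -out "$dir/machine.p12"
}

# Exit 0 only if cert $1 carries the clientAuth EKU and a DNS SAN equal to $2.
check_machine_cert() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$txt" | grep -q "TLS Web Client Authentication" &&
        echo "$txt" | grep -q "DNS:$2"
}

# Exit 0 only if the key bag in PKCS#12 $1 has the local-machine-keyset attribute (name or raw OID).
check_lmk() {
    openssl pkcs12 -in "$1" -info -nodes -passin pass:demo 2>/dev/null |
        grep -qiE "local key set|1\.3\.6\.1\.4\.1\.311\.17\.2"
}

# Stand-alone run: build a bundle in a temp dir and report both checks.
demo() {
    dir=$(mktemp -d)
    make_machine_bundle "$dir" ws01 ws01.example.com
    check_machine_cert "$dir/machine.crt" ws01.example.com && echo "cert: EKU and SAN ok"
    check_lmk "$dir/machine.p12" && echo "p12: local machine keyset attribute ok"
    rm -rf "$dir"
}
demo
```

The two check functions can be pointed at a real machine.crt and machine.p12 before the bundle is imported on the workstation, so a missing SAN, EKU or key-set attribute is caught before looking at the RADIUS logs.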