last hurdle...windows clients

Craig White craigwhite at azapple.com
Sat Nov 22 03:39:30 CET 2008


freeradius-1.1.3-1.2.el5

I am authenticating Windows RRAS connections, Macintosh wifi, iPhone
wifi all with LDAP and mschapv2 (using sambaNTPassword hashes in
OpenLDAP)

My users basically consists of...
DEFAULT         Auth-Type = LDAP

eap.conf
default_eap_type = mschapv2
and of course my certificates and LDAP setup which works for all the
above authentications.

My problem is Windows XP laptops (updated to SP3) and I have generated
certificates for them.

I have loaded both the CA and p12 certificates on a Windows client, set
for WPA, TKIP, PEAP but it never asks me for a user name and password
and thus always tries to authenticate as anonymous (log below)...even if
I check the box to 'Automatically use my Windows name and password' - it
still comes in as 'anonymous'

Is there something else I need to add so that Windows also uses
name/password or do I have something else in Auth-Type to just allow
those with the certificates? How do I do this?

I don't understand the message about unknown_ca in the log below either
because I am acting as my own CA and this same cacert.pem seems to be
happy on the Windows system I imported it on and I've been using it for
a bunch of other daemons.

Craig

rad_recv: Access-Request packet from host 192.168.1.251:2050, id=112,
length=172
        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.251
        NAS-Port = 0
        Called-Station-Id = "00-21-29-E3-D1-8A"
        Calling-Station-Id = "00-04-23-62-BD-3D"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0288001119800000000715030100020230
        State = 0xce80cf1b72bd9479de376550dc6d9052
        Message-Authenticator = 0x90183570c2ef1940d04e9e5dc579a1bd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 59
  modcall[authorize]: module "preprocess" returns ok for request 59
  modcall[authorize]: module "chap" returns noop for request 59
  modcall[authorize]: module "mschap" returns noop for request 59
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 59 
  rlm_eap: EAP packet type response id 136 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 59
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 59
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous 
radius_xlat:  '(uid=anonymous)'
radius_xlat:  'ou=People,ou=Accounts,o=MyOrg'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=People,ou=Accounts,o=MyOrg, with
filter (uid=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0 
  modcall[authorize]: module "ldap" returns notfound for request 59
modcall: leaving group authorize (returns updated) for request 59
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 59 
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA 
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
In SSL Handshake Phase 
In SSL Accept mode 
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure 
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 59
modcall: leaving group authenticate (returns reject) for request 59
auth: Failed to validate the user.
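
The log above mixes two separate things: the LDAP lookup of the outer identity "anonymous" in authorize, which cannot succeed because the real user name only travels inside the PEAP tunnel, and the fatal unknown_ca alert, which the server read from the client, meaning the Windows supplicant rejected the RADIUS server's certificate. As an added example (not from Craig's post or from FreeRADIUS), the following Python script reads radiusd debug output in this format and separates those two findings; the sample log is a constructed excerpt of the lines in the post.

```python
import re

# Added example (not from the post or FreeRADIUS): classify radiusd debug lines.
ALERT_RE = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+?)\s*$")
USER_NAME_RE = re.compile(r'User-Name = "([^"]*)"')
LDAP_NOTFOUND_RE = re.compile(r'module "ldap" returns notfound')

# Standard TLS alert descriptions (RFC 2246) most often seen in EAP handshakes.
ALERT_MEANING = {
    "unknown_ca": "peer does not trust the CA that issued the certificate it was shown",
    "bad_certificate": "peer could not parse or validate the certificate it was shown",
    "certificate_expired": "certificate shown to the peer is outside its validity period",
}

def normalise(desc):
    """OpenSSL prints 'unknown CA'; the TLS spelling is 'unknown_ca'."""
    return desc.strip().lower().replace(" ", "_")

def diagnose_peap_log(text):
    """Return outer identity, LDAP result and TLS alerts found in the log."""
    result = {"outer_identity": None, "ldap_notfound": False, "alerts": [], "summary": []}
    for line in text.splitlines():
        m = USER_NAME_RE.search(line)
        if m:
            result["outer_identity"] = m.group(1)
        if LDAP_NOTFOUND_RE.search(line):
            result["ldap_notfound"] = True
        m = ALERT_RE.search(line)
        if m:
            direction, level, desc = m.groups()
            # "read" = the server read the alert off the wire, so the client sent it
            sender = "client" if direction == "read" else "server"
            result["alerts"].append((sender, level, normalise(desc)))
    if result["ldap_notfound"] and result["outer_identity"]:
        result["summary"].append(
            f"authorize looked up outer identity '{result['outer_identity']}' in LDAP "
            "and found nothing; before the tunnel is up this is the only name the server sees")
    for sender, level, desc in result["alerts"]:
        if level == "fatal":
            meaning = ALERT_MEANING.get(desc, "see the TLS alert registry")
            result["summary"].append(f"{sender} aborted the handshake with {desc}: {meaning}")
    return result

# Constructed excerpt of the log in the post above.
SAMPLE_LOG = """\
        User-Name = "anonymous"
  modcall[authorize]: module "ldap" returns notfound for request 59
TLS Alert read:fatal:unknown CA
  modcall[authenticate]: module "eap" returns reject for request 59
"""
```

Running `diagnose_peap_log(SAMPLE_LOG)["summary"]` on this excerpt points at the client-side certificate trust problem rather than at the LDAP lookup.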