XP SP3 and EAP-TLS partial solution

Alexandros Gougousoudis gougousoudis-list at servicecenter-khs.de
Thu Jan 22 15:24:50 CET 2009


Hi,

I'm still having some problems using EAP-TLS with SP3 on XP, though I 
have a partial solution after excessive googling. I will provide it 
here, because I think a lot of people must have the same problems, and if 
they're using Freeradius, they will probably look here.

I found that you can't use a registry patch anymore to enable 
machine-based authentication. You need to use XML files to make a 
profile and load it within XP. MS explained that very well in:

http://support.microsoft.com/?scid=kb%3Ben-us%3B929847&x=16&y=10

You need to do it that way, regardless of whether you have a wired or WLAN setup.

So I was very excited, but it's still not working. My radiusd -X -A 
shows exactly nothing; if XP reboots, there is no ongoing conversation 
or error. So I enabled debug logging in XP and found some 
interesting lines. I thought, because radius isn't writing anything to 
the screen, that XP isn't sending anything that was wrong.

OneXModule.LOG says (only quoting lines with "error"):

[1516] 01-22 14:19:31:093: Port(2): 802.1X authentication failed with reason = "Empfang eines expliziten Eap-Fehlers" and error code = 0x40420110
...
[1516] 01-22 14:19:31:109: (MarshallEapError:1392) Allocated memory 000E1E00, size = 432
...
[1512] 01-22 14:19:31:109: (FreeEapError:1302) Freed memory 000CA730
[1512] 01-22 14:19:31:109: (FreeEapError:1303) Freed memory 000CCFC0
[1512] 01-22 14:19:31:109: (FreeEapError:1304) Freed memory 000CAC60
...
[1904] 01-22 14:19:49:250: Port(3): Received a failure indication from the local Eap dll with error code 0x40420110 and reason code 0x40420110
[1904] 01-22 14:19:49:250: Port(3): Eap error info contains winError=0x40420110, reasonCode=0x40420110, EapMethod(Type=0), rootCauseString=Fehler bei der Authentifizierung, weil ein Problem mit dem Benutzerkonto besteht.
[1904] 01-22 14:19:49:250: (DuplicateEapError:1320) Allocated memory 000C6290, size = 80


The rootCauseString means: "Error with authentication, because there 
is a problem with the user account". The error code is unknown to Google.

EAPOL.LOG says:

[1148] 14:18:17:781: ElRegistryUpdateXPBeta2: Error in RegOpenKeyEx for base key, 2
[1148] 14:18:17:828: ElUpdateRegistry: ElRegistryUpdateXPBeta2 failed with error 2
[1148] 14:18:17:828: QEC Init succeeded with dwRetCode = 0
[1148] 14:18:17:828: ElMediaInit: Entered
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszSupplicantMode, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheMode, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheTTL, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPMKCacheSize, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for PreauthMode, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for PreauthTimeout, 2, InfoSize=4
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in RegQueryValueEx for cwszPreauthThrottle, 2, InfoSize=4
...
[1148] 14:18:17:921: ElGetWinStationUserToken: GetWinStationUserToken failed for SessionId (0) with error (1702)
[1148] 14:18:17:921: ElGetWinStationUserToken: GetCurrentUserTokenW failed with error (1245)
...

So what's the problem? Is there some kind of registry hassle? I took a 
new PC with a new XP Pro (incl. SP3) installed. There are no old 
leftovers. So EAP looks very buggy and beta. The certs are OK, they work 
with XP SP2, so why doesn't SP3 want it?

I'm now using Freeradius 1.1.6 (I had 1.1.0) and made no changes to my 
setup or config files, since XP SP2, Win2000 and Linux authenticate 
without problems. Do I have to change something in Freeradius to make it 
work, besides upgrading the version?

Is anyone around here doing EAP-TLS with XP SP3 machines?

Please give a hint. I'd love to owe you a beer. :-)

TIA
 Alex
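
Added example, not part of the original post: a Python triage script for the two XP trace files quoted above. It rejoins mail-wrapped lines, extracts winError, reasonCode and rootCauseString from OneXModule.LOG records, and names the plain Win32 codes found in EAPOL.LOG records. The function names and the Win32 name table (names as in winerror.h) are assumptions added here.

```python
import re

# Constructed sample: records copied from the two logs quoted in the post,
# still wrapped the way the mail client wrapped them.
SAMPLE = """\
[1904] 01-22 14:19:49:250: Port(3): Eap error info contains
winError=0x40420110, reasonCode=0x40420110, EapMethod(Type=0),
rootCauseString=Fehler bei der Authentifizierung, weil ein Problem mit
dem Benutzerkonto besteht.
...
[1148] 14:18:17:828: ElReadGlobalRegistryParams: Error in
RegQueryValueEx for cwszPMKCacheMode, 2, InfoSize=4
[1148] 14:18:17:828: QEC Init succeeded with dwRetCode = 0
[1148] 14:18:17:921: ElGetWinStationUserToken: GetCurrentUserTokenW
failed with error (1245)
"""

# Win32 error names from winerror.h (table added for this example).
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 1245: "ERROR_NOT_LOGGED_ON",
         1702: "RPC_S_INVALID_BINDING"}

# A record starts with "[thread] [MM-DD ]hh:mm:ss:ms: "; anything else continues it.
START = re.compile(r"^\[(\d+)\] (?:\d\d-\d\d )?\d\d:\d\d:\d\d:\d{3}: ")
EAP = re.compile(r"winError=(0x[0-9A-Fa-f]+), reasonCode=(0x[0-9A-Fa-f]+),.*?rootCauseString=(.*)")
CODE = re.compile(r"with error \(?(\d+)\)?|, (\d+)(?:,|$)")

def records(text):
    """Rejoin wrapped lines into one string per log record."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if START.match(line):
            out.append(line)
        elif out and line and line != "...":
            out[-1] += " " + line
    return out

def triage(text):
    """Return (thread, kind, detail) for every record that carries an error."""
    found = []
    for rec in records(text):
        start = START.match(rec)
        tid, msg = int(start.group(1)), rec[start.end():]
        if (m := EAP.search(msg)):
            found.append((tid, "eap", {"winError": m.group(1),
                          "reasonCode": m.group(2), "rootCause": m.group(3)}))
        elif (m := CODE.search(msg)):
            code = int(m.group(1) or m.group(2))
            found.append((tid, "win32", (code, WIN32.get(code, "unknown"))))
    return found
```

Calling triage() on the full text of either log returns one tuple per error record. The 0x40420110 value is passed through unchanged because the table covers only the plain Win32 codes.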



