XP SP3 and EAP-TLS partly solution (SOLVED)
Alexandros Gougousoudis
gougousoudis-list at servicecenter-khs.de
Thu Jan 29 15:47:17 CET 2009
Hi,
just to give an update on my efforts to make XP SP3 work with EAP-TLS.
Machine based EAP-TLS authentication works fine for WIRED connections,
as I wrote in the last mail. BUT that doesn't mean that it works for
wireless connections. :-) Before SP3 there wasn't a problem with that;
with this alpha version of the service pack, it's not working.
First of all, the things you need to do with the network adapters'
profiles using the netsh command aren't working in XP with wlan
profiles, simply because the netsh command doesn't know "netsh wlan ..."
(you get an error). Vista knows that context, XP SP3 does not. So there is a
Freeware utility zwlancfg here
http://www.engl.co.uk/products/zwlancfg/index.html
Get that and you can export and import the wlan profiles. But setting
the authentication to
<authMode>machine</authMode>
as with wired connections, won't work. You always get a "no certificate
found" error (the cert which is ok for wired connections!) and no
connection.
If the tool zwlancfg is setting up the connection manually, you get an
"illegal authmode" error. So you need to have set up the connection to a
machineOrUser authmode. It seems there is no machine authmode in XP SP3
anymore.
As written by MS here: http://msdn.microsoft.com/en-us/library/ms706279.aspx
"This element is optional. When authMode is not specified in a profile,
a value of machineOrUser is used. Windows XP with SP3 and Wireless
LAN API for Windows XP with SP2: This element will be ignored if it is
present in a profile"
But stop! It's not that easy. :-) Because it's Microsoft, it always
works a little, but never 100%. If no user is logged in (=
login screen), the connection is established (seen in the RADIUS log). If
a user logs in, the connection is dropped and you get a "no cert" error.
If the machine cert is included in the users context, using the
cert-mgr, the connection is again established. So I have to install the
machine cert for each user who logs in to the computer. And,
hey, did I say that machine based EAP-TLS auth via WLAN worked in SP2,
despite the MS information?
It's definitely not a Freeradius problem, but most people will look
here to solve the problem. After a lot of googling I found that I must
be the only one with that combination and those problems.
So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista!
I'll post my solution here as well. If someone would like to give me a hint,
I'll be happy.
cu
Alex
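As an added illustration (not part of Alex's mail or of the FreeRADIUS project), a small check that reads an exported WLAN profile, as zwlancfg produces, pulls out the OneX authMode and applies the MSDN rule quoted above: the element defaults to machineOrUser when absent and is ignored outright on XP SP3. The profile body is a constructed sample; the EAPConfig section, the element and namespace names follow the public WLAN profile schema, and the `xp_sp3` flag is an assumption of this script.

```python
"""Report the OneX authMode of an exported WLAN profile and what XP SP3 will do with it."""
import xml.etree.ElementTree as ET

# Namespaces used by the Windows WLAN profile schema.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample profile (EAPConfig omitted for brevity); mirrors the
# "machine" setting that works on wired but not on wireless under SP3.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wlan</name>
  <SSIDConfig><SSID><name>corp-wlan</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

DEFAULT_AUTH_MODE = "machineOrUser"  # documented default when the element is absent


def get_auth_mode(profile_xml: str) -> str:
    """Return the authMode written in the profile, or the documented default."""
    root = ET.fromstring(profile_xml)
    node = root.find(".//onex:OneX/onex:authMode", NS)
    if node is None or not (node.text or "").strip():
        return DEFAULT_AUTH_MODE
    return node.text.strip()


def effective_auth_mode(profile_xml: str, xp_sp3: bool) -> str:
    """XP SP3 ignores authMode entirely (per the MSDN note), so the effective
    mode there is always the default regardless of what the profile says."""
    if xp_sp3:
        return DEFAULT_AUTH_MODE
    return get_auth_mode(profile_xml)


if __name__ == "__main__":
    print("configured:", get_auth_mode(SAMPLE_PROFILE))
    print("effective on XP SP3:", effective_auth_mode(SAMPLE_PROFILE, xp_sp3=True))
```

Run it against a real exported profile by replacing SAMPLE_PROFILE with the file contents; a "machine" result that becomes "machineOrUser" on SP3 is exactly the mismatch described in the mail.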