PEAP with Machine auth
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 26 17:14:29 CEST 2011
On 26/10/11 14:58, Phil Mayers wrote:
> On 26/10/11 14:47, Sergio NNX wrote:
>> This kind of Q&A thing helps no one here! Many people are reporting the
>> same issue on different platforms! I don't think the problem is either
>> with the client or the certificates since I conducted some testing using
>> the same client and the same certificates but an old FR version (1.1.7)
>> and the tests pass. It's easier to blame something else but we could
>> spend that time contributing to the solution and so helping others!
>
> In earnest: What exactly would you like us to do? Be specific. Bear in
> mind that no-one is paid to offer help here.
>
> If you can reproduce the problem reliably, then do so. Carefully
> document the configs that work under 1.1.7, and fail under 2.1.12,
> including the client configuration. Give that information to the list,
> and I'm sure if people are interested, they will take a look.
>
> If no-one is interested, you should start investigating the problem
> yourself - FreeRADIUS is open source. If you lack the skills locally,
> hire a contractor.
>
> I will try to find some time today to test machine auth.
>
Sorry, this is long.
tl;dr version - under Windows 7, if you import the CA certificate into
the "Trusted Root Certification Authorities" hierarchy in the MMC
"Certificates" snap-in, Windows 7 user- and machine-auth work just fine
against an out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.
It works for me.
===
I have just tested machine auth on a Windows 7 client. Everything works
as I expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and
default configs, I made two changes:
1. Edit "modules/mschap" to enable the "ntlm_auth" helper like so:
ntlm_auth = "... --username=%{mschap:User-Name} ..."
2. Edit "clients.conf" to add an entry for the switch
I then started FreeRADIUS, and it auto-generated the certificates. I
then tried a sequence of things on the Windows client.
First - open the "services" MMC snap-in, and start (and set to
auto-start) the "Wired autoconfig" service
Second - open the network adapter list, right-click on the wired
adapter, and enable authentication using the default settings (PEAP,
MSCHAP inner) except that I unchecked "use my windows domain login /
password"
I then enabled 802.1x on the port facing the machine.
== 1st auth ==
Failed. Client did the TLS negotiation, and returned the following error
to FreeRADIUS:
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
This is expected; we haven't yet imported the client cert into the
certificate store.
== 2nd auth ==
Copy the "ca.cer" file onto the client, double-click on it, follow the
prompts using the defaults. This didn't work - the client did not import
the cert, despite appearing to, so auth again failed.
== 3rd auth ==
Open "mmc", add the "Certificates" snap-in for "My user account". In the
snap-in, expand the "Trusted Root Certification Authorities" folder, and
right click on the "Certificates" child - select "All Tasks",
"Import...". Browse to the cert & import it. You will be prompted saying
"Windows cannot verify ..." - click OK.
You should now see the example cert in the list.
Re-start the 802.1x auth (unplug/reconnect).
You will be prompted for a username/password, as before - this time,
auth will succeed.
== 4th auth ==
Return to the network adapter settings. Right-click, select properties.
Go to the Authentication tab, select "Additional settings", and tick the
"Specify authentication mode" box, and select "Computer authentication"
from the drop-down.
The machine will re-authenticate and, as expected, fail with a bad CA alert:
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
== 5th auth ==
Return to the "mmc" window; add the "Certificates" snap-in for the
computer account. Again, expand "Trusted Root Certification Authorities"
and right-click on "Certificates" and select "All Tasks", "Import...".
Browse to the "ca.cer" and import it.
Re-start authentication. Authentication will work.
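The Windows 7 client side of the procedure above (start Wired AutoConfig, get the FreeRADIUS-generated ca.cer into the trusted-root store that each authentication mode actually consults, then confirm where it landed), scripted as an added example. This is not part of Phil's message and not FreeRADIUS or Microsoft tooling; it assumes ca.cer has been copied to C:\Temp\ca.cer (a path chosen for this example) and that it is run from an elevated PowerShell on the client. certutil is used for the import because the Import-Certificate cmdlet is not available on Windows 7. The point it makes explicit is the one the 3rd and 5th auths in the post show: user authentication validates the server chain against CurrentUser\Root, "Computer authentication" validates against LocalMachine\Root, and a CA that is present in only one of them produces the fatal unknown_ca alert for the other mode.

```powershell
# Added example (not from the original post). Assumed input path: C:\Temp\ca.cer.
param([string]$CaCer = 'C:\Temp\ca.cer')

# 1. Wired AutoConfig (service name dot3svc) must be running, or the wired
#    adapter has no Authentication tab and no 802.1X supplicant at all.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# 2. Load the CA cert so it can be located by thumbprint afterwards.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCer)
"CA subject: $($ca.Subject)"
"CA thumbprint: $($ca.Thumbprint)"

# 3. Import into BOTH trusted-root stores.
#    -user  -> CurrentUser\Root   (consulted for user authentication, the password prompt)
#    (none) -> LocalMachine\Root  (consulted for "Computer authentication")
#    -f overwrites an existing copy, so re-running the script is harmless.
& certutil.exe -user -addstore -f Root $CaCer | Out-Null
& certutil.exe -addstore -f Root $CaCer | Out-Null

# 4. Verify: enumerate every store under both locations and report the ones that
#    hold this thumbprint. This also shows where a double-clicked ca.cer ended up
#    when the wizard put it somewhere other than Root.
function Find-CertStores {
    param([string]$Thumbprint)
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        foreach ($store in Get-ChildItem "Cert:\$loc" -ErrorAction SilentlyContinue) {
            $hit = Get-ChildItem $store.PSPath -ErrorAction SilentlyContinue |
                   Where-Object { $_.Thumbprint -eq $Thumbprint }
            if ($hit) { "$loc\$($store.PSChildName)" }
        }
    }
}

$where = @(Find-CertStores -Thumbprint $ca.Thumbprint)
"CA present in: $($where -join ', ')"

# 5. Each 802.1X mode needs its own store; warn about the one that will still
#    fail with "TLS Alert read:fatal:unknown CA" on the FreeRADIUS side.
foreach ($need in 'CurrentUser\Root', 'LocalMachine\Root') {
    if ($where -notcontains $need) {
        Write-Warning "CA is NOT in $need; the matching auth mode will fail with unknown_ca"
    }
}

# 6. Show the supplicant's view of the wired interface (State should read
#    Authenticated once the port is re-plugged and the EAP exchange succeeds).
& netsh.exe lan show interfaces
```

Re-plug the cable (or bounce the switch port) after running it, exactly as in the post; the supplicant only re-authenticates when the link comes up or the profile changes. If the warning fires for LocalMachine\Root, the "Computer authentication" drop-down setting will keep failing with the unknown_ca alert until that store is populated, regardless of what the user store contains.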