PEAP with Machine auth
Bonald
bonald at gmail.com
Wed Oct 26 17:54:46 CEST 2011
If you are using the default config then your eap.conf must have
default_eap_type = md5
Try with peap.
On Wed, Oct 26, 2011 at 12:14 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 26/10/11 14:58, Phil Mayers wrote:
>>
>> On 26/10/11 14:47, Sergio NNX wrote:
>>>
>>> This kind of Q&A thing helps no one here! Many people are reporting the
>>> same issue on different platforms! I don't think the problem is either
>>> with the client or the certificates since I conducted some testing using
>>> the same client and the same certificates but an old FR version (1.1.7)
>>> and the tests pass. It's easier to blame something else but we could
>>> spend that time contributing to the solution and so helping others!
>>
>> In earnest: What exactly would you like us to do? Be specific. Bear in
>> mind that no-one is paid to offer help here.
>>
>> If you can reproduce the problem reliably, then do so. Carefully
>> document the configs that work under 1.1.7, and fail under 2.1.12,
>> including the client configuration. Give that information to the list,
>> and I'm sure if people are interested, they will take a look.
>>
>> If no-one is interested, you should start investigating the problem
>> yourself - FreeRADIUS is open source. If you lack the skills locally,
>> hire a contractor.
>>
>> I will try to find some time today to test machine auth.
>>
>
> Sorry, this is long.
>
> tl;dr version - under Windows 7, if you import the CA certificate into the
> "Trusted Root Certification Authorities" hierarchy in the MMC "Certificates"
> snap-in, Windows 7 user- and machine-auth work just fine against an
> out-of-the-box FreeRADIUS 2.1.12 with only two minor changes.
>
> It works for me.
>
> ===
>
>
> I have just tested machine auth on a Windows 7 client. Everything works as I
> expected. Using an out-of-the-box FreeRADIUS 2.1.12 install and default
> configs, I made two changes:
>
> 1. Edit "modules/mschap" to enable the "ntlm_auth" helper like so:
>
> ntlm_auth = "... --username=%{mschap:User-Name} ..."
>
> 2. Edit "clients.conf" to add an entry for the switch
>
> I then started FreeRADIUS, and it auto-generated the certificates. I then
> tried a sequence of things on the Windows client.
>
> First - open the "services" MMC snap-in, and start (and set to auto-start)
> the "Wired autoconfig" service
>
> Second - open the network adapter list, right-click on the wired adapter,
> and enable authentication using the default settings (PEAP, MSCHAP inner)
> except that I unchecked "use my windows domain login / password"
>
> I then enabled 802.1x on the port facing the machine.
>
> == 1st auth ==
>
> Failed. Client did the TLS negotiation, and returned the following error to
> FreeRADIUS:
>
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
>
> This is expected; we haven't yet imported the client cert into the
> certificate store.
>
> == 2nd auth ==
>
> Copy the "ca.cer" file onto the client, double-click on it, follow the
> prompts using the defaults. This didn't work - the client did not import the
> cert, despite appearing to, so auth again failed.
>
> == 3rd auth ==
>
> Open "mmc", add the "Certificates" snap-in for "My user account". In the
> snap-in, expand the "Trusted Root Certification Authorities" folder, and
> right click on the "Certificates" child - select "All Tasks", "Import...".
> Browse to the cert & import it. You will be prompted saying "Windows cannot
> verify ..." - click OK.
>
> You should now see the example cert in the list.
>
> Re-start the 802.1x auth (unplug/reconnect).
>
> You will be prompted for a username/password, as before - this time, auth
> will succeed.
>
> == 4th auth ==
>
> Return to the network adapter settings. Right-click, select properties. Go
> to the Authentication tab, select "Additional settings", and tick the
> "Specify authentication mode" box, and select "Computer authentication" from
> the drop-down.
>
> The machine will re-authenticate and, as expected, fail with a bad CA alert:
>
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> == 5th auth ==
>
> Return to the "mmc" window; add the "Certificates" snap-in for the computer
> account. Again, expand "Trusted Root Certification Authorities" and
> right-click on "Certificates" and select "All tasks", "Import..". Browse to
> the "ca.cer" and import it.
>
> Re-start authentication. Authentication will work.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
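The client-side steps Phil describes above (start the "Wired AutoConfig" service, then import the FreeRADIUS CA into the Trusted Root store of the user account and, separately, of the computer account) can be scripted instead of clicked through the MMC. The block below is an added example written for this page; it is not code from the thread or from the FreeRADIUS project. It assumes the auto-generated `ca.cer` has been copied to `C:\temp\ca.cer` (the path is an assumption) and that it runs from an elevated PowerShell prompt on the Windows 7 client. It uses `certutil.exe`, which ships with Windows 7, rather than the `Import-Certificate` cmdlet, which does not. The "Specify authentication mode" / "Computer authentication" setting from the 4th auth is still set in the adapter's Authentication tab as described; this script does not touch it.

```powershell
# Added example (not from the original thread): automate the Windows 7 client
# side of Phil Mayers' machine-auth test. Assumed path: C:\temp\ca.cer.
# Run from an elevated PowerShell prompt.
$CaCert = 'C:\temp\ca.cer'

# Step 1 of the post: 802.1X on Ethernet needs the "Wired AutoConfig" service
# (service name dot3svc) running and set to start automatically.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# Steps 3 and 5 of the post: import the CA into "Trusted Root Certification
# Authorities". In the thread, user auth started working after the import into
# the *user* account's store, and machine auth only after the import into the
# *computer* account's store. certutil writes to the computer store by default
# and to the current user's store with -user, so do both.
& certutil.exe -addstore -f Root $CaCert | Out-Null          # Cert:\LocalMachine\Root
& certutil.exe -user -addstore -f Root $CaCert | Out-Null    # Cert:\CurrentUser\Root

# Verify the import actually landed (the 2nd auth in the post shows that the
# double-click wizard can *appear* to import and silently do nothing): compare
# the file's thumbprint against the certificates now present in each store.
$Imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCert
foreach ($Store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $Found = Get-ChildItem $Store | Where-Object { $_.Thumbprint -eq $Imported.Thumbprint }
    if ($Found) {
        "OK   $Store contains '$($Imported.Subject)' ($($Imported.Thumbprint))"
    } else {
        "FAIL $Store is missing '$($Imported.Subject)'"
    }
}
```

Checking by thumbprint rather than by subject name is deliberate: the FreeRADIUS example CA uses a generic subject, and a stale cert with the same name from an earlier install would otherwise look like a successful import while the supplicant still sends `unknown_ca`.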