windows 7 eap-tls authentication

Matthew Newton mcn4 at leicester.ac.uk
Wed Apr 4 16:28:21 CEST 2012


Hi

On Wed, Apr 04, 2012 at 01:47:54PM +0200, Christian Bösch wrote:
> the certs have the special Windows OIDs, but I still get the error from below.

The OIDs are only one reason for that error, but it is a very
common reason for this issue. The basic problem is that, for some
reason, Windows gave up and just didn't reply to the EAP-TLS
start.

If in doubt, use the default FR config, get it to generate the
certs (which will be done properly) and install and test with
that. Then you should know that the FR/cert side is 100% ok, and
it must be your Windows settings. Then tweak from there.

> On the website http://wiki.freeradius.org/Certificate_Compatibility there is only WinXP mentioned.
> Is there maybe any difference with Windows 7? Has anyone done this, or a hint what's going wrong?

EAP-TLS definitely works with Windows 7. Check it's set for
'computer' authentication, and the certificates are all installed
in the right places, including any intermediate certs (although
you're not getting as far as that, it seems).

Also make sure you have just one client cert in the computer
account personal cert store - more than one can confuse things, as
it probably won't pick the one you want.

Make sure you've set the connection to 'certificate', rather than
'PEAP'. FR is correctly sending EAP type 0d (eap-tls) back, and
I'm not sure what Windows does if it's incorrectly expecting to do
peap here.

Generally, though, it just works. Unfortunately I've not yet found
any way to get decent debugging info out of Windows, such as you
can get from things like wpa-supplicant.

Matthew


> ---
> rad_recv: Access-Request packet from host 172.16.64.240 port 1645, id=133, length=153
> 	User-Name = "host/cb-nb"
> 	Service-Type = Framed-User
> 	Framed-MTU = 1500
> 	Called-Station-Id = "00-12-01-1B-2A-40"
> 	Calling-Station-Id = "00-24-7E-6B-E4-BE"
> 	EAP-Message = 0x0202000f01686f73742f63622d6e62

eap response/identity

> 	Message-Authenticator = 0xdfa853b693abac5cede3b893dac561ba
> 	NAS-Port-Type = Ethernet
> 	NAS-Port = 50217
> 	NAS-Port-Id = "FastEthernet2/17"
> 	NAS-IP-Address = 172.16.64.240
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> [eap] EAP packet type response id 2 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Requiring client certificate
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 133 to 172.16.64.240 port 1645
> 	EAP-Message = 0x010300060d20

eap request, type=eap-tls, start.

> 	Message-Authenticator = 0x00000000000000000000000000000000
> 	State = 0xebeac82aebe9c52b6c542d897c25837b
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 133 with timestamp +15
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0xebeac82aebe9c52b did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

windows never responds.

> Ready to process requests.
> ---





-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
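As an added example (not part of Matthew's mail, and not FreeRADIUS code), here is a small Python decoder for the EAP-Message values that radiusd -X prints, run over the two packets quoted above. It shows the fields behind the two annotations: the Response/Identity carrying host/cb-nb, and the EAP-TLS Request with only the Start (S) flag set, plus what the next packet from the supplicant should look like if Windows did answer. Field layout follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS); the function names and the dict layout are my own.

```python
# EAP-Message decoder for the FreeRADIUS debug output quoted above.
# Added example, not part of the original mail or of FreeRADIUS.
# Layout: RFC 3748 section 4 (EAP header), RFC 5216 section 3.1 (EAP-TLS).

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# EAP-TLS flags byte, first byte after the Type field.
TLS_FLAG_LENGTH_INCLUDED = 0x80  # L: 4-byte total TLS message length follows
TLS_FLAG_MORE_FRAGMENTS = 0x40   # M: more fragments to come
TLS_FLAG_START = 0x20            # S: server's "EAP-TLS start" request

# The two packets from the debug output above (values taken from the log).
IDENTITY_RESPONSE = "0x0202000f01686f73742f63622d6e62"
TLS_START_REQUEST = "0x010300060d20"


def decode_eap(hexstr):
    """Decode an EAP-Message attribute value given as the 0x... hex string
    that radiusd -X prints. Returns a dict, or raises ValueError if the
    packet is malformed (bad length field, missing type or flags)."""
    if hexstr.startswith(("0x", "0X")):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(data))
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("length field %d != packet size %d" % (length, len(data)))
    out = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length}
    if code in (3, 4):
        return out  # Success/Failure carry no Type or data
    if len(data) < 5:
        raise ValueError("Request/Response without a Type byte")
    typ = data[4]
    out["type"] = typ
    out["type_name"] = EAP_TYPES.get(typ, "Unknown(%d)" % typ)
    payload = data[5:]
    if typ == 1:
        out["identity"] = payload.decode("utf-8", "replace")
    elif typ == 13:
        if not payload:
            raise ValueError("EAP-TLS packet without a flags byte")
        flags = payload[0]
        out["flags"] = {"L": bool(flags & TLS_FLAG_LENGTH_INCLUDED),
                        "M": bool(flags & TLS_FLAG_MORE_FRAGMENTS),
                        "S": bool(flags & TLS_FLAG_START)}
        body = payload[1:]
        if flags & TLS_FLAG_LENGTH_INCLUDED:
            if len(body) < 4:
                raise ValueError("L flag set but no TLS message length present")
            out["tls_total_length"] = int.from_bytes(body[:4], "big")
            body = body[4:]
        out["tls_data"] = body  # raw TLS record bytes (empty for a Start)
    return out


def summarize(hexstr):
    """One-line summary in the style of the annotations in the mail."""
    p = decode_eap(hexstr)
    s = "EAP %s id=%d len=%d" % (p["code"], p["id"], p["length"])
    if "type_name" in p:
        s += " type=%d (%s)" % (p["type"], p["type_name"])
    if "identity" in p:
        s += ' identity="%s"' % p["identity"]
    if "flags" in p:
        flags_set = "".join(k for k in "LMS" if p["flags"][k])
        s += " flags=%s" % (flags_set or "-")
    return s


def expected_reply(hexstr):
    """Describe the packet the supplicant must send back to a Request:
    a Response with the same Identifier and the same Type. For the EAP-TLS
    Start above that means id=3, type 13, carrying the TLS ClientHello;
    its absence is exactly the 'did not finish' warning in the log."""
    p = decode_eap(hexstr)
    if p["code"] != "Request":
        return None
    return {"code": "Response", "id": p["id"], "type": p.get("type")}


if __name__ == "__main__":
    for pkt in (IDENTITY_RESPONSE, TLS_START_REQUEST):
        print(summarize(pkt))
    print("next packet expected from supplicant:", expected_reply(TLS_START_REQUEST))
```

Feed it the EAP-Message hex from any radiusd -X trace; a Start request that is never answered by a Response with the same id and type 13 is the same symptom Christian is seeing, and the decoder at least confirms the server side sent what it should.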

