Windows 7 answers LAN based EAP-TLS with EAP-NAK and PEAP
PENZ Robert
ROBERT.PENZ at TIROL.GV.AT
Mon Aug 6 16:53:29 CEST 2012
Hi!
I've a problem with 802.1x and EAP-TLS where I'm not quite sure who is responsible for this problem and how to work around it. I hope someone can help me - I couldn't find anything with Google and I just can't believe I'm the first guy with this problem. The setup is following.
- Windows 7 SP1 Client with 802.1x and EAP-TLS configurated
- Extreme Networks 450e Switches --> LAN based 802.1x
- Freeradius 2.1.12-3.el5 on RHEL5 only TLS as EAP type configured/allowed
The problem now is that in 1/3 of the clients boots (done over 40 times with a tap devices running as sniffer) the Windows Client sends an
response: Legacy Nak (Response only) [RFC3748] with the wish for PEAP. After this the freeradius Server sends a reject ([eap] NAK asked for unsupported type PEAP). With the next identity request the Client does an clean EAP-TLs handshake, but the switch already put the client into the reject network.
Here is the communication flow in these cases (Wireshark): Line 5 / Packet 54 is the problem
No. Time Source Destination Protocol Length Info
9 27.371093 switch --> client EAP 60 Request, Identity [RFC3748]
51 43.669530 switch --> client EAP 60 Request, Identity [RFC3748]
52 43.693510 client --> switch EAP 60 Response, Identity [RFC3748]
53 43.699498 switch --> client EAP 60 Request, EAP-TLS [RFC5216] [Aboba]
54 43.700496 client --> switch EAP 60 Response, Legacy Nak (Response only) [RFC3748]
84 44.639980 switch --> client EAP 60 Request, Identity [RFC3748]
85 44.646980 client --> switch EAP 60 Response, Identity [RFC3748]
86 44.652974 switch --> client EAP 60 Request, EAP-TLS [RFC5216] [Aboba]
87 44.758887 client --> switch TLSv1 123 Client Hello
88 44.765875 switch --> client TLSv1 1042 Server Hello, Certificate, Certificate Request, Server Hello Done
89 44.766875 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba]
90 44.772880 switch --> client TLSv1 1042 Server Hello, Certificate, Certificate Request, Server Hello Done
91 44.772892 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba]
92 44.778868 switch --> client TLSv1 1042 Server Hello, Certificate, Certificate Request, Server Hello Done
93 44.779865 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba]
94 44.784859 switch --> client TLSv1 177 Server Hello, Certificate, Certificate Request, Server Hello Done
95 44.787862 client --> switch TLSv1 1510 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
96 44.793854 switch --> client EAP 60 Request, EAP-TLS [RFC5216] [Aboba]
97 44.793861 client --> switch TLSv1 530 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
98 44.807887 switch --> client TLSv1 87 Change Cipher Spec, Encrypted Handshake Message
102 44.818881 client --> switch EAP 60 Response, EAP-TLS [RFC5216] [Aboba]
103 44.855827 switch --> client EAP 60 Success
It seems to be a timing issue .... anyway:
- Windows 7 is configured to EAP-TLS with GPOs
- I've uninstalled anti-virus, behavior detection software
In the 2/3 of the cases it works the Client does not send a NAK, so I believe it is a client problem but it's Windows 7 ... there must be thousands of installs with Windows 7 and 802.1x EAP/TLS. Would it help if freeradius ignores the EAP-NAK packets? Any help appreciated!
Mit freundlichen Grüßen
Robert Penz
--------------------------------------------------------------
Dipl.Inf. Robert Penz
DVT - Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 (0)512 508 3334 / Fax: +43 (0)512 508 3355
E-Mail: robert.penz at tirol.gv.at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120806/1e87dc2c/attachment-0001.html>
More information about the Freeradius-Users
mailing list