Windows 8.1 Wi-Fi client handshake failure
Martin Rowe
martin.p.rowe at gmail.com
Mon Oct 6 20:28:14 CEST 2014
Hello,
I'm having trouble getting a Windows 8.1 laptop to connect to my Wi-Fi
which is using only EAP-TLS managed by FreeRADIUS. Before you ask, yes
I have included serverAuth/clientAuth in the certificates and the
configuration is tested to work with Linux and Android clients, so I
don't think there is a problem on the server side. That is as far as
Google has been able to help me, so I'm hoping someone here has had
the same problem and might know a solution.
The specific issue as far as I can troubleshoot is that the client and
server can't agree on a shared TLS cipher. I'm seeing these lines in
my logs every time I attempt a connection:
Info: [tls] TLS_accept: before/accept initialization
Info: [tls] <<< TLS 1.0 Handshake [length 0067], ClientHello
Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
Error: TLS Alert write:fatal:handshake failure
Error: TLS_accept: error in SSLv3 read client hello C
Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>From [1] it looks like the SSL errors mean:
lib(20) = ERR_LIB_SSL
func(138) = SSL_F_SSL3_GET_CLIENT_HELLO
reason(193) = SSL_R_NO_SHARED_CIPHER
[1] http://comments.gmane.org/gmane.comp.encryption.openssl.user/9654
But that is as far as I can get. I've tried disabling every option I
can in the configs and many variations on the Windows side, but they
all stop at the same point. There is no limit I have set on which TLS
ciphers can be used (cipher_list in eap{tls{}} is not used, and gave
the same error when set to DEFAULT).
My only other guess is there is something wrong with the certificates,
but I'm not sure what might be wrong. I have copied both my root and
my radius intermediate CA certificates onto the Windows client along
with the client certificate and key. They are installed and the chain
is valid according to the Windows Credential Manager. The server
ca.pem has both the root and intermediate certificates concatenated
together and that works fine with my other clients. So all I can think
of is that Windows is being extra picky about something. Below is the
sanitized text certificate for the server and client in the hope that
the error is obvious to someone else:
openssl x509 -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
*
Signature Algorithm: ecdsa-with-SHA512
Issuer: O=CA, OU=radius
Validity
Not Before: Oct 6 17:01:03 2014 GMT
Not After : Oct 6 17:01:03 2015 GMT
Subject: O=CA, OU=radius, CN=my.server.fqdn
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
*
ASN1 OID: secp521r1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
*
X509v3 Authority Key Identifier:
keyid:*
DirName:/O=CA/OU=root
serial:*
X509v3 CRL Distribution Points:
Full Name:
URI:http://my.crl.fqdn/radius.crl
Authority Information Access:
CA Issuers - URI:http://my.crl.fqdn/radius.pem
OCSP - URI:http://my.ocsp.fqdn
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Issuer Alternative Name:
<EMPTY>
X509v3 Subject Alternative Name:
DNS:my.server.fqdn
Signature Algorithm: ecdsa-with-SHA512
*
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
openssl x509 -text -in client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
*
Signature Algorithm: ecdsa-with-SHA512
Issuer: O=CA, OU=radius
Validity
Not Before: Oct 1 21:49:00 2014 GMT
Not After : Oct 1 21:49:00 2015 GMT
Subject: O=CA, OU=radius, CN=username
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
*
ASN1 OID: secp521r1
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
*
X509v3 Authority Key Identifier:
keyid:*
DirName:/O=CA/OU=root
serial:*
X509v3 CRL Distribution Points:
Full Name:
URI:http://my.crl.fqdn/radius.crl
Authority Information Access:
CA Issuers - URI:http://my.crl.fqdn/radius.pem
OCSP - URI:http://my.ocsp.fqdn
X509v3 Key Usage:
Digital Signature
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Issuer Alternative Name:
<EMPTY>
Signature Algorithm: ecdsa-with-SHA512
*
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
And my logs for good measure
radiusd -XX
Info: radiusd: FreeRADIUS Version 2.2.5, for host
mips-openwrt-linux-gnu, built on Sep 28 2014 at 19:17:25
Debug: Server was built with:
Debug: accounting
Debug: authentication
Debug: WITH_DHCP
Debug: WITH_VMPS
Debug: Server core libs:
Debug: ssl: OpenSSL 1.0.1i 6 Aug 2014
Info: Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info: PARTICULAR PURPOSE.
Info: You may redistribute copies of FreeRADIUS under the terms of the
Info: GNU General Public License.
Info: For more information about these matters, see the file named COPYRIGHT.
Info: Starting - reading configuration files ...
Debug: including configuration file /etc/freeradius2/radiusd.conf
Debug: including configuration file /etc/freeradius2/clients.conf
Debug: including configuration file /etc/freeradius2/eap.conf
Debug: including files in directory /etc/freeradius2/sites/
Debug: including configuration file /etc/freeradius2/sites/default
Debug: main {
Debug: allow_core_dumps = no
Debug: }
Debug: including dictionary file /etc/freeradius2/dictionary
Debug: main {
Debug: name = "radiusd"
Debug: prefix = "/usr"
Debug: localstatedir = "/var"
Debug: sbindir = "/usr/sbin"
Debug: logdir = "/var/log"
Debug: run_dir = "/var/run"
Debug: libdir = "/usr/lib/freeradius2"
Debug: radacctdir = "/var/db/radacct"
Debug: hostname_lookups = no
Debug: max_request_time = 30
Debug: cleanup_delay = 5
Debug: max_requests = 2048
Debug: pidfile = "/var/run/radiusd.pid"
Debug: checkrad = "/usr/sbin/checkrad"
Debug: debug_level = 0
Debug: proxy_requests = yes
Debug: log {
Debug: stripped_names = no
Debug: auth = no
Debug: auth_badpass = no
Debug: auth_goodpass = no
Debug: }
Debug: }
Debug: radiusd: #### Loading Realms and Home Servers ####
Debug: radiusd: #### Loading Clients ####
Debug: client localhost {
Debug: ipaddr = 127.0.0.1
Debug: require_message_authenticator = yes
Debug: secret = "*removed1*"
Debug: nastype = "other"
Debug: }
Debug: radiusd: #### Instantiating modules ####
Debug: radiusd: #### Loading Virtual Servers ####
Debug: server { # from file ?4?wXj
Debug: modules {
Debug: Module: Checking authenticate {...} for more modules to load
Debug: (Loaded rlm_eap, checking if it's valid)
Debug: Module: Linked to module rlm_eap
Debug: Module: Instantiating module "eap" from file /etc/freeradius2/eap.conf
Debug: eap {
Debug: default_eap_type = "tls"
Debug: timer_expire = 60
Debug: ignore_unknown_eap_types = no
Debug: cisco_accounting_username_bug = no
Debug: max_sessions = 2048
Debug: }
Debug: Module: Linked to sub-module rlm_eap_tls
Debug: Module: Instantiating eap-tls
Debug: tls {
Debug: rsa_key_exchange = no
Debug: dh_key_exchange = yes
Debug: rsa_key_length = 512
Debug: dh_key_length = 512
Debug: verify_depth = 0
Debug: pem_file_type = yes
Debug: private_key_file = "/etc/freeradius2/certs/server.key"
Debug: certificate_file = "/etc/freeradius2/certs/server.crt"
Debug: CA_file = "/etc/freeradius2/certs/ca.pem"
Debug: dh_file = "/etc/freeradius2/certs/dh"
Debug: fragment_size = 1024
Debug: include_length = yes
Debug: check_crl = no
Debug: ecdh_curve = "prime256v1"
Debug: }
Debug: Module: Checking authorize {...} for more modules to load
Debug: } # modules
Debug: } # server
Debug: radiusd: #### Opening IP addresses and Ports ####
Debug: listen {
Debug: type = "auth"
Debug: ipaddr = 127.0.0.1
Debug: port = 0
Debug: }
Debug: Listening on authentication address 127.0.0.1 port 1812
Debug: Listening on proxy address * port 1104
Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 51343, id=22,
length=205
User-Name = "*removed2*"
Called-Station-Id = "*removed3*"
NAS-Port-Type = Wireless-802.11
NAS-Port = 2
Calling-Station-Id = "*removed4*"
Connect-Info = "CONNECT 54Mbps 802.11a"
Acct-Session-Id = "542D9EF5-0000004F"
Framed-MTU = 1400
EAP-Message = 0x024700110162726f6e7468696e6b706164
Message-Authenticator = 0x7e8c00ff349e844a25b649a660222938
Info: # Executing section authorize from file /etc/freeradius2/sites/default
Info: +group authorize {
Info: [eap] EAP packet type response id 71 length 17
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] = updated
Info: +} # group authorize = updated
Info: Found Auth-Type = EAP
Info: # Executing group from file /etc/freeradius2/sites/default
Info: +group authenticate {
Info: [eap] EAP Identity
Info: [eap] processing type tls
Info: [tls] Requiring client certificate
Info: [tls] Initiate
Info: [tls] Start returned 1
Info: ++[eap] = handled
Info: +} # group authenticate = handled
Sending Access-Challenge of id 22 to 127.0.0.1 port 51343
EAP-Message = 0x014800060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xafea1117afa21cb71a84ea873cb44d4b
Info: Finished request 0.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 51343, id=23,
length=324
User-Name = "*removed2*"
Called-Station-Id = "*removed3*"
NAS-Port-Type = Wireless-802.11
NAS-Port = 2
Calling-Station-Id = "*removed4*"
Connect-Info = "CONNECT 54Mbps 802.11a"
Acct-Session-Id = "542D9EF5-0000004F"
Framed-MTU = 1400
EAP-Message = 0x024800760d800000006c16030100670100006303015432d337768f888dfe17dc33835f35dd997aa21e12f03cacec5381488ea003f3000018c014c0130035002fc00ac00900380032000a00130005000401000022ff01000100000500050100000000000a0006000400170018000b0002010000230000
State = 0xafea1117afa21cb71a84ea873cb44d4b
Message-Authenticator = 0xa8307e6d117840db9b85cd0c44938b91
Info: # Executing section authorize from file /etc/freeradius2/sites/default
Info: +group authorize {
Info: [eap] EAP packet type response id 72 length 118
Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Info: ++[eap] = updated
Info: +} # group authorize = updated
Info: Found Auth-Type = EAP
Info: # Executing group from file /etc/freeradius2/sites/default
Info: +group authenticate {
Info: [eap] Request found, released from the list
Info: [eap] EAP/tls
Info: [eap] processing type tls
Info: [tls] Authenticate
Info: [tls] processing EAP-TLS
Debug: TLS Length 108
Info: [tls] Length Included
Info: [tls] eaptls_verify returned 11
Info: [tls] (other): before/accept initialization
Info: [tls] TLS_accept: before/accept initialization
Info: [tls] <<< TLS 1.0 Handshake [length 0067], ClientHello
Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
Error: TLS Alert write:fatal:handshake failure
Error: TLS_accept: error in SSLv3 read client hello C
Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Debug: TLS receive handshake failed during operation
Info: [tls] eaptls_process returned 4
Info: [eap] Handler failed in EAP/tls
Info: [eap] Failed in EAP select
Info: ++[eap] = invalid
Info: +} # group authenticate = invalid
Info: Failed to authenticate the user.
Sending Access-Reject of id 23 to 127.0.0.1 port 51343
EAP-Message = 0x04480004
Message-Authenticator = 0x00000000000000000000000000000000
Info: Finished request 1.
Debug: Going to the next request
Debug: Waking up in 4.9 seconds.
Info: Cleaning up request 0 ID 22 with timestamp +40
Info: Cleaning up request 1 ID 23 with timestamp +40
Info: Ready to process requests.
More information about the Freeradius-Users
mailing list