EAP-TLS and Windows 10 fails for wireless

Lucile Quirion lucile.quirion at savoirfairelinux.com
Thu Jun 9 23:30:52 CEST 2016


Hello everyone, 

I'm setting up a RADIUS server, and I've run into some trouble authenticating a Windows 10 laptop via wireless. I got no reply to the 5th "Access-Challenge".

I'm running freeradius-server 3.0.11 with customized demo certificates:
I've integrated the certificate configuration changes from the 3.1.x branch, and also created an unencrypted key (.p12) for my Windows client.

I've installed the root CA certificate (.der) and the client key (.p12) into the User's certificate store on the Windows client. 

During my troubleshooting, I've searched for other error reports for EAP-TLS & Windows:
* TLS version compatibility 
-> I've forced Windows to use TLS 1.2 (by adding the TlsVersion DWORD registry value) (unnecessary, but done).
* 802.11 version compatibility 
-> I've tried both 802.11a+g mode and 802.11b+g+n mode on the access point. I've also noted that the Windows 10 laptop can connect when wireless encryption is disabled. 
* server certificate requirements 
-> Windows successfully authenticates in PEAP mode with the dummy "bob" user when "Verify server certificate" is checked in EAP-TLS parameters 
* root CA certificate requirements 
* user certificate requirement 
* user key requirement (no encryption) 
-> Windows successfully authenticates in EAP-TLS mode on the wired connection.
So all certificates are correctly installed, and Windows can use the client's cert/key to authenticate. 

I've tried to get some debugging info with the command: 
netsh wlan set tra yes 
netsh ras set tr * en 
<connection attempt> 
netsh ras set tr * dis 
netsh wlan set tra no 

However, I got a handful of files; which ones are relevant? The only advice I got from them is to check TLS and 802.11 compatibility.

Could someone kindly advise me on the next step?

Has anyone run into a similar problem?

Following is the failing connection log from freeradius-server: 

# radiusd -X 
[...] 
Server core libs: 
freeradius-server : 3.0.11 
talloc : 2.0.* 
ssl : 1.0.1j release 
pcre : 8.11 2010-12-10 
[...] tls { 
tls = "tls-common" 
} 
tls-config tls-common { 
verify_depth = 0 
ca_path = "/etc/freeradius2/certs" 
pem_file_type = yes 
private_key_file = "/etc/freeradius2/certs/server.key" 
certificate_file = "/etc/freeradius2/certs/server.pem" 
ca_file = "/etc/freeradius2/certs/ca.pem" 
private_key_password = <<< secret >>> 
dh_file = "/etc/freeradius2/certs/dh" 
fragment_size = 1024 
include_length = yes 
auto_chain = yes 
check_crl = no 
check_all_crl = no 
cipher_list = "DEFAULT" 
cache { 
enable = yes 
lifetime = 24 
max_entries = 255 
} 
verify { 
skip_if_ocsp_ok = no 
} 
ocsp { 
enable = no 
override_cert_url = yes 
url = "http://127.0.0.1/ocsp/" 
use_nonce = yes 
timeout = 0 
softfail = no 
} 
} 
[...] 
(33) Received Access-Request Id 42 from 10.1.1.2:32962 to 10.255.255.251:1812 length 163 
(33) User-Name = "eloi" 
(33) Called-Station-Id = "06-F0-21-11-27-D1:acksys" 
(33) NAS-Port-Type = Wireless-802.11 
(33) NAS-Port = 1 
(33) Calling-Station-Id = "24-77-03-1F-B6-78" 
(33) Connect-Info = "CONNECT 54Mbps 802.11a" 
(33) Acct-Session-Id = "5415B2E9-00000003" 
(33) Framed-MTU = 1400 
[...] 
(33) eap: Peer sent packet with method EAP Identity (1) 
(33) eap: Calling submodule eap_tls to process data 
(33) eap_tls: Initiating new EAP-TLS session 
(33) eap_tls: Setting verify mode to require certificate from client 
(33) eap_tls: [eaptls start] = request 
(33) eap: Sending EAP Request (code 1) ID 151 length 6 
(33) eap: EAP session adding &reply:State = 0xe01d52c2e08a5f27 
[...] 
(34) Received Access-Request Id 43 from 10.1.1.2:32962 to 10.255.255.251:1812 length 350 
[...] 
(34) eap: Peer sent EAP Response (code 2) ID 151 length 178 
[...] 
(34) eap: Peer sent packet with method EAP TLS (13) 
(34) eap: Calling submodule eap_tls to process data 
(34) eap_tls: Continuing EAP-TLS 
(34) eap_tls: Peer indicated complete TLS record size will be 168 bytes 
(34) eap_tls: Got complete TLS record (168 bytes) 
(34) eap_tls: [eaptls verify] = length included 
(34) eap_tls: (other): before/accept initialization 
(34) eap_tls: TLS_accept: before/accept initialization 
(34) eap_tls: <<< recv TLS 1.2 [length 00a3] 
(34) eap_tls: TLS_accept: SSLv3 read client hello A 
(34) eap_tls: >>> send TLS 1.2 [length 0051] 
(34) eap_tls: TLS_accept: SSLv3 write server hello A 
(34) eap_tls: >>> send TLS 1.2 [length 08d9] 
(34) eap_tls: TLS_accept: SSLv3 write certificate A 
(34) eap_tls: >>> send TLS 1.2 [length 030f] 
(34) eap_tls: TLS_accept: SSLv3 write key exchange A 
(34) eap_tls: >>> send TLS 1.2 [length 00ba] 
(34) eap_tls: TLS_accept: SSLv3 write certificate request A 
(34) eap_tls: TLS_accept: SSLv3 flush data 
(34) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A 
(34) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A 
(34) eap_tls: In SSL Handshake Phase 
(34) eap_tls: In SSL Accept mode 
(34) eap_tls: [eaptls process] = handled 
(34) eap: Sending EAP Request (code 1) ID 152 length 1014 
(34) eap: EAP session adding &reply:State = 0xe01d52c2e1855f27 
[...] 
(34) Sent Access-Challenge Id 43 from 10.255.255.251:1812 to 10.1.1.2:32962 length 0 
[...] 
(35) Received Access-Request Id 44 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
[...] 
(36) Received Access-Request Id 45 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 
[...] 
(37) Received Access-Request Id 46 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178 
[...]
(38) Received Access-Request Id 0 from 10.1.1.2:41720 to 10.255.255.251:1812 length 163 
[...]
(39) Received Access-Request Id 1 from 10.1.1.2:41720 to 10.255.255.251:1812 length 350 
[...]
(39) eap: Expiring EAP session with state 0xe01d52c2e4865f27 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
!! EAP session with state 0xe01d52c2e4865f27 did not finish! !! 
!! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !! 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

-- 
Lucile Quirion

Consultante en logiciels libres
Savoir-faire Linux
Tel: + 1 (514) 276 5468, ext. 312
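Added example, not part of the original message: a small parser for radiusd -X output that groups Access-Requests by NAS source port (a new port is the supplicant starting over), records the last TLS_accept state the server was waiting in, and flags a conversation where the peer keeps answering the same EAP Request with identically sized packets while the server never sends the next one, which is the pattern visible above (requests 35 to 37, all of length 178, after EAP Request ID 152). The log excerpt is constructed from the lines quoted in the post; the last EAP Request length is reported so it can be compared with fragment_size and Framed-MTU.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the radiusd -X output quoted in the post
# (the "[...]" elisions are dropped, the remaining lines are as shown there).
SAMPLE_LOG = """\
(33) Received Access-Request Id 42 from 10.1.1.2:32962 to 10.255.255.251:1812 length 163
(33) eap: Sending EAP Request (code 1) ID 151 length 6
(34) Received Access-Request Id 43 from 10.1.1.2:32962 to 10.255.255.251:1812 length 350
(34) eap_tls: TLS_accept: SSLv3 write certificate request A
(34) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(34) eap: Sending EAP Request (code 1) ID 152 length 1014
(35) Received Access-Request Id 44 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
(36) Received Access-Request Id 45 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
(37) Received Access-Request Id 46 from 10.1.1.2:32962 to 10.255.255.251:1812 length 178
(38) Received Access-Request Id 0 from 10.1.1.2:41720 to 10.255.255.251:1812 length 163
"""
REQ_RE = re.compile(r"^\(\d+\) Received Access-Request Id \d+ from (\S+) to \S+ length (\d+)$")
EAP_RE = re.compile(r"^\(\d+\) eap: Sending EAP Request \(code 1\) ID (\d+) length (\d+)$")
TLS_RE = re.compile(r"^\(\d+\) eap_tls: TLS_accept: (?:Need to read more data: )?(.+)$")

@dataclass
class Session:
    src: str                  # NAS address:port; a new port means the supplicant started over
    last_tls: str = "none"    # last TLS_accept state OpenSSL reported for this conversation
    last_eap_id: int = -1     # ID of the last EAP Request the server sent
    last_eap_len: int = 0     # its length, for comparison with fragment_size / Framed-MTU
    replies_after_last_eap: list = field(default_factory=list)  # lengths of requests since then

    def stalled(self):
        # The peer answered the same EAP Request repeatedly with identically sized
        # packets and the server never issued the next one: stuck at last_tls.
        r = self.replies_after_last_eap
        return len(r) >= 2 and len(set(r)) == 1

def analyse(log):
    """Return one Session per NAS source port, keyed in order of first appearance."""
    sessions, cur = {}, None
    for line in log.splitlines():
        if m := REQ_RE.match(line):
            cur = sessions.setdefault(m.group(1), Session(m.group(1)))
            if cur.last_eap_id >= 0:
                cur.replies_after_last_eap.append(int(m.group(2)))
        elif cur and (m := EAP_RE.match(line)):
            cur.last_eap_id, cur.last_eap_len = int(m.group(1)), int(m.group(2))
            cur.replies_after_last_eap = []   # a new request means the handshake advanced
        elif cur and (m := TLS_RE.match(line)):
            cur.last_tls = m.group(1)
    return sessions
```

Feed it the full radiusd -X capture instead of SAMPLE_LOG to get one summary per conversation; a stalled session whose last_eap_len is close to fragment_size or Framed-MTU is worth comparing against a working wired capture.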

