mschap configuration problem
Piviul
piviul at riminilug.it
Wed Jul 15 10:27:19 CEST 2020
Ibrahim AKSIT wrote on 14/07/20 at 21:30:
> Hello dear there all,
> Regarding the Windows TLS issue, I have used the tool on the
> https://www.nartac.com/Products/IISCrypto/ site and restarted it. Everything
> worked like a charm.
> Hope this is going to work for you as well.
> Have a great day.
Thank you very much indeed!
IISCrypto says it is compatible with "Windows Server 2008, 2012, 2016 and
2019" but moreover I can even read "IIS Crypto updates the registry
using the same settings from this article[¹] by Microsoft.". The MS
article says that the registry settings found in the article are
compatible with "Microsoft Windows Server 2003, Enterprise Edition
(32-bit x86), Microsoft Windows Server 2003 Standard Edition (32-bit
x86), Microsoft Windows Server 2003 Web Edition, Microsoft Windows XP
Professional, Microsoft Windows XP Home Edition". I can't find win7...
Anyway, I have run it on a win7 client: all settings seem to be checked,
so all protocols seem to be supported up to TLS 1.2 and SSL 3.0.
I have selected the best practices template that disables old protocols,
I have selected all protocols, even old ones, applied and rebooted the
win7 client, but nothing changed; the failure logs are always the same:
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (4) authenticate {
> (4) eap: Expiring EAP session with state 0xbe242a7dbdc83389
> (4) eap: Finished EAP session with state 0xbe242a7dbdc83389
> (4) eap: Previous EAP request found for state 0xbe242a7dbdc83389, released from the list
> (4) eap: Peer sent packet with method EAP PEAP (25)
> (4) eap: Calling submodule eap_peap to process data
> (4) eap_peap: Continuing EAP-TLS
> (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> (4) eap_peap: Got complete TLS record (7 bytes)
> (4) eap_peap: [eaptls verify] = length included
> (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
> (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> (4) eap_peap: TLS_accept: Need to read more data: error
> (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
> (4) eap_peap: In SSL Handshake Phase
> (4) eap_peap: In SSL Accept mode
> (4) eap_peap: SSL Application Data
> (4) eap_peap: ERROR: TLS failed during operation
> (4) eap_peap: ERROR: [eaptls process] = fail
> (4) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
> (4) eap: Sending EAP Failure (code 4) ID 236 length 4
> (4) eap: Failed in EAP select
> (4) [eap] = invalid
> (4) } # authenticate = invalid
I have tried to run IISCrypto on a win10 client but the supported
protocols seem to be the same...
I'm very confused... :?
Piviul
[¹]
https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc
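
Added example, not part of the original message or of FreeRADIUS: a small Python triage of TLS alert lines in debug output like the log quoted above. It reports which side raised each alert (a `recv` line means the server received it from the peer) with a meaning paraphrased from RFC 5246; the function name `triage`, the `MEANING` table and the last sample line are constructed for illustration.

```python
import re

# Matches FreeRADIUS debug lines that report a TLS alert, e.g.
# (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
ALERT_RE = re.compile(
    r"\((?P<request>\d+)\)\s+(?P<module>\w+):\s+(?:<<<|>>>)?\s*(?P<direction>recv|send)\s+"
    r"(?P<record>(?:TLS|SSL) [\d.]+)\s+Alert\s+\[length [0-9a-fA-F]+\],\s+"
    r"(?P<level>fatal|warning)\s+(?P<alert>\w+)"
)

# Meanings paraphrased from the TLS alert descriptions in RFC 5246, section 7.2.2.
# "sender" is the side that sent the alert.
MEANING = {
    "unknown_ca": "sender could not chain the certificate it received to a CA it trusts",
    "bad_certificate": "sender found the certificate it received corrupt or unverifiable",
    "certificate_expired": "sender found the certificate it received expired or not yet valid",
    "protocol_version": "sender does not support the protocol version that was offered",
    "handshake_failure": "sender found no acceptable set of security parameters",
}

def triage(log_text):
    """Return one dict per TLS alert line found in FreeRADIUS debug output."""
    findings = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)  # search() tolerates a leading "> " quote marker
        if not m:
            continue
        f = m.groupdict()
        f["request"] = int(f["request"])
        # "recv" means the RADIUS server received the alert, so the peer raised it.
        f["raised_by"] = "peer" if f["direction"] == "recv" else "server"
        f["meaning"] = MEANING.get(f["alert"], "not in this table")
        findings.append(f)
    return findings

# First three lines are from the log in the post; the last one is constructed for contrast.
SAMPLE = """\
> (4) eap_peap: Got complete TLS record (7 bytes)
> (4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
> (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(9) eap_peap: >>> send TLS 1.2 Alert [length 0002], fatal protocol_version
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"request {f['request']}: {f['level']} {f['alert']} "
              f"raised by {f['raised_by']}: {f['meaning']}")
```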