Hi,

just to give an update on my efforts to make XP SP3 work with EAP-TLS.

Machine-based EAP-TLS authentication works fine for WIRED connections, as I wrote in the last mail. BUT that doesn't mean that it works for wireless connections. :-) Before SP3 there wasn't a problem with that; with this alpha version of the service pack, it's not working.

First of all, the things you need to do with the network adapters' profiles using the netsh command aren't working in XP with wlan profiles, simply because the netsh command doesn't know "netsh wlan ..." (you get an error). Vista knows that context, XP SP3 does not. So there is a freeware utility, zwlancfg, here: http://www.engl.co.uk/products/zwlancfg/index.html

Get that and you can export and import the wlan profiles. But setting the authentication to

<authMode>machine</authMode>

as with wired connections, won't work. You always get a "no certificate found" error (the cert which is ok for wired connections!) and no connection. If the tool zwlancfg is setting up the connection manually, you get an "illegal authmode" error. So you need to have set up the connection with a machineOrUser authmode. It seems there is no machine authmode in XP SP3 anymore.

As written by MS here: http://msdn.microsoft.com/en-us/library/ms706279.aspx

"This element is optional. When authMode is not specified in a profile, a value of machineOrUser is used. Windows XP with SP3 and Wireless LAN API for Windows XP with SP2: This element will be ignored if it is present in a profile"

But stop! It's not that easy. :-) Because it's Microsoft, it always works a little, but never 100%. If no user is logged in (= login screen), the connection is established (seen in the RADIUS log). If a user logs in, the connection is dropped and you get a "no cert" error. If the machine cert is included in the user's context, using the cert-mgr, the connection is established again. So I have to install the machine cert for each user who will log in to the computer. And, hey, did I say that machine-based EAP-TLS auth via WLAN worked in SP2, despite the MS information?


It's definitely not a FreeRADIUS problem, but most people will look here to solve the problem. After a lot of googling I found that I must be the only one with that combination and problems.

So SP3 haters, unite! :-) And stay with SP2. And no, I won't buy Vista!

I'll post my solution here as well. If someone would like to give me a hint, I'll be happy.

cu
Alex




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
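
The authMode behaviour described in the message above can be checked on exported profiles before rollout. The following is an added example, not part of the original post and not code from FreeRADIUS or zwlancfg; the sample profile is constructed, the function name is hypothetical, and it assumes the export uses the Microsoft WLAN profile / OneX XML namespaces and that an ignored `authMode` element behaves like a missing one.

```python
import xml.etree.ElementTree as ET

# Assumed namespace of the 802.1X (OneX) part of a Windows WLAN profile.
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
VALID_MODES = {"machineOrUser", "machine", "user", "guest"}
DEFAULT_MODE = "machineOrUser"  # default named in the MSDN text quoted above

# Constructed sample profile (not taken from the post).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>example-wlan</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def audit_auth_mode(profile_xml, client_ignores_auth_mode):
    """Return (configured, effective, warnings) for one exported profile.

    client_ignores_auth_mode is True for the clients the MSDN note lists
    (XP SP3, Wireless LAN API for XP SP2). Assumption: an ignored element
    behaves like a missing one, so the default mode applies.
    """
    root = ET.fromstring(profile_xml)
    node = root.find(".//{%s}authMode" % ONEX_NS)
    configured = node.text.strip() if node is not None and node.text else None
    warnings = []
    if configured is not None and configured not in VALID_MODES:
        warnings.append("unknown authMode %r" % configured)
    if configured is None or client_ignores_auth_mode:
        effective = DEFAULT_MODE
    else:
        effective = configured
    if configured is not None and configured != effective:
        warnings.append(
            "authMode %r is ignored on this client; effective mode is %r, "
            "so a user logon can trigger user-context authentication"
            % (configured, effective))
    return configured, effective, warnings


if __name__ == "__main__":
    for ignores in (False, True):
        print(ignores, audit_auth_mode(SAMPLE_PROFILE, ignores))
```

A warning for a profile that requests `machine` on such a client means the machine certificate alone will not cover sessions after a user logs on, which matches the "no cert" error reported above.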
