First, a brief description of my setup. I'm using freeradius (v0.9.1) as backend AAA to secure our wireless network. We're using eap-tls with the certificates, etc. The setup was done per the guides out on the 'net. Works great, but...
I'm having trouble getting freeradius to interoperate with the "authenticate as computer" option in Windows 2000/XP. It works as a user (once logged in), but this creates problems in that our login scripts and other useful things don't run because the network interface isn't up yet. =( A classic chicken-and-egg problem.

When "authenticate as computer" is checked in the Windows authentication tab, Windows tries to do an "Authenticate-Only" service type (see freeradius log capture below). The certificate exchange never gets initiated. After repeated cycles of authentication requests, the client gives up and doesn't connect. Note, I initially thought the funny user-name (host/dtc) was to blame, but I manually entered the same username when logged in and that worked like a charm!

So, my question is: has anyone found a workaround for this and if so can they provide me with some details? I realize the problem is likely with Windows violating some standard, but of course the perception will be a Linux/Freeradius problem by those above me. It will chap my hide to resort to using a Windows/ISA implementation... Any assistance will be greatly appreciated.

Log capture follows. I've only put in the interesting bits for brevity; the pattern repeats about 20 times before it gives up...

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
        User-Name = "host/dtc"
        Cisco-AVPair = "ssid=RCDOgroupwn01"
        NAS-IP-Address = 172.20.162.223
        Called-Station-Id = "000c309426eb"
        Calling-Station-Id = "000dbc7a8f75"
        NAS-Identifier = "DTC-AP1200-NB01"
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0252000d01686f73742f647463
        Message-Authenticator = 0x431996dc5a278e1a2bbec47424a6b6b3
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 82 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 82 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 138 to 172.20.162.223:1183
        EAP-Message = 0x015300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 138 with timestamp 401ff6db
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
        User-Name = "host/dtc"
        Cisco-AVPair = "ssid=RCDOgroupwn01"
        NAS-IP-Address = 172.20.162.223
        Called-Station-Id = "000c309426eb"
        Calling-Station-Id = "000dbc7a8f75"
        NAS-Identifier = "DTC-AP1200-NB01"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message = 0x0254000d01686f73742f647463
        Message-Authenticator = 0x50cb5e7f047adcfd1fc33d9123402245
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 84 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 84 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 139 to 172.20.162.223:1184
        EAP-Message = 0x015500060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbbbcdb8364abbbff307d2a9046748d63f9f61f4067c560bc45bbac039de3866208164730
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 139 with timestamp 401ff6f9
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 172.20.162.223:1186, id=140, length=164
        User-Name = "host/dtc"
        Cisco-AVPair = "ssid=RCDOgroupwn01"
        NAS-IP-Address = 172.20.162.223
        Called-Station-Id = "000c309426eb"
        Calling-Station-Id = "000dbc7a8f75"
        NAS-Identifier = "DTC-AP1200-NB01"
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0257000d01686f73742f647463
        Message-Authenticator = 0xa65e73d758f53af805eb7d0a1c47ba46
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 87 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: list_clean deleted one item
rlm_eap: list_clean deleted one item
rlm_eap: EAP packet type notification id 87 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 140 to 172.20.162.223:1186
        EAP-Message = 0x015800060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 140 with timestamp 401ff7cd
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 172.20.162.223:1187, id=141, length=202
        User-Name = "host/dtc"
        Cisco-AVPair = "ssid=RCDOgroupwn01"
        NAS-IP-Address = 172.20.162.223
        Called-Station-Id = "000c309426eb"
        Calling-Station-Id = "000dbc7a8f75"
        NAS-Identifier = "DTC-AP1200-NB01"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message = 0x0259000d01686f73742f647463
        Message-Authenticator = 0x12e40096ceef66957cb798b9ca626cde
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 89 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 89 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 141 to 172.20.162.223:1187
        EAP-Message = 0x015a00060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2b5908dbb4d23207a4c3ae50849ef880ebf71f40c70bd2230104c11072a9a59ced6736a8
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 141 with timestamp 401ff7eb
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 172.20.162.223:1188, id=142, length=164
        User-Name = "host/dtc"
        Cisco-AVPair = "ssid=RCDOgroupwn01"
        NAS-IP-Address = 172.20.162.223
        Called-Station-Id = "000c309426eb"
        Calling-Station-Id = "000dbc7a8f75"
        NAS-Identifier = "DTC-AP1200-NB01"
        NAS-Port = 38
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = 0x0202000d01686f73742f647463
        Message-Authenticator = 0x11e0cb79817988fdf7ca364f59997be4
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 2 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: list_clean deleted one item
rlm_eap: list_clean deleted one item
rlm_eap: EAP packet type notification id 2 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 142 to 172.20.162.223:1188
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 142 with timestamp 401ff876
Nothing to do. Sleeping until we see a request.

rad_recv: Access-Request packet from host 172.20.162.223:1189, id=143, length=202
        User-Name = "host/dtc"
        Cisco-AVPair = "ssid=RCDOgroupwn01"
        NAS-IP-Address = 172.20.162.223
        Called-Station-Id = "000c309426eb"
        Calling-Station-Id = "000dbc7a8f75"
        NAS-Identifier = "DTC-AP1200-NB01"
        NAS-Port = 38
        Framed-MTU = 1400
        State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
        NAS-Port-Type = Wireless-802.11
        Service-Type = Authenticate-Only
        EAP-Message = 0x0204000d01686f73742f647463
        Message-Authenticator = 0xb9cb3f98bbf671456645759bc7533abf
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 4 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 4 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 143 to 172.20.162.223:1189
        EAP-Message = 0x010500060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3ed631d08bb0b5f9503904318f7713ec94f81f40c195be6b10b2ef32236876fe033abea5
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

Owen L. Wieck
Network Administrator
Ricardo, Inc.

"Those who give up liberty for the sake of security deserve neither liberty nor security." --Ben Franklin
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
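Added example, not code from the post or from the FreeRADIUS project: a Python script that decodes the EAP-Message values in a debug capture like the one above and shows why the certificate exchange never begins. Every client packet is a fresh EAP Identity response (type 1, same "host/dtc") rather than an EAP-TLS response, so the server can only answer with another EAP-TLS Start (type 13, flags 0x20); the LOG excerpt is constructed from the values in the post and the function names are assumptions of this example.

```python
import re
# Constructed excerpt of the debug capture above (attribute values copied from it).
LOG = """\
rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
        Service-Type = Login-User
        EAP-Message = 0x0252000d01686f73742f647463
Sending Access-Challenge of id 138 to 172.20.162.223:1183
        EAP-Message = 0x015300060d20
rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
        Service-Type = Authenticate-Only
        EAP-Message = 0x0254000d01686f73742f647463
Sending Access-Challenge of id 139 to 172.20.162.223:1184
        EAP-Message = 0x015500060d20
"""
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

def decode_eap(hexstr):
    """Decode RFC 3748 header (code, id, length) + type; for EAP-TLS also the Start flag (0x20, RFC 2716)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):  # a length field that disagrees with the data is a malformed packet
        raise ValueError("EAP length field %d != %d bytes" % (length, len(raw)))
    msg = {"code": code, "id": ident, "type": None, "data": raw[4:]}
    if code in (1, 2):  # only Request (1) / Response (2) carry a type byte
        msg["type"], msg["data"] = EAP_TYPES.get(raw[4], raw[4]), raw[5:]
    if msg["type"] == "EAP-TLS":
        msg["tls_start"] = bool(msg["data"][0] & 0x20)
    return msg

def parse_log(text):
    """One record per Access-Request: Service-Type, decoded client EAP, decoded server EAP."""
    records, cur, side = [], None, "client"
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            records.append(cur := {"service_type": None, "client": None, "server": None})
            side = "client"
        elif line.startswith("Sending Access-Challenge"):
            side = "server"
        m = re.match(r"\s*(Service-Type|EAP-Message) = (\S+)", line)
        if m and cur is not None:
            if m.group(1) == "Service-Type":
                cur["service_type"] = m.group(2)
            else:
                cur[side] = decode_eap(m.group(2))
    return records

def handshake_never_starts(records):
    """True when every client packet restarts at Identity and the server only ever sends EAP-TLS Start."""
    return ({r["client"]["type"] for r in records} == {"Identity"}
            and all(r["server"].get("tls_start") for r in records))
```

A healthy EAP-TLS exchange shows a client EAP-Message of type 13 after the first Start; if `handshake_never_starts` stays true across the capture, the supplicant is discarding the server's challenge rather than the server mishandling it.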