First, a brief description of my setup. I'm using freeradius (v0.9.1) as backend AAA
to secure our wireless network. We're using eap-tls with the certificates, etc. The
setup was done per the guides out on the 'net. Works great, but...
I'm having trouble getting freeradius to interoperate with the "authenticate as
computer" option in Windows 2000/XP. It works as a user (once logged in), but this
creates problems in that our login scripts and other useful things don't run because
the network interface isn't up yet. =( A classic chicken-and-egg problem. When
"authenticate as computer" is checked in the Windows authentication tab, Windows tries
to do an "Authenticate-Only" service type (see freeradius log capture below). The
certificate exchange never gets initiated. After repeated cycles of authentication
requests, the client gives up and doesn't connect. Note, I initially thought the
funny user-name (host/dtc) was to blame, but I manually entered the same username when
logged in and that worked like a charm!
So, my question is: has anyone found a workaround for this, and if so, can they provide
me with some details? I realize the problem is likely with Windows violating some
standard, but of course the perception will be a Linux/Freeradius problem by those
above me. It will chap my hide to resort to using a Windows/ISA implementation... Any
assistance will be greatly appreciated.
Log capture follows. I've only put in the interesting bits for brevity; the pattern
repeats about 20 times before it gives up...
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
User-Name = "host/dtc"
Cisco-AVPair = "ssid=RCDOgroupwn01"
NAS-IP-Address = 172.20.162.223
Called-Station-Id = "000c309426eb"
Calling-Station-Id = "000dbc7a8f75"
NAS-Identifier = "DTC-AP1200-NB01"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0252000d01686f73742f647463
Message-Authenticator = 0x431996dc5a278e1a2bbec47424a6b6b3
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 82 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 82 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 138 to 172.20.162.223:1183
EAP-Message = 0x015300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 138 with timestamp 401ff6db
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
User-Name = "host/dtc"
Cisco-AVPair = "ssid=RCDOgroupwn01"
NAS-IP-Address = 172.20.162.223
Called-Station-Id = "000c309426eb"
Calling-Station-Id = "000dbc7a8f75"
NAS-Identifier = "DTC-AP1200-NB01"
NAS-Port = 38
Framed-MTU = 1400
State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
NAS-Port-Type = Wireless-802.11
Service-Type = Authenticate-Only
EAP-Message = 0x0254000d01686f73742f647463
Message-Authenticator = 0x50cb5e7f047adcfd1fc33d9123402245
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 84 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 84 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 139 to 172.20.162.223:1184
EAP-Message = 0x015500060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbbbcdb8364abbbff307d2a9046748d63f9f61f4067c560bc45bbac039de3866208164730
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 139 with timestamp 401ff6f9
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.20.162.223:1186, id=140, length=164
User-Name = "host/dtc"
Cisco-AVPair = "ssid=RCDOgroupwn01"
NAS-IP-Address = 172.20.162.223
Called-Station-Id = "000c309426eb"
Calling-Station-Id = "000dbc7a8f75"
NAS-Identifier = "DTC-AP1200-NB01"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0257000d01686f73742f647463
Message-Authenticator = 0xa65e73d758f53af805eb7d0a1c47ba46
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 87 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: list_clean deleted one item
rlm_eap: list_clean deleted one item
rlm_eap: EAP packet type notification id 87 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 140 to 172.20.162.223:1186
EAP-Message = 0x015800060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 140 with timestamp 401ff7cd
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.20.162.223:1187, id=141, length=202
User-Name = "host/dtc"
Cisco-AVPair = "ssid=RCDOgroupwn01"
NAS-IP-Address = 172.20.162.223
Called-Station-Id = "000c309426eb"
Calling-Station-Id = "000dbc7a8f75"
NAS-Identifier = "DTC-AP1200-NB01"
NAS-Port = 38
Framed-MTU = 1400
State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
NAS-Port-Type = Wireless-802.11
Service-Type = Authenticate-Only
EAP-Message = 0x0259000d01686f73742f647463
Message-Authenticator = 0x12e40096ceef66957cb798b9ca626cde
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 89 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 89 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 141 to 172.20.162.223:1187
EAP-Message = 0x015a00060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2b5908dbb4d23207a4c3ae50849ef880ebf71f40c70bd2230104c11072a9a59ced6736a8
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 141 with timestamp 401ff7eb
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.20.162.223:1188, id=142, length=164
User-Name = "host/dtc"
Cisco-AVPair = "ssid=RCDOgroupwn01"
NAS-IP-Address = 172.20.162.223
Called-Station-Id = "000c309426eb"
Calling-Station-Id = "000dbc7a8f75"
NAS-Identifier = "DTC-AP1200-NB01"
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x0202000d01686f73742f647463
Message-Authenticator = 0x11e0cb79817988fdf7ca364f59997be4
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 2 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: list_clean deleted one item
rlm_eap: list_clean deleted one item
rlm_eap: EAP packet type notification id 2 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 142 to 172.20.162.223:1188
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 142 with timestamp 401ff876
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.20.162.223:1189, id=143, length=202
User-Name = "host/dtc"
Cisco-AVPair = "ssid=RCDOgroupwn01"
NAS-IP-Address = 172.20.162.223
Called-Station-Id = "000c309426eb"
Calling-Station-Id = "000dbc7a8f75"
NAS-Identifier = "DTC-AP1200-NB01"
NAS-Port = 38
Framed-MTU = 1400
State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
NAS-Port-Type = Wireless-802.11
Service-Type = Authenticate-Only
EAP-Message = 0x0204000d01686f73742f647463
Message-Authenticator = 0xb9cb3f98bbf671456645759bc7533abf
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 4 length 13
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 66
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 4 length 13
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
Sending Access-Challenge of id 143 to 172.20.162.223:1189
EAP-Message = 0x010500060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3ed631d08bb0b5f9503904318f7713ec94f81f40c195be6b10b2ef32236876fe033abea5
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
Owen L. Wieck
Network Administrator
Ricardo, Inc.
"Those who give up liberty for the sake of security deserve neither liberty nor
security."
--Ben Franklin
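Added example (not part of the original post): a small Python decoder for the EAP-Message values quoted in the log above. Run over the first two rounds, it shows that each round is an EAP-Response/Identity from the client followed by an EAP-Request/EAP-TLS from the server with only the Start flag set and no TLS data, and that the client's next packet carries a new Identifier rather than the one the Start used, so under RFC 3748 it is a fresh Identity, not a reply to the Start; the TLS handshake never gets going. EAP codes, types and the EAP-TLS flag bits follow RFC 3748 and RFC 2716; SAMPLE_LOG is a constructed excerpt of the values in the capture.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def decode_eap(hexstr):
    """Parse one EAP packet from the 0x... string the debug log prints."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                  # Request/Response carry a Type byte
        etype = data[4]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        payload = data[5:]
        if etype == 1:                  # Identity: the name the supplicant sent
            pkt["identity"] = payload.decode("utf-8", "replace")
        elif etype == 13:               # EAP-TLS: flags byte, then TLS data
            flags = payload[0]
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20)}
            # With L set, a 4-byte total TLS length precedes the TLS records.
            pkt["tls_data_len"] = len(payload) - 1 - (4 if flags & 0x80 else 0)
    return pkt

def eap_messages(log_text):
    """Decode every EAP-Message attribute in a debug log, in order."""
    hexes = re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", log_text)
    return [decode_eap(h) for h in hexes]

def handshake_progressed(packets):
    """True once any EAP-TLS packet carries TLS record bytes (past the Start)."""
    return any(p.get("type") == "EAP-TLS" and p["tls_data_len"] > 0 for p in packets)

def answers(request, response):
    """RFC 3748: a Response replies to a Request only if the Identifiers match."""
    return (request["code"] == "Request" and response["code"] == "Response"
            and request["id"] == response["id"])

# Constructed excerpt: the EAP-Message values quoted in the first two rounds above.
SAMPLE_LOG = """
EAP-Message = 0x0252000d01686f73742f647463
EAP-Message = 0x015300060d20
EAP-Message = 0x0254000d01686f73742f647463
EAP-Message = 0x015500060d20
"""
```

Feeding the full capture to eap_messages() and checking handshake_progressed() is a quick way to confirm, from the packets alone, that no TLS ClientHello was ever sent.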