Take a look in your Certificates MMC for the Local Computer account.  If
you don't have a certificate in the "personal" section, what you're
trying to do won't work.  In other words, the machine itself has to have
a certificate as well if you want the wireless interface to come up
before you actually login to the machine.  Also, you have to make sure
that the root CA cert is in the Trusted Root CA section for the computer
account.  Otherwise, the 802.1x client will be unable to verify the
authenticity of the network and will refuse to connect.

--Mike


On Tue, 2004-02-03 at 14:41, Wieck, Owen wrote:
> First, a brief description of my setup.  I'm using freeradius (v0.9.1) as backend 
> AAA to secure our wireless network.  We're using eap-tls with the certificates, etc. 
>  The setup was done per the guides out on the 'net.  Works great, but...
> 
> I'm having trouble getting freeradius to interoperate with the "authenticate as 
> computer" option in Windows 2000/XP.  It works as a user (once logged in), but this 
> creates problems in that our login scripts and other useful things don't run because 
> the network interface isn't up yet.  =(  A classic chicken-and-egg problem.  When 
> "authenticate as computer" is checked in the windows authentication tab, Windows 
> tries to do an "Authenticate-only" service type (see freeradius log capture below).  
> The certificate exchange never gets initiated.  After repeated cycles of authentication 
> requests, the client gives up and doesn't connect.  Note, I initially thought the 
> funny user-name (host/dtc) was to blame but I manually entered the same username 
> when logged in and that worked like a charm!
> 
> So, my question is has anyone found a workaround for this and if so can they provide 
> me with some details?  I realize the problem is likely with Windows violating some 
> standard, but of course the perception will be a Linux/Freeradius problem by those 
> above me.  It will chap my hide to resort to using a Windows/ISA implementation...  Any 
> assistance will be greatly appreciated.
> 
> Log capture follows.  I've only put in the interesting bits for brevity, the pattern 
> repeats about 20 times before it gives up...
> 
> Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
>       User-Name = "host/dtc"
>       Cisco-AVPair = "ssid=RCDOgroupwn01"
>       NAS-IP-Address = 172.20.162.223
>       Called-Station-Id = "000c309426eb"
>       Calling-Station-Id = "000dbc7a8f75"
>       NAS-Identifier = "DTC-AP1200-NB01"
>       NAS-Port = 38
>       Framed-MTU = 1400
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Login-User
>       EAP-Message = 0x0252000d01686f73742f647463
>       Message-Authenticator = 0x431996dc5a278e1a2bbec47424a6b6b3
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: EAP packet type notification id 82 length 13
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
>     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched DEFAULT at 66
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap: EAP packet type notification id 82 length 13
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> Sending Access-Challenge of id 138 to 172.20.162.223:1183
>       EAP-Message = 0x015300060d20
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 
> 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 138 with timestamp 401ff6db
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
>       User-Name = "host/dtc"
>       Cisco-AVPair = "ssid=RCDOgroupwn01"
>       NAS-IP-Address = 172.20.162.223
>       Called-Station-Id = "000c309426eb"
>       Calling-Station-Id = "000dbc7a8f75"
>       NAS-Identifier = "DTC-AP1200-NB01"
>       NAS-Port = 38
>       Framed-MTU = 1400
>       State = 
> 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Authenticate-Only
>       EAP-Message = 0x0254000d01686f73742f647463
>       Message-Authenticator = 0x50cb5e7f047adcfd1fc33d9123402245
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: EAP packet type notification id 84 length 13
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
>     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched DEFAULT at 66
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap: EAP packet type notification id 84 length 13
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> Sending Access-Challenge of id 139 to 172.20.162.223:1184
>       EAP-Message = 0x015500060d20
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 
> 0xbbbcdb8364abbbff307d2a9046748d63f9f61f4067c560bc45bbac039de3866208164730
> Finished request 1
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 139 with timestamp 401ff6f9
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 172.20.162.223:1186, id=140, length=164
>       User-Name = "host/dtc"
>       Cisco-AVPair = "ssid=RCDOgroupwn01"
>       NAS-IP-Address = 172.20.162.223
>       Called-Station-Id = "000c309426eb"
>       Calling-Station-Id = "000dbc7a8f75"
>       NAS-Identifier = "DTC-AP1200-NB01"
>       NAS-Port = 38
>       Framed-MTU = 1400
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Login-User
>       EAP-Message = 0x0257000d01686f73742f647463
>       Message-Authenticator = 0xa65e73d758f53af805eb7d0a1c47ba46
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: EAP packet type notification id 87 length 13
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
>     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched DEFAULT at 66
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap:  list_clean deleted one item
>   rlm_eap:  list_clean deleted one item
>   rlm_eap: EAP packet type notification id 87 length 13
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> Sending Access-Challenge of id 140 to 172.20.162.223:1186
>       EAP-Message = 0x015800060d20
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 
> 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
> Finished request 2
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 140 with timestamp 401ff7cd
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 172.20.162.223:1187, id=141, length=202
>       User-Name = "host/dtc"
>       Cisco-AVPair = "ssid=RCDOgroupwn01"
>       NAS-IP-Address = 172.20.162.223
>       Called-Station-Id = "000c309426eb"
>       Calling-Station-Id = "000dbc7a8f75"
>       NAS-Identifier = "DTC-AP1200-NB01"
>       NAS-Port = 38
>       Framed-MTU = 1400
>       State = 
> 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Authenticate-Only
>       EAP-Message = 0x0259000d01686f73742f647463
>       Message-Authenticator = 0x12e40096ceef66957cb798b9ca626cde
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: EAP packet type notification id 89 length 13
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
>     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched DEFAULT at 66
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap: EAP packet type notification id 89 length 13
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> Sending Access-Challenge of id 141 to 172.20.162.223:1187
>       EAP-Message = 0x015a00060d20
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 
> 0x2b5908dbb4d23207a4c3ae50849ef880ebf71f40c70bd2230104c11072a9a59ced6736a8
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 141 with timestamp 401ff7eb
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 172.20.162.223:1188, id=142, length=164
>       User-Name = "host/dtc"
>       Cisco-AVPair = "ssid=RCDOgroupwn01"
>       NAS-IP-Address = 172.20.162.223
>       Called-Station-Id = "000c309426eb"
>       Calling-Station-Id = "000dbc7a8f75"
>       NAS-Identifier = "DTC-AP1200-NB01"
>       NAS-Port = 38
>       Framed-MTU = 1400
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Login-User
>       EAP-Message = 0x0202000d01686f73742f647463
>       Message-Authenticator = 0x11e0cb79817988fdf7ca364f59997be4
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: EAP packet type notification id 2 length 13
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
>     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched DEFAULT at 66
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap:  list_clean deleted one item
>   rlm_eap:  list_clean deleted one item
>   rlm_eap: EAP packet type notification id 2 length 13
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> Sending Access-Challenge of id 142 to 172.20.162.223:1188
>       EAP-Message = 0x010300060d20
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 
> 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 142 with timestamp 401ff876
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host 172.20.162.223:1189, id=143, length=202
>       User-Name = "host/dtc"
>       Cisco-AVPair = "ssid=RCDOgroupwn01"
>       NAS-IP-Address = 172.20.162.223
>       Called-Station-Id = "000c309426eb"
>       Calling-Station-Id = "000dbc7a8f75"
>       NAS-Identifier = "DTC-AP1200-NB01"
>       NAS-Port = 38
>       Framed-MTU = 1400
>       State = 
> 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
>       NAS-Port-Type = Wireless-802.11
>       Service-Type = Authenticate-Only
>       EAP-Message = 0x0204000d01686f73742f647463
>       Message-Authenticator = 0xb9cb3f98bbf671456645759bc7533abf
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
>   rlm_eap: EAP packet type notification id 4 length 13
>   rlm_eap: EAP Start not found
>   modcall[authorize]: module "eap" returns updated
>     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop
>     users: Matched DEFAULT at 66
>   modcall[authorize]: module "files" returns ok
>   modcall[authorize]: module "mschap" returns noop
> modcall: group authorize returns updated
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
>   rlm_eap: EAP packet type notification id 4 length 13
>   rlm_eap: EAP Start not found
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> Sending Access-Challenge of id 143 to 172.20.162.223:1189
>       EAP-Message = 0x010500060d20
>       Message-Authenticator = 0x00000000000000000000000000000000
>       State = 
> 0x3ed631d08bb0b5f9503904318f7713ec94f81f40c195be6b10b2ef32236876fe033abea5
> Finished request 5
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> 
> Owen L. Wieck
> Network Administrator
> Ricardo, Inc.
> 
> "Those who give up liberty for the sake of security deserve neither liberty nor 
> security."
> --Ben Franklin
> 
> 
-- 

--Mike

-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
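An added example, not code from either post: a small Python decoder for the EAP-Message values quoted in the log above. It makes the pattern Owen describes visible: each Access-Challenge carries an EAP-TLS Start (type 13, S flag set), and the next Access-Request carries a fresh EAP-Response/Identity with a new id instead of a TLS response to that Start. The hex values are copied from the quoted log; the verdict labels and function names are my own.

```python
"""Decode EAP-Message attributes as printed by radiusd -X (RFC 3748 EAP,
plus the EAP-TLS flags byte). Added example; hex values come from the log
quoted in this thread."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS"}


def decode_eap(hexstr):
    """Parse one EAP-Message value ("0x...") into its header fields."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length %d != %d bytes" % (length, len(raw)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                      # Identity: payload is the name
            info["identity"] = raw[5:].decode("ascii", "replace")
        elif eap_type == 13:                   # EAP-TLS: flags L, M, S then data
            flags = raw[5]
            info["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S"))
                             if flags & bit]
            info["tls_data"] = raw[6 + (4 if flags & 0x80 else 0):]
    return info


def classify_exchange(packets):
    """packets: (direction, hex) pairs in log order. A server EAP-TLS Start
    should be answered by a client Response with the same id carrying TLS
    data. Returns the verdict and the ids of Starts the client never answered."""
    pending_start, unanswered, verdict = None, [], "no-start"
    for direction, hexstr in packets:
        eap = decode_eap(hexstr)
        if direction == "server":
            if eap.get("type") == "EAP-TLS" and "S" in eap["flags"]:
                pending_start, verdict = eap["id"], "identity-loop"
        elif pending_start is not None:
            if eap.get("type") == "EAP-TLS" and eap["id"] == pending_start:
                return {"verdict": "tls-started", "unanswered_starts": unanswered}
            unanswered.append(pending_start)   # client restarted with Identity
            pending_start = None
    if pending_start is not None:
        unanswered.append(pending_start)
    return {"verdict": verdict, "unanswered_starts": unanswered}


# Constructed from the first two request/challenge pairs in the quoted log.
LOGGED = [
    ("client", "0x0252000d01686f73742f647463"),  # id 82 Identity "host/dtc"
    ("server", "0x015300060d20"),                # id 83 EAP-TLS Start
    ("client", "0x0254000d01686f73742f647463"),  # id 84 Identity again
    ("server", "0x015500060d20"),                # id 85 EAP-TLS Start
]
```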



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html