Thanks for the quick response.  Yes to both questions.  The CA cert is in the Trusted 
Root section and the client cert is in the personal section for the "local computer".  
There are a few reg keys that can be twiddled to determine under what circumstances 
the Windows wireless client will re-authenticate, but I'm not even getting that far.  
Under my current configuration, when I log in as a user (with the client cert 
installed) the exchange is successful and the connection comes up after the user logs 
in.

Has anyone gotten the "local computer" connection to work?  I'm curious if I'm p***ing 
in the wind here... 

Owen L. Wieck
Senior Network Administrator
Ricardo, Inc.

"Those who give up liberty for the sake of security deserve neither liberty nor 
security."
--Ben Franklin


> -----Original Message-----
> From: Michael Griego [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 4:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Problem with machine authentication on Windows 2000 using freeradius, eap-tls, wireless
> 
> 
> Take a look in your Certificates MMC for the Local Computer account.  If you don't have a certificate in the "personal" section, what you're trying to do won't work.  In other words, the machine itself has to have a certificate as well if you want the wireless interface to come up before you actually login to the machine.  Also, you have to make sure that the root CA cert is in the Trusted Root CA section for the computer account.  Otherwise, the 802.1x client will be unable to verify the authenticity of the network and will refuse to connect.
> 
> --MIke
> 
> 
> On Tue, 2004-02-03 at 14:41, Wieck, Owen wrote:
> > First, a brief description of my setup.  I'm using freeradius (v0.9.1) as backend AAA to secure our wireless network.  We're using eap-tls with the certificates, etc.  The setup was done per the guides out on the 'net.  Works great, but...
> > 
> > I'm having trouble getting freeradius to interoperate with the "authenticate as computer" option in Windows 2000/XP.  It works as a user (once logged in), but this creates problems in that our login scripts and other useful things don't run because the network interface isn't up yet.  =(  A classic chicken-and-egg problem.  When "authenticate as computer" is checked in the windows authentication tab, Windows tries to do an "Authenticate-only" service type (see freeradius log capture below).  The certificate exchange never gets initiated.  After repeated cycles of authentication requests, the client gives up and doesn't connect.  Note, I initially thought the funny user-name (host/dtc) was to blame but I manually entered the same username when logged in and that worked like a charm!
> > 
> > So, my question is has anyone found a workaround for this and if so can they provide me with some details?  I realize the problem is likely with Windows violating some standard, but of course the perception will be a Linux/Freeradius problem by those above me.  It will chap my hide to resort to using a Windows/ISA implementation...  Any assistance will be greatly appreciated.
> > 
> > Log capture follows.  I've only put in the interesting bits for brevity, the pattern repeats about 20 times before it gives up...
> > 
> > Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
> >     User-Name = "host/dtc"
> >     Cisco-AVPair = "ssid=RCDOgroupwn01"
> >     NAS-IP-Address = 172.20.162.223
> >     Called-Station-Id = "000c309426eb"
> >     Calling-Station-Id = "000dbc7a8f75"
> >     NAS-Identifier = "DTC-AP1200-NB01"
> >     NAS-Port = 38
> >     Framed-MTU = 1400
> >     NAS-Port-Type = Wireless-802.11
> >     Service-Type = Login-User
> >     EAP-Message = 0x0252000d01686f73742f647463
> >     Message-Authenticator = 0x431996dc5a278e1a2bbec47424a6b6b3
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> >   modcall[authorize]: module "chap" returns noop
> >   rlm_eap: EAP packet type notification id 82 length 13
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated
> >     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop
> >     users: Matched DEFAULT at 66
> >   modcall[authorize]: module "files" returns ok
> >   modcall[authorize]: module "mschap" returns noop
> > modcall: group authorize returns updated
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> >   rlm_eap: EAP packet type notification id 82 length 13
> >   rlm_eap: EAP Start not found
> >   rlm_eap: EAP Identity
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > Sending Access-Challenge of id 138 to 172.20.162.223:1183
> >     EAP-Message = 0x015300060d20
> >     Message-Authenticator = 0x00000000000000000000000000000000
> >     State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 0 ID 138 with timestamp 401ff6db
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
> >     User-Name = "host/dtc"
> >     Cisco-AVPair = "ssid=RCDOgroupwn01"
> >     NAS-IP-Address = 172.20.162.223
> >     Called-Station-Id = "000c309426eb"
> >     Calling-Station-Id = "000dbc7a8f75"
> >     NAS-Identifier = "DTC-AP1200-NB01"
> >     NAS-Port = 38
> >     Framed-MTU = 1400
> >     State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
> >     NAS-Port-Type = Wireless-802.11
> >     Service-Type = Authenticate-Only
> >     EAP-Message = 0x0254000d01686f73742f647463
> >     Message-Authenticator = 0x50cb5e7f047adcfd1fc33d9123402245
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> >   modcall[authorize]: module "chap" returns noop
> >   rlm_eap: EAP packet type notification id 84 length 13
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated
> >     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop
> >     users: Matched DEFAULT at 66
> >   modcall[authorize]: module "files" returns ok
> >   modcall[authorize]: module "mschap" returns noop
> > modcall: group authorize returns updated
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> >   rlm_eap: EAP packet type notification id 84 length 13
> >   rlm_eap: EAP Start not found
> >   rlm_eap: EAP Identity
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > Sending Access-Challenge of id 139 to 172.20.162.223:1184
> >     EAP-Message = 0x015500060d20
> >     Message-Authenticator = 0x00000000000000000000000000000000
> >     State = 0xbbbcdb8364abbbff307d2a9046748d63f9f61f4067c560bc45bbac039de3866208164730
> > Finished request 1
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 1 ID 139 with timestamp 401ff6f9
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 172.20.162.223:1186, id=140, length=164
> >     User-Name = "host/dtc"
> >     Cisco-AVPair = "ssid=RCDOgroupwn01"
> >     NAS-IP-Address = 172.20.162.223
> >     Called-Station-Id = "000c309426eb"
> >     Calling-Station-Id = "000dbc7a8f75"
> >     NAS-Identifier = "DTC-AP1200-NB01"
> >     NAS-Port = 38
> >     Framed-MTU = 1400
> >     NAS-Port-Type = Wireless-802.11
> >     Service-Type = Login-User
> >     EAP-Message = 0x0257000d01686f73742f647463
> >     Message-Authenticator = 0xa65e73d758f53af805eb7d0a1c47ba46
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> >   modcall[authorize]: module "chap" returns noop
> >   rlm_eap: EAP packet type notification id 87 length 13
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated
> >     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop
> >     users: Matched DEFAULT at 66
> >   modcall[authorize]: module "files" returns ok
> >   modcall[authorize]: module "mschap" returns noop
> > modcall: group authorize returns updated
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> >   rlm_eap:  list_clean deleted one item
> >   rlm_eap:  list_clean deleted one item
> >   rlm_eap: EAP packet type notification id 87 length 13
> >   rlm_eap: EAP Start not found
> >   rlm_eap: EAP Identity
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > Sending Access-Challenge of id 140 to 172.20.162.223:1186
> >     EAP-Message = 0x015800060d20
> >     Message-Authenticator = 0x00000000000000000000000000000000
> >     State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
> > Finished request 2
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 2 ID 140 with timestamp 401ff7cd
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 172.20.162.223:1187, id=141, length=202
> >     User-Name = "host/dtc"
> >     Cisco-AVPair = "ssid=RCDOgroupwn01"
> >     NAS-IP-Address = 172.20.162.223
> >     Called-Station-Id = "000c309426eb"
> >     Calling-Station-Id = "000dbc7a8f75"
> >     NAS-Identifier = "DTC-AP1200-NB01"
> >     NAS-Port = 38
> >     Framed-MTU = 1400
> >     State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
> >     NAS-Port-Type = Wireless-802.11
> >     Service-Type = Authenticate-Only
> >     EAP-Message = 0x0259000d01686f73742f647463
> >     Message-Authenticator = 0x12e40096ceef66957cb798b9ca626cde
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> >   modcall[authorize]: module "chap" returns noop
> >   rlm_eap: EAP packet type notification id 89 length 13
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated
> >     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop
> >     users: Matched DEFAULT at 66
> >   modcall[authorize]: module "files" returns ok
> >   modcall[authorize]: module "mschap" returns noop
> > modcall: group authorize returns updated
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> >   rlm_eap: EAP packet type notification id 89 length 13
> >   rlm_eap: EAP Start not found
> >   rlm_eap: EAP Identity
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > Sending Access-Challenge of id 141 to 172.20.162.223:1187
> >     EAP-Message = 0x015a00060d20
> >     Message-Authenticator = 0x00000000000000000000000000000000
> >     State = 0x2b5908dbb4d23207a4c3ae50849ef880ebf71f40c70bd2230104c11072a9a59ced6736a8
> > Finished request 3
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 3 ID 141 with timestamp 401ff7eb
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 172.20.162.223:1188, id=142, length=164
> >     User-Name = "host/dtc"
> >     Cisco-AVPair = "ssid=RCDOgroupwn01"
> >     NAS-IP-Address = 172.20.162.223
> >     Called-Station-Id = "000c309426eb"
> >     Calling-Station-Id = "000dbc7a8f75"
> >     NAS-Identifier = "DTC-AP1200-NB01"
> >     NAS-Port = 38
> >     Framed-MTU = 1400
> >     NAS-Port-Type = Wireless-802.11
> >     Service-Type = Login-User
> >     EAP-Message = 0x0202000d01686f73742f647463
> >     Message-Authenticator = 0x11e0cb79817988fdf7ca364f59997be4
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> >   modcall[authorize]: module "chap" returns noop
> >   rlm_eap: EAP packet type notification id 2 length 13
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated
> >     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop
> >     users: Matched DEFAULT at 66
> >   modcall[authorize]: module "files" returns ok
> >   modcall[authorize]: module "mschap" returns noop
> > modcall: group authorize returns updated
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> >   rlm_eap:  list_clean deleted one item
> >   rlm_eap:  list_clean deleted one item
> >   rlm_eap: EAP packet type notification id 2 length 13
> >   rlm_eap: EAP Start not found
> >   rlm_eap: EAP Identity
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > Sending Access-Challenge of id 142 to 172.20.162.223:1188
> >     EAP-Message = 0x010300060d20
> >     Message-Authenticator = 0x00000000000000000000000000000000
> >     State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
> > Finished request 4
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 4 ID 142 with timestamp 401ff876
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 172.20.162.223:1189, id=143, length=202
> >     User-Name = "host/dtc"
> >     Cisco-AVPair = "ssid=RCDOgroupwn01"
> >     NAS-IP-Address = 172.20.162.223
> >     Called-Station-Id = "000c309426eb"
> >     Calling-Station-Id = "000dbc7a8f75"
> >     NAS-Identifier = "DTC-AP1200-NB01"
> >     NAS-Port = 38
> >     Framed-MTU = 1400
> >     State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
> >     NAS-Port-Type = Wireless-802.11
> >     Service-Type = Authenticate-Only
> >     EAP-Message = 0x0204000d01686f73742f647463
> >     Message-Authenticator = 0xb9cb3f98bbf671456645759bc7533abf
> > modcall: entering group authorize
> >   modcall[authorize]: module "preprocess" returns ok
> >   modcall[authorize]: module "chap" returns noop
> >   rlm_eap: EAP packet type notification id 4 length 13
> >   rlm_eap: EAP Start not found
> >   modcall[authorize]: module "eap" returns updated
> >     rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop
> >     users: Matched DEFAULT at 66
> >   modcall[authorize]: module "files" returns ok
> >   modcall[authorize]: module "mschap" returns noop
> > modcall: group authorize returns updated
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> >   rlm_eap: EAP packet type notification id 4 length 13
> >   rlm_eap: EAP Start not found
> >   rlm_eap: EAP Identity
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > Sending Access-Challenge of id 143 to 172.20.162.223:1189
> >     EAP-Message = 0x010500060d20
> >     Message-Authenticator = 0x00000000000000000000000000000000
> >     State = 0x3ed631d08bb0b5f9503904318f7713ec94f81f40c195be6b10b2ef322368 76fe033abea5
> > Finished request 5
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > 
> > Owen L. Wieck
> > Network Administrator
> > Ricardo, Inc.
> > 
> > "Those who give up liberty for the sake of security deserve neither liberty nor security."
> > --Ben Franklin
> > 
> > 
> > 
> -- 
> 
> --Mike
> 
> -----------------------------------
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
> 
> 
> 
> 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
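The quoted log can be read more precisely than "the certificate exchange never gets initiated" by decoding the EAP-Message attributes themselves. The following is an added example written for this page, not code from the thread or from FreeRADIUS: it parses the rad_recv / Access-Challenge pairs, decodes each EAP packet (code, identifier, length, type), and classifies the conversation. On Owen's log it shows that every packet from the supplicant is an EAP Response/Identity carrying "host/dtc", and every reply is an EAP-TLS Request whose only content is the Start flag (the 0x0d20 tail), so the server keeps offering to begin the TLS handshake and the client never answers with a Client Hello. That is exactly what a supplicant with nothing to present does when it has no certificate in the Local Computer personal store, as Mike's reply describes. The SAMPLE_LOG excerpt is trimmed from the log quoted above; the function names and the diagnosis labels are my own.

```python
"""Decode the EAP-Message attributes from a FreeRADIUS debug log and flag an
EAP-TLS conversation that never advances past the server's Start packet.

The excerpt below is a constructed trim of the freeradius -X output quoted in
the thread; only the attributes this parser needs were kept.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
EAP_TLS_FLAG_START = 0x20  # S bit in the EAP-TLS flags byte

SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
    User-Name = "host/dtc"
    Service-Type = Login-User
    EAP-Message = 0x0252000d01686f73742f647463
Sending Access-Challenge of id 138 to 172.20.162.223:1183
    EAP-Message = 0x015300060d20
rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
    User-Name = "host/dtc"
    Service-Type = Authenticate-Only
    EAP-Message = 0x0254000d01686f73742f647463
Sending Access-Challenge of id 139 to 172.20.162.223:1184
    EAP-Message = 0x015500060d20
"""


@dataclass
class EapPacket:
    direction: str              # "client" (Access-Request) or "server" (Access-Challenge)
    radius_id: int
    service_type: Optional[str]
    code: int                   # 1 Request, 2 Response, 3 Success, 4 Failure
    eap_id: int
    eap_type: Optional[int]     # absent on Success/Failure
    payload: bytes              # octets after the type octet

    @property
    def is_tls_start(self) -> bool:
        """Server EAP-TLS Request whose whole body is a flags byte with only S set."""
        return (self.direction == "server" and self.eap_type == EAP_TYPE_TLS
                and len(self.payload) == 1 and self.payload[0] == EAP_TLS_FLAG_START)


def decode_eap(attr_value: str):
    """Split an EAP-Message hex string into (code, id, type, payload), checking the length field."""
    raw = bytes.fromhex(attr_value[2:] if attr_value.lower().startswith("0x") else attr_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 octets")
    code, eap_id, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    eap_type = raw[4] if length > 4 else None
    return code, eap_id, eap_type, raw[5:]


_RECV = re.compile(r"^rad_recv: Access-Request .*\bid=(\d+)")
_SEND = re.compile(r"^Sending Access-Challenge of id (\d+)")
_ATTR = re.compile(r'^\s+([\w-]+) = (?:"([^"]*)"|(\S+))')


def parse_log(text: str) -> List[EapPacket]:
    """Walk the debug output and emit one EapPacket per EAP-Message attribute."""
    packets: List[EapPacket] = []
    direction = radius_id = service_type = None
    for line in text.splitlines():
        m = _RECV.match(line)
        if m:
            direction, radius_id, service_type = "client", int(m.group(1)), None
            continue
        m = _SEND.match(line)
        if m:
            direction, radius_id, service_type = "server", int(m.group(1)), None
            continue
        m = _ATTR.match(line)
        if not m or direction is None:
            continue
        name = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "Service-Type":
            service_type = value
        elif name == "EAP-Message":
            code, eap_id, eap_type, payload = decode_eap(value)
            packets.append(EapPacket(direction, radius_id, service_type, code, eap_id, eap_type, payload))
    return packets


def diagnose(packets: List[EapPacket]) -> str:
    """Classify the exchange; the thread's failure shows up as 'stalled-at-tls-start'."""
    client = [p for p in packets if p.direction == "client"]
    server = [p for p in packets if p.direction == "server"]
    if not client:
        return "no-eap-traffic"
    if any(p.eap_type == EAP_TYPE_TLS for p in client):
        return "tls-handshake-in-progress"   # supplicant sent a TLS record (Client Hello or later)
    if all(p.eap_type == EAP_TYPE_IDENTITY for p in client) and server and all(p.is_tls_start for p in server):
        return "stalled-at-tls-start"        # only Identity from the client; server keeps re-offering Start
    return "inconclusive"


def service_types(packets: List[EapPacket]) -> Set[str]:
    """Service-Type values seen on the Access-Requests (the log alternates Login-User / Authenticate-Only)."""
    return {p.service_type for p in packets if p.service_type}


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for p in pkts:
        print(p.direction, p.radius_id, p.service_type, "code", p.code, "type", p.eap_type, p.payload)
    print("diagnosis:", diagnose(pkts), "service types:", service_types(pkts))
```

Run it against a full `freeradius -X` capture instead of SAMPLE_LOG to see whether the supplicant ever sends an EAP type 13 response; if it does, the stall is on the server side (certificate chain, TLS settings), and if it never does, the supplicant has nothing to present, which is the machine-store check Mike points at.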
