> -----Original Message-----
> From: Michael Griego [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 03, 2004 4:35 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Problem with machine authentication on Windows 2000 using
> freeradius, eap-tls, wireless
>
>
> Yup... I have... Works great.... Based on where you're getting in the
> authentication, it really looks like you don't have a proper certificate
> in the computer section...
>
> Oh... you're using Win2K... does the certificate CN match the machine
> name? I discovered that Windows 2000 actually seems to enforce that the
> CN or subjAltName match the name of the machine (ie, NetBIOS name or
> FQDN DNS name).
>
> --Mike

Ah, pits. That's probably it. I know for a fact my names don't match.
I'll try generating a cert to make sure. I don't suppose there's a way to
bypass that? Is it just a Win2k thing?

>
>
> On Tue, 2004-02-03 at 15:30, Wieck, Owen wrote:
> > Thanks for the quick response. Yes to both questions. The CA cert is
> > in the Trusted Root section and the client cert is in the personal
> > section for the "local computer". There are a few reg keys that can be
> > twiddled to determine under what circumstances the Windows wireless
> > client will re-authenticate, but I'm not even getting that far. Under
> > my current configuration, when I log in as a user (with the client
> > cert installed) the exchange is successful and the connection comes up
> > after the user logs in.
> >
> > Has anyone gotten the "local computer" connection to work? I'm curious
> > if I'm p***ing in the wind here...
> >
> > Owen L. Wieck
> > Senior Network Administrator
> > Ricardo, Inc.
> >
> > "Those who give up liberty for the sake of security deserve neither
> > liberty nor security."
> > --Ben Franklin
> >
> >
> > > -----Original Message-----
> > > From: Michael Griego [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, February 03, 2004 4:08 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Problem with machine authentication on Windows 2000
> > > using freeradius, eap-tls, wireless
> > >
> > >
> > > Take a look in your Certificates MMC for the Local Computer account.
> > > If you don't have a certificate in the "personal" section, what
> > > you're trying to do won't work. In other words, the machine itself
> > > has to have a certificate as well if you want the wireless interface
> > > to come up before you actually login to the machine. Also, you have
> > > to make sure that the root CA cert is in the Trusted Root CA section
> > > for the computer account. Otherwise, the 802.1x client will be unable
> > > to verify the authenticity of the network and will refuse to connect.
> > >
> > > --Mike
> > >
> > >
> > > On Tue, 2004-02-03 at 14:41, Wieck, Owen wrote:
> > > > First, a brief description of my setup. I'm using freeradius
> > > > (v0.9.1) as backend AAA to secure our wireless network. We're using
> > > > eap-tls with the certificates, etc. The setup was done per the
> > > > guides out on the 'net. Works great, but...
> > > >
> > > > I'm having trouble getting freeradius to interoperate with the
> > > > "authenticate as computer" option in Windows 2000/XP. It works as
> > > > a user (once the login), but this creates problems in that our
> > > > login scripts and other useful things don't run because the network
> > > > interface isn't up yet. =( A classic chicken-and-egg problem. When
> > > > "authenticate as computer" is checked in the windows authentication
> > > > tab, Windows tries to do an "Authenticate-only" service type (see
> > > > freeradius log capture below). The certificate exchange never gets
> > > > initiated. After repeated cycles of authentication requests, the
> > > > client gives up and doesn't connect. Note, I initially thought the
> > > > funny user-name (host/dtc) was to blame but I manually entered the
> > > > same username when logged in and that worked like a charm!
> > > >
> > > > So, my question is has anyone found a workaround for this and if so
> > > > can they provide me with some details? I realize the problem is
> > > > likely with Windows violating some standard, but of course the
> > > > perception will be a Linux/Freeradius problem by those above me. It
> > > > will chap my hide to resort to using a Windows/ISA implementation...
> > > > Any assistance will be greatly appreciated.
> > > >
> > > > Log capture follows. I've only put in the interesting bits for
> > > > brevity, the pattern repeats about 20 times before it gives up...
> > > >
> > > > Listening on IP address *, ports 1812/udp and 1813/udp, with proxy
> > > > on 1814/udp.
> > > > Ready to process requests.
> > > > rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
> > > > User-Name = "host/dtc"
> > > > Cisco-AVPair = "ssid=RCDOgroupwn01"
> > > > NAS-IP-Address = 172.20.162.223
> > > > Called-Station-Id = "000c309426eb"
> > > > Calling-Station-Id = "000dbc7a8f75"
> > > > NAS-Identifier = "DTC-AP1200-NB01"
> > > > NAS-Port = 38
> > > > Framed-MTU = 1400
> > > > NAS-Port-Type = Wireless-802.11
> > > > Service-Type = Login-User
> > > > EAP-Message = 0x0252000d01686f73742f647463
> > > > Message-Authenticator = 0x431996dc5a278e1a2bbec47424a6b6b3
> > > > modcall: entering group authorize
> > > > modcall[authorize]: module "preprocess" returns ok
> > > > modcall[authorize]: module "chap" returns noop
> > > > rlm_eap: EAP packet type notification id 82 length 13
> > > > rlm_eap: EAP Start not found
> > > > modcall[authorize]: module "eap" returns updated
> > > > rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> > > > rlm_realm: No such realm "NULL"
> > > > modcall[authorize]: module "suffix" returns noop
> > > > users: Matched DEFAULT at 66
> > > > modcall[authorize]: module "files" returns ok
> > > > modcall[authorize]: module "mschap" returns noop
> > > > modcall: group authorize returns updated
> > > > rad_check_password: Found Auth-Type EAP
> > > > auth: type "EAP"
> > > > modcall: entering group authenticate
> > > > rlm_eap: EAP packet type notification id 82 length 13
> > > > rlm_eap: EAP Start not found
> > > > rlm_eap: EAP Identity
> > > > rlm_eap: processing type tls
> > > > rlm_eap_tls: Initiate
> > > > rlm_eap_tls: Start returned 1
> > > > modcall[authenticate]: module "eap" returns ok
> > > > modcall: group authenticate returns ok
> > > > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > > > Sending Access-Challenge of id 138 to 172.20.162.223:1183
> > > > EAP-Message = 0x015300060d20
> > > > Message-Authenticator = 0x00000000000000000000000000000000
> > > > State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
> > > > Finished request 0
> > > > Going to the next request
> > > > --- Walking the entire request list ---
> > > > Waking up in 6 seconds...
> > > > --- Walking the entire request list ---
> > > > Cleaning up request 0 ID 138 with timestamp 401ff6db
> > > > Nothing to do. Sleeping until we see a request.
> > > > rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
> > > > User-Name = "host/dtc"
> > > > Cisco-AVPair = "ssid=RCDOgroupwn01"
> > > > NAS-IP-Address = 172.20.162.223
> > > > Called-Station-Id = "000c309426eb"
> > > > Calling-Station-Id = "000dbc7a8f75"
> > > > NAS-Identifier = "DTC-AP1200-NB01"
> > > > NAS-Port = 38
> > > > Framed-MTU = 1400
> > > > State = 0xdf2f265c0f0274e481ea5f5c4b0a2d49dbf61f40f29b84c263b84393a8c4579b0e964d30
> > > > NAS-Port-Type = Wireless-802.11
> > > > Service-Type = Authenticate-Only
> > > > EAP-Message = 0x0254000d01686f73742f647463
> > > > Message-Authenticator = 0x50cb5e7f047adcfd1fc33d9123402245
> > > > modcall: entering group authorize
> > > > modcall[authorize]: module "preprocess" returns ok
> > > > modcall[authorize]: module "chap" returns noop
> > > > rlm_eap: EAP packet type notification id 84 length 13
> > > > rlm_eap: EAP Start not found
> > > > modcall[authorize]: module "eap" returns updated
> > > > rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> > > > rlm_realm: No such realm "NULL"
> > > > modcall[authorize]: module "suffix" returns noop
> > > > users: Matched DEFAULT at 66
> > > > modcall[authorize]: module "files" returns ok
> > > > modcall[authorize]: module "mschap" returns noop
> > > > modcall: group authorize returns updated
> > > > rad_check_password: Found Auth-Type EAP
> > > > auth: type "EAP"
> > > > modcall: entering group authenticate
> > > > rlm_eap: EAP packet type notification id 84 length 13
> > > > rlm_eap: EAP Start not found
> > > > rlm_eap: EAP Identity
> > > > rlm_eap: processing type tls
> > > > rlm_eap_tls: Initiate
> > > > rlm_eap_tls: Start returned 1
> > > > modcall[authenticate]: module "eap" returns ok
> > > > modcall: group authenticate returns ok
> > > > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > > > Sending Access-Challenge of id 139 to 172.20.162.223:1184
> > > > EAP-Message = 0x015500060d20
> > > > Message-Authenticator = 0x00000000000000000000000000000000
> > > > State = 0xbbbcdb8364abbbff307d2a9046748d63f9f61f4067c560bc45bbac039de3866208164730
> > > > Finished request 1
> > > > Going to the next request
> > > > --- Walking the entire request list ---
> > > > Waking up in 6 seconds...
> > > > --- Walking the entire request list ---
> > > > Cleaning up request 1 ID 139 with timestamp 401ff6f9
> > > > Nothing to do. Sleeping until we see a request.
> > > > rad_recv: Access-Request packet from host 172.20.162.223:1186, id=140, length=164
> > > > User-Name = "host/dtc"
> > > > Cisco-AVPair = "ssid=RCDOgroupwn01"
> > > > NAS-IP-Address = 172.20.162.223
> > > > Called-Station-Id = "000c309426eb"
> > > > Calling-Station-Id = "000dbc7a8f75"
> > > > NAS-Identifier = "DTC-AP1200-NB01"
> > > > NAS-Port = 38
> > > > Framed-MTU = 1400
> > > > NAS-Port-Type = Wireless-802.11
> > > > Service-Type = Login-User
> > > > EAP-Message = 0x0257000d01686f73742f647463
> > > > Message-Authenticator = 0xa65e73d758f53af805eb7d0a1c47ba46
> > > > modcall: entering group authorize
> > > > modcall[authorize]: module "preprocess" returns ok
> > > > modcall[authorize]: module "chap" returns noop
> > > > rlm_eap: EAP packet type notification id 87 length 13
> > > > rlm_eap: EAP Start not found
> > > > modcall[authorize]: module "eap" returns updated
> > > > rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> > > > rlm_realm: No such realm "NULL"
> > > > modcall[authorize]: module "suffix" returns noop
> > > > users: Matched DEFAULT at 66
> > > > modcall[authorize]: module "files" returns ok
> > > > modcall[authorize]: module "mschap" returns noop
> > > > modcall: group authorize returns updated
> > > > rad_check_password: Found Auth-Type EAP
> > > > auth: type "EAP"
> > > > modcall: entering group authenticate
> > > > rlm_eap: list_clean deleted one item
> > > > rlm_eap: list_clean deleted one item
> > > > rlm_eap: EAP packet type notification id 87 length 13
> > > > rlm_eap: EAP Start not found
> > > > rlm_eap: EAP Identity
> > > > rlm_eap: processing type tls
> > > > rlm_eap_tls: Initiate
> > > > rlm_eap_tls: Start returned 1
> > > > modcall[authenticate]: module "eap" returns ok
> > > > modcall: group authenticate returns ok
> > > > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > > > Sending Access-Challenge of id 140 to 172.20.162.223:1186
> > > > EAP-Message = 0x015800060d20
> > > > Message-Authenticator = 0x00000000000000000000000000000000
> > > > State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
> > > > Finished request 2
> > > > Going to the next request
> > > > --- Walking the entire request list ---
> > > > Waking up in 6 seconds...
> > > > --- Walking the entire request list ---
> > > > Cleaning up request 2 ID 140 with timestamp 401ff7cd
> > > > Nothing to do. Sleeping until we see a request.
> > > > rad_recv: Access-Request packet from host 172.20.162.223:1187, id=141, length=202
> > > > User-Name = "host/dtc"
> > > > Cisco-AVPair = "ssid=RCDOgroupwn01"
> > > > NAS-IP-Address = 172.20.162.223
> > > > Called-Station-Id = "000c309426eb"
> > > > Calling-Station-Id = "000dbc7a8f75"
> > > > NAS-Identifier = "DTC-AP1200-NB01"
> > > > NAS-Port = 38
> > > > Framed-MTU = 1400
> > > > State = 0xab0be15b25e57f3bac11b093b5d4f4b3cdf71f4002b4fef93e7b0b041ec4efea57e3e3bf
> > > > NAS-Port-Type = Wireless-802.11
> > > > Service-Type = Authenticate-Only
> > > > EAP-Message = 0x0259000d01686f73742f647463
> > > > Message-Authenticator = 0x12e40096ceef66957cb798b9ca626cde
> > > > modcall: entering group authorize
> > > > modcall[authorize]: module "preprocess" returns ok
> > > > modcall[authorize]: module "chap" returns noop
> > > > rlm_eap: EAP packet type notification id 89 length 13
> > > > rlm_eap: EAP Start not found
> > > > modcall[authorize]: module "eap" returns updated
> > > > rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> > > > rlm_realm: No such realm "NULL"
> > > > modcall[authorize]: module "suffix" returns noop
> > > > users: Matched DEFAULT at 66
> > > > modcall[authorize]: module "files" returns ok
> > > > modcall[authorize]: module "mschap" returns noop
> > > > modcall: group authorize returns updated
> > > > rad_check_password: Found Auth-Type EAP
> > > > auth: type "EAP"
> > > > modcall: entering group authenticate
> > > > rlm_eap: EAP packet type notification id 89 length 13
> > > > rlm_eap: EAP Start not found
> > > > rlm_eap: EAP Identity
> > > > rlm_eap: processing type tls
> > > > rlm_eap_tls: Initiate
> > > > rlm_eap_tls: Start returned 1
> > > > modcall[authenticate]: module "eap" returns ok
> > > > modcall: group authenticate returns ok
> > > > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > > > Sending Access-Challenge of id 141 to 172.20.162.223:1187
> > > > EAP-Message = 0x015a00060d20
> > > > Message-Authenticator = 0x00000000000000000000000000000000
> > > > State = 0x2b5908dbb4d23207a4c3ae50849ef880ebf71f40c70bd2230104c11072a9a59ced6736a8
> > > > Finished request 3
> > > > Going to the next request
> > > > --- Walking the entire request list ---
> > > > Waking up in 6 seconds...
> > > > --- Walking the entire request list ---
> > > > Cleaning up request 3 ID 141 with timestamp 401ff7eb
> > > > Nothing to do. Sleeping until we see a request.
> > > > rad_recv: Access-Request packet from host 172.20.162.223:1188, id=142, length=164
> > > > User-Name = "host/dtc"
> > > > Cisco-AVPair = "ssid=RCDOgroupwn01"
> > > > NAS-IP-Address = 172.20.162.223
> > > > Called-Station-Id = "000c309426eb"
> > > > Calling-Station-Id = "000dbc7a8f75"
> > > > NAS-Identifier = "DTC-AP1200-NB01"
> > > > NAS-Port = 38
> > > > Framed-MTU = 1400
> > > > NAS-Port-Type = Wireless-802.11
> > > > Service-Type = Login-User
> > > > EAP-Message = 0x0202000d01686f73742f647463
> > > > Message-Authenticator = 0x11e0cb79817988fdf7ca364f59997be4
> > > > modcall: entering group authorize
> > > > modcall[authorize]: module "preprocess" returns ok
> > > > modcall[authorize]: module "chap" returns noop
> > > > rlm_eap: EAP packet type notification id 2 length 13
> > > > rlm_eap: EAP Start not found
> > > > modcall[authorize]: module "eap" returns updated
> > > > rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> > > > rlm_realm: No such realm "NULL"
> > > > modcall[authorize]: module "suffix" returns noop
> > > > users: Matched DEFAULT at 66
> > > > modcall[authorize]: module "files" returns ok
> > > > modcall[authorize]: module "mschap" returns noop
> > > > modcall: group authorize returns updated
> > > > rad_check_password: Found Auth-Type EAP
> > > > auth: type "EAP"
> > > > modcall: entering group authenticate
> > > > rlm_eap: list_clean deleted one item
> > > > rlm_eap: list_clean deleted one item
> > > > rlm_eap: EAP packet type notification id 2 length 13
> > > > rlm_eap: EAP Start not found
> > > > rlm_eap: EAP Identity
> > > > rlm_eap: processing type tls
> > > > rlm_eap_tls: Initiate
> > > > rlm_eap_tls: Start returned 1
> > > > modcall[authenticate]: module "eap" returns ok
> > > > modcall: group authenticate returns ok
> > > > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > > > Sending Access-Challenge of id 142 to 172.20.162.223:1188
> > > > EAP-Message = 0x010300060d20
> > > > Message-Authenticator = 0x00000000000000000000000000000000
> > > > State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
> > > > Finished request 4
> > > > Going to the next request
> > > > --- Walking the entire request list ---
> > > > Waking up in 6 seconds...
> > > > --- Walking the entire request list ---
> > > > Cleaning up request 4 ID 142 with timestamp 401ff876
> > > > Nothing to do. Sleeping until we see a request.
> > > > rad_recv: Access-Request packet from host 172.20.162.223:1189, id=143, length=202
> > > > User-Name = "host/dtc"
> > > > Cisco-AVPair = "ssid=RCDOgroupwn01"
> > > > NAS-IP-Address = 172.20.162.223
> > > > Called-Station-Id = "000c309426eb"
> > > > Calling-Station-Id = "000dbc7a8f75"
> > > > NAS-Identifier = "DTC-AP1200-NB01"
> > > > NAS-Port = 38
> > > > Framed-MTU = 1400
> > > > State = 0x4767724bb96d1fdd57b36352a38f1c6876f81f400621311e5712eed8ca30e44ad983acd7
> > > > NAS-Port-Type = Wireless-802.11
> > > > Service-Type = Authenticate-Only
> > > > EAP-Message = 0x0204000d01686f73742f647463
> > > > Message-Authenticator = 0xb9cb3f98bbf671456645759bc7533abf
> > > > modcall: entering group authorize
> > > > modcall[authorize]: module "preprocess" returns ok
> > > > modcall[authorize]: module "chap" returns noop
> > > > rlm_eap: EAP packet type notification id 4 length 13
> > > > rlm_eap: EAP Start not found
> > > > modcall[authorize]: module "eap" returns updated
> > > > rlm_realm: No '@' in User-Name = "host/dtc", looking up realm NULL
> > > > rlm_realm: No such realm "NULL"
> > > > modcall[authorize]: module "suffix" returns noop
> > > > users: Matched DEFAULT at 66
> > > > modcall[authorize]: module "files" returns ok
> > > > modcall[authorize]: module "mschap" returns noop
> > > > modcall: group authorize returns updated
> > > > rad_check_password: Found Auth-Type EAP
> > > > auth: type "EAP"
> > > > modcall: entering group authenticate
> > > > rlm_eap: EAP packet type notification id 4 length 13
> > > > rlm_eap: EAP Start not found
> > > > rlm_eap: EAP Identity
> > > > rlm_eap: processing type tls
> > > > rlm_eap_tls: Initiate
> > > > rlm_eap_tls: Start returned 1
> > > > modcall[authenticate]: module "eap" returns ok
> > > > modcall: group authenticate returns ok
> > > > Login OK: [host/dtc] (from client Rinc port 38 cli 000dbc7a8f75)
> > > > Sending Access-Challenge of id 143 to 172.20.162.223:1189
> > > > EAP-Message = 0x010500060d20
> > > > Message-Authenticator = 0x00000000000000000000000000000000
> > > > State = 0x3ed631d08bb0b5f9503904318f7713ec94f81f40c195be6b10b2ef32236876fe033abea5
> > > > Finished request 5
> > > > Going to the next request
> > > > --- Walking the entire request list ---
> > > > Waking up in 6 seconds...
> > > >
> > > > Owen L. Wieck
> > > > Network Administrator
> > > > Ricardo, Inc.
> > > >
> > > > "Those who give up liberty for the sake of security deserve neither
> > > > liberty nor security."
> > > > --Ben Franklin
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > --
> > >
> > > --Mike
> > >
> > > -----------------------------------
> > > Michael Griego
> > > Wireless LAN Project Manager
> > > The University of Texas at Dallas
> --
>
> --Mike
>
> -----------------------------------
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
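As an added diagnostic example (my code, not from the thread or from FreeRADIUS), the script below decodes the EAP-Message values in a debug capture like the one quoted above and flags a client that answers every EAP-TLS Start with another Identity response instead of a TLS ClientHello, which is the "certificate exchange never gets initiated" symptom described in the thread. The sample log is a constructed excerpt modelled on that capture, and the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the capture quoted in the thread (two of the
# repeating Access-Request / Access-Challenge pairs, EAP-Message values as seen there).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.20.162.223:1183, id=138, length=164
Calling-Station-Id = "000dbc7a8f75"
Service-Type = Login-User
EAP-Message = 0x0252000d01686f73742f647463
Sending Access-Challenge of id 138 to 172.20.162.223:1183
EAP-Message = 0x015300060d20
rad_recv: Access-Request packet from host 172.20.162.223:1184, id=139, length=202
Calling-Station-Id = "000dbc7a8f75"
Service-Type = Authenticate-Only
EAP-Message = 0x0254000d01686f73742f647463
Sending Access-Challenge of id 139 to 172.20.162.223:1184
EAP-Message = 0x015500060d20
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

def decode_eap(hexstr):
    """Decode one EAP-Message attribute value: code, id, length check, type, payload."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "type": None}
    if code in (1, 2) and len(raw) >= 5:
        info["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 1:                       # Identity: payload is the NAI
            info["identity"] = raw[5:].decode("ascii", "replace")
        elif raw[4] == 13 and len(raw) >= 6:  # EAP-TLS: flags byte, S (Start) bit = 0x20
            info["tls_start"] = bool(raw[5] & 0x20)
    return info

def analyse(log):
    """Per client MAC, count Service-Types seen and EAP messages in each direction."""
    stats, mac, direction = {}, None, None
    for line in log.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            direction = "client"
        elif line.startswith("Sending Access-"):
            direction = "server"
        if m := re.search(r'Calling-Station-Id = "([0-9a-fA-F]+)"', line):
            mac = m.group(1).lower()
        if mac and (m := re.search(r"Service-Type = (\S+)", line)):
            stats.setdefault(mac, Counter())["service:" + m.group(1)] += 1
        if mac and (m := re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", line)):
            eap = decode_eap(m.group(1))
            key = f"{direction}:{eap['code']}/{eap['type']}"
            if eap.get("tls_start"):
                key += "/Start"
            stats.setdefault(mac, Counter())[key] += 1
    return stats

def stuck_at_tls_start(counter):
    """True when the server has repeatedly sent EAP-TLS Start and the client has never
    answered with an EAP-TLS message: the handshake never begins (the thread's symptom)."""
    client_tls = sum(v for k, v in counter.items() if k.startswith("client:Response/EAP-TLS"))
    return counter["server:Request/EAP-TLS/Start"] >= 2 and client_tls == 0
```

Decoding the quoted values shows why the "Login OK" lines are misleading: each 0x02..01 message is only an Identity response carrying "host/dtc", and each 0x01..0d20 reply is an EAP-TLS Request with the Start flag set, so the supplicant never moves past the first TLS round trip.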