I am trying to get machine authentication working using freeradius and a
Windows XP SP1 client. I originally tried to make this work with
freeradius 0.9.3, but then moved to 1.0.0pre3 in hopes of making it work.
Here is what I see when I sniff the traffic between the client and the AP
using ethereal.

Client                        AP
------                        ----
EAPOL Start           --->
                      <---    Request, Identity
Response, Identity    --->
                      <---    Request, EAP-TLS

And that is it. The client never responds to the Request, EAP-TLS. Below
are the contents of that last packet from the AP to the client:

802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 6
    Extensible Authentication Protocol
        Code: Request (1)
        Id: 17
        Length: 6
        Type: EAP-TLS [RFC2716] [Adoba] (13)
        Flags (0x20): Start

On the server side I see the following:

rad_recv: Access-Request packet from host 147.138.120.170:6001, id=73, length=173
        User-Name = "host/testwire.bridgewater.edu"
        NAS-IP-Address = 147.138.120.170
        Called-Station-Id = "00-20-a6-52-b4-6c"
        Calling-Station-Id = "00-90-4b-7d-d5-47"
        NAS-Identifier = "WritingWAP"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0212002201686f73742f74657374776972652e62726964676577617465722e656475
        Message-Authenticator = 0x3a892a05d25aa847b9be3c33cd9a7b4a
Invalid operator for item Prefix: reverting to '=='
Sending Access-Challenge of id 73 to 147.138.120.170:6001
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x011300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc3ff0ce5bfdff596d099ec32ec73aece

I am not sure why the XP client never responds to the Request, EAP-TLS
packet. On the XP client I have it set to do machine authentication. In
the registry I set the AuthMode value to 2 and SupplicantMode to 3. Before
I set AuthMode I received errors about not being able to find a
certificate to use. Setting SupplicantMode to 3 did not change the
behavior. I have a certificate with a CN of testwire.bridgewater.edu in
the personal store of the local computer account.
I just don't understand what is happening and any help would be greatly
appreciated.
----------------------------------------------------------------------------
Joe Meslovich [EMAIL PROTECTED]
Associate Network/Systems Engineer IT Center
Tel: (540) 828 - 5343
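
Added example (not part of the original message, and not FreeRADIUS code): a small decoder for the EAP-Message values printed in the server debug output above, so the EAP code, Id, type and EAP-TLS flags can be compared field by field with the sniffer's dissection. The function and constant names are made up for this example; the two hex strings are copied from the log above.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "EAP-TLS"}
# EAP-TLS flags byte (RFC 2716): L, M and S bits.
TLS_FLAGS = ((0x80, "Length-Included"), (0x40, "More-Fragments"), (0x20, "Start"))


def parse_eap(hex_value):
    """Decode one EAP packet given as the hex string shown in the debug log.

    If a RADIUS packet carries several EAP-Message attributes, concatenate
    their values before calling this function.
    """
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes; got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length}
    # Only Request and Response packets carry a Type field.
    if code in (1, 2) and length >= 5:
        eap_type, data = raw[4], raw[5:length]
        pkt["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
        if eap_type == 1:
            pkt["identity"] = data.decode("utf-8", errors="replace")
        elif eap_type == 13:
            if not data:
                raise ValueError("EAP-TLS packet has no flags byte")
            pkt["flags"] = [name for bit, name in TLS_FLAGS if data[0] & bit]
            pkt["tls_data_len"] = len(data) - 1
    return pkt


# EAP-Message values copied from the Access-Request and Access-Challenge above.
IDENTITY_RESPONSE = ("0x0212002201686f73742f74657374776972652e"
                     "62726964676577617465722e656475")
TLS_START = "0x011300060d20"

if __name__ == "__main__":
    for value in (IDENTITY_RESPONSE, TLS_START):
        print(parse_eap(value))
```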