I just wanted to add some information to this message. I turned on EAPOL
file tracing in the registry. When I look at the trace log that is
created on the client, an error is occurring when the client should be
generating the response that contains its credentials. The error code in
the EAPOL log is -2146893802. From what I've seen that error code has to
do with not finding a keyset pair.

When doing machine authentication do the certificates need to be installed
in a special manner? When I go into mmc I see the certificates that I
installed in the local computer store.

Joe Meslovich

On Wed, 21 Jul 2004, Joe Meslovich wrote:
>
> I am trying to get machine authentication working using freeradius and a
> Windows XP SP1 client. I originally tried to make this work with
> freeradius 0.9.3, but then moved to 1.0.0pre3 in hopes of making it work.
>
> Here is what I see when I sniff the traffic between the client and the AP
> using ethereal.
>
> Client                        AP
> ------                        ----
> EAPOL Start          --->
>
>                      <---     Request, Identity
>
> Response, Identity   --->
>
>                      <---     Request, EAP-TLS
>
>
> And that is it. The client never responds to the Request, EAP-TLS. Below
> is the contents of that last packet from the AP to the client:
>
> 802.1x Authentication
> Version: 1
> Type: EAP Packet (0)
> Length: 6
> Extensible Authentication Protocol
> Code: Request (1)
> Id: 17
> Length: 6
> Type: EAP-TLS [RFC2716] [Adoba] (13)
> Flags (0x20): Start
>
> On the server side I see the following
>
> rad_recv: Access-Request packet from host 147.138.120.170:6001, id=73,
> length=173
> User-Name = "host/testwire.bridgewater.edu"
> NAS-IP-Address = 147.138.120.170
> Called-Station-Id = "00-20-a6-52-b4-6c"
> Calling-Station-Id = "00-90-4b-7d-d5-47"
> NAS-Identifier = "WritingWAP"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message =
> 0x0212002201686f73742f74657374776972652e62726964676577617465722e656475
> Message-Authenticator = 0x3a892a05d25aa847b9be3c33cd9a7b4a
> Invalid operator for item Prefix: reverting to '=='
> Sending Access-Challenge of id 73 to 147.138.120.170:6001
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x011300060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xc3ff0ce5bfdff596d099ec32ec73aece
>
>
> I am not sure why the XP client never responds to the Request, EAP-TLS
> packet. On the XP client I have it set to do machine authentication. In
> the registry I set the AuthMode value to 2 and SupplicantMode to 3. Before
> I set AuthMode I received errors about not being able to find a
> certificate to use. Setting SupplicantMode to 3 did not change the
> behavior. I have a certificate with a CN of testwire.bridgewater.edu in
> the personal store of the local computer account.
>
> I just don't understand what is happening and any help would be greatly
> appreciated.
>
>
> ----------------------------------------------------------------------------
> Joe Meslovich [EMAIL PROTECTED]
> Associate Network/Systems Engineer IT Center
> Tel: (540) 828 - 5343
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
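
Added example, not part of the original post or of FreeRADIUS: a small Python decoder for the two EAP-Message values in the server debug output above and for the signed error code from the EAPOL trace. The function and variable names are this example's own, and the NTE_BAD_KEYSET name is taken from the Windows SDK's winerror.h rather than from the thread.

```python
import struct

# Hex values copied from the rad_recv / Access-Challenge output in the post.
IDENTITY_RESPONSE = "0x0212002201686f73742f74657374776972652e62726964676577617465722e656475"
TLS_REQUEST = "0x011300060d20"
EAPOL_TRACE_ERROR = -2146893802  # signed value as written in the EAPOL log

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}
# EAP-TLS flags octet (RFC 2716): L, M, S bits
TLS_FLAGS = ((0x80, "Length included"), (0x40, "More fragments"), (0x20, "Start"))
# Name from winerror.h (assumption of this example, not stated on the page)
KNOWN_HRESULTS = {"0x80090016": "NTE_BAD_KEYSET (Keyset does not exist)"}


def parse_eap(hex_str):
    """Decode one EAP packet from a RADIUS EAP-Message hex string."""
    if hex_str.lower().startswith("0x"):
        hex_str = hex_str[2:]
    raw = bytes.fromhex(hex_str)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    body = raw[4:length]
    if code in (1, 2) and body:  # only Request/Response carry a Type octet
        etype, data = body[0], body[1:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 13 and data:
            pkt["tls_flags"] = [name for bit, name in TLS_FLAGS if data[0] & bit]
    return pkt


def to_hresult(signed_code):
    """Render a signed 32-bit Windows error code in 0x8xxxxxxx form."""
    return "0x%08X" % (signed_code & 0xFFFFFFFF)


if __name__ == "__main__":
    for label, value in (("client", IDENTITY_RESPONSE), ("server", TLS_REQUEST)):
        print(label, parse_eap(value))
    hresult = to_hresult(EAPOL_TRACE_ERROR)
    print(EAPOL_TRACE_ERROR, "=", hresult, KNOWN_HRESULTS.get(hresult, "unknown"))
```

The decoded challenge is the EAP-TLS Start request, so the next message would be the client's reply, which is the step where the trace reports the error.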