When I enable RASTLS, I see the following error:
 
[1304] 19:33:27:968: EapTlsInvokeIdentityUI
[1304] 19:33:27:968: GetCertInfo
[1304] 19:33:27:984: FCheckSCardCertAndCanOpenSilentContext
[1304] 19:33:27:984: FGetEKUUsage
[1304] 19:33:27:984: Acquiring Context for Container Name: {226FADA0-66DE-4423-BFBF-448D710E1BF2}, ProvName: Microsoft Base Cryptographic Provider v1.0, ProvType 0x1
[1304] 19:33:28:000: FCheckTimeValidity
[1304] 19:33:28:000: Add Selected Cert to List
[1304] 19:33:28:000: FCheckSCardCertAndCanOpenSilentContext
[1304] 19:33:28:000: FGetEKUUsage
[1304] 19:33:28:000: Acquiring Context for Container Name: {F4FC41A8-ECDF-4B9A-A613-A457D74DDFF8}, ProvName: Microsoft Enhanced Cryptographic Provider v1.0, ProvType 0x1
[1304] 19:33:28:015: FCheckTimeValidity
[1304] 19:33:28:015: Add Selected Cert to List
[1304] 19:33:28:015: GroupCertificates
[1304] 19:33:35:078:
[1304] 19:33:35:078: EapTlsBegin(Jurgen Tessers)
[1304] 19:33:35:078: State change to Initial
[1304] 19:33:35:078: EapTlsBegin: Detected 8021X authentication
[1304] 19:33:35:078: MaxTLSMessageLength is now 16384
[1304] 19:33:35:078:
[1304] 19:33:35:078: EapTlsMakeMessage(jurgen tessers)
[1304] 19:33:35:078: >> Received Request (Code: 1) packet: Id: 1, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1304] 19:33:35:078: EapTlsCMakeMessage
[1304] 19:33:35:078: EapTlsReset
[1304] 19:33:35:078: State change to Initial
[1304] 19:33:35:078: GetCredentials
[1304] 19:33:35:078: Flag is Client and Store is Current User
[1304] 19:33:35:078: GetCachedCredentials
[1304] 19:33:35:078: FreeCachedCredentials
[1304] 19:33:35:078: AssociatePinWithCertificate
[1304] 19:33:35:093: The name in the certificate is: Jurgen Tessers
[1304] 19:33:35:093: Will validate server cert
[1304] 19:33:35:125: MakeReplyMessage
[1304] 19:33:35:125: SecurityContextFunction
[1304] 19:33:35:125: InitializeSecurityContext returned 0x90312
[1304] 19:33:35:125: State change to SentHello
[1304] 19:33:35:125: BuildPacket
[1304] 19:33:35:125: << Sending Response (Code: 2) packet: Id: 1, Length: 80, Type: 13, TLS blob length: 70. Flags: L
[2448] 19:33:35:140:
[2448] 19:33:35:140: EapTlsMakeMessage(jurgen tessers)
[2448] 19:33:35:140: >> Received Request (Code: 1) packet: Id: 2, Length: 1030, Type: 13, TLS blob length: 1020. Flags: L
[2448] 19:33:35:140: EapTlsCMakeMessage
[2448] 19:33:35:140: MakeReplyMessage
[2448] 19:33:35:140: Reallocating input TLS blob buffer
[2448] 19:33:35:140: SecurityContextFunction
[2448] 19:33:35:281: InitializeSecurityContext returned 0x80096004
[2448] 19:33:35:281: State change to RecdFinished. Error: 0x80096004
[2448] 19:33:35:281: BuildPacket
[2448] 19:33:35:281: << Sending Response (Code: 2) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags:
[2448] 19:33:35:281:
[2448] 19:33:35:281: EapTlsMakeMessage(jurgen tessers)
[2448] 19:33:35:281: >> Received Request (Code: 1) packet: Id: 3, Length: 10, Type: 13, TLS blob length: 0. Flags: L
[2448] 19:33:35:281: EapTlsCMakeMessage
[2448] 19:33:35:281: Unexpected code: 1 in state RecdFinished
[2448] 19:34:05:296: EapTlsEnd
[2448] 19:34:05:296: EapTlsEnd(jurgen tessers)
[2448] 19:34:05:296: Auth failed so freeing cached creds.
[2448] 19:34:05:296: FreeCachedCredentials
[2448] 19:34:05:296:
[2448] 19:34:05:296: EapTlsBegin(Jurgen Tessers)
[2448] 19:34:05:296: State change to Initial
[2448] 19:34:05:296: EapTlsBegin: Detected 8021X authentication
[2448] 19:34:05:296: MaxTLSMessageLength is now 16384
 
etc., etc. ...
----- Original Message -----
Sent: Monday, October 10, 2005 2:18 AM
Subject: Re: authenticate problem XP eap/tls

Make sure that you either don't validate the server certificate, or that if you do, that the CA is selected.

The XP supplicant will just keep hammering at the server without accepting the response if the CA / server checking doesn't pass.

The other thing to do is look at the RASTLS (and/or EAPOL) logs.

eg:
netsh ras set tracing rastls enabled

And then take a look at the files in c:\windows\tracing

Cheers,

Ben

On 10/10/05, Thuis Algemeen <[EMAIL PROTECTED]> wrote:
Thanks Alan,

I used a file called xpextensions with both a client section and a
server section.
The client certificate present on the laptop displays: Clientverificatie
(1.3.6.1.5.5.7.3.2)
The server certificate present on the server displays: Verificatie van de
server (1.3.6.1.5.5.7.3.1)

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" < freeradius-users@lists.freeradius.org>
Sent: Sunday, October 09, 2005 5:49 PM
Subject: Re: authenticate problem XP eap/tls


> "Thuis Algemeen" < [EMAIL PROTECTED]> wrote:
>>  Here is the log from freeradius, the only error I can see is:
>> "TLS_accept:error in SSLv3 read client certificate A".
>
>  That error is in the middle of the authentication session, and
> doesn't mean anything.
>
>  Do the certificates you're using have the Windows OID?
>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

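Added example, not part of the thread: a small triage script for a RASTLS trace like the one posted above. It pulls out each `InitializeSecurityContext` result, records the EAP-TLS state it occurred in, and names the status code from winerror.h (0x90312 is SEC_I_CONTINUE_NEEDED, 0x80096004 is TRUST_E_CERT_SIGNATURE). The function name `triage` and the result fields are assumptions of this example; the sample lines are excerpted from the trace in the thread.

```python
import re

# Status codes from winerror.h that commonly appear in RASTLS traces.
KNOWN = {
    0x00000000: "SEC_E_OK",
    0x00090312: "SEC_I_CONTINUE_NEEDED",   # handshake still in progress
    0x80096004: "TRUST_E_CERT_SIGNATURE",  # certificate signature cannot be verified
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d+):\s?(.*)$")
ISC = re.compile(r"InitializeSecurityContext returned (0x[0-9A-Fa-f]+)")
STATE = re.compile(r"State change to (\w+)")

# Excerpt of the trace posted in the thread.
SAMPLE = """\
[1304] 19:33:35:078: State change to Initial
[1304] 19:33:35:093: Will validate server cert
[1304] 19:33:35:125: InitializeSecurityContext returned 0x90312
[1304] 19:33:35:125: State change to SentHello
[2448] 19:33:35:281: InitializeSecurityContext returned 0x80096004
[2448] 19:33:35:281: State change to RecdFinished. Error: 0x80096004
[2448] 19:33:35:281: Unexpected code: 1 in state RecdFinished
"""

def triage(trace):
    """Return one finding per InitializeSecurityContext result in the trace."""
    findings, state, validates = [], None, False
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, ts, msg = m.groups()
        if msg.startswith("Will validate server cert"):
            validates = True
        r = ISC.search(msg)
        if r:
            code = int(r.group(1), 16)
            findings.append({
                "time": ts, "thread": int(tid), "state": state,
                "code": f"0x{code:08X}",
                "name": KNOWN.get(code, "UNKNOWN (look up in winerror.h)"),
                "fatal": bool(code & 0x80000000),  # high bit set = failure HRESULT
                "validates_server_cert": validates,
            })
        s = STATE.search(msg)
        if s:  # update after the call so "state" is the state the call ran in
            state = s.group(1)
    return findings
```

A fatal finding in state `SentHello` with `validates_server_cert` set means the client rejected the server's certificate chain during the handshake, which is the case the CA-selection advice in the thread addresses.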